[email protected]

Aliases: Worm.Win32.VB.ad, W32/Generic.worm!p2p
Variants: Worm/VB.AD.1, Trj/Multidropper.XU

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 15 Apr 2005
Damage: Medium

Characteristics: The [email protected] program is a mass-mailing worm that uses its own SMTP engine to send itself as an email attachment.

More details about [email protected]

When the [email protected] worm is run, it copies itself to “%System%\lsess.exe”. It also creates the following zip files, each an archived copy of the worm: “%System%\lsess.zip”, “%System%\credit card.zip”, “%System%\edonkey 1.1.zip”, “%System%\emoticons msn.zip”, “%System%\hotmail passwords howto.me.zip”, “%System% orton antivirus.zip”, “%System%\overnet full.zip”, “%System%\windows commander.zip”, “%System%\windows xp activate.zip”, and “%System%\winzip cracked.zip”. The worm drops the files “%System%\zlib.dll” and “%System%\ansmtp.dll”. It adds the value "lsess" = "%System%\lsess.exe" to the registry subkeys so that it runs each time Windows starts. The worm harvests email addresses from files with the “EML”, “DOC”, “DHTM”, “DBX”, or “ADB” extensions, skipping any address that contains one of the strings “@antivir”, “@avp”, “@fbi”, “@f-pro”, “@freeav”, or “@f-secur”.

The [email protected] program registers its SMTP engine by creating registry entries, then uses that engine to mail itself to every address it has collected. Each message is built from one entry of each of the following lists.

Subjects: “Administration”, “Bad Request”, “Delivery Protection”, “Delivery Server”, “Encripted Mail”, “Error”, “Extended Mail”, or “Extended Mail System”.

Message bodies: “Bad Gateway: The message has been attached”, “Delivered message is attached”, “Encrypted message is available”, “ESMTP [Secure Mail System #334]: Secure message is attached”, “First part of the secure mail is available”, “Follow the instructions t read the message”, “For further details see the attachment”, or “Forwarded message is available”.

Attachments: “data.zip”, “details.zip”, “document.zip”, “Message.zip”, “msg.zip”, or “readme.zip”.

The worm also terminates the following processes: “avpmon.exe”, “avp32.exe”, “VPC32”, “zonealarm.exe”, “vshwin32.exe”, “vet95.exe”, “tbscan.exe”, and “serv95.exe”.
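As an added, defender-side example that is not part of the original entry: the indicators above (mail subjects, attachment names, dropped file names and the "lsess" autorun value) turned into two small Python checks, one over mail metadata and one over a host snapshot. The startup key is assumed to be a Run key, since the page names only the value; all sample messages and file listings are constructed.

```python
# Indicators quoted from the description above. The sample messages, autorun
# snapshot and file listing used at the bottom are constructed test data.
SUBJECTS = {"administration", "bad request", "delivery protection",
            "delivery server", "encripted mail", "error", "extended mail",
            "extended mail system"}
ATTACHMENTS = {"data.zip", "details.zip", "document.zip", "message.zip",
               "msg.zip", "readme.zip"}
DROPPED_FILES = {"lsess.exe", "lsess.zip", "zlib.dll", "ansmtp.dll",
                 "credit card.zip", "edonkey 1.1.zip", "emoticons msn.zip",
                 "hotmail passwords howto.me.zip", "overnet full.zip",
                 "windows commander.zip", "windows xp activate.zip",
                 "winzip cracked.zip"}
AUTORUN_VALUE = "lsess"   # registry value name the worm adds for persistence

def is_worm_mail(subject: str, attachment: str) -> bool:
    """True when both the subject and the attachment name are on the worm's
    lists. Requiring both keeps generic subjects such as "Error" from firing
    on their own. Matching is case-insensitive."""
    return (subject.strip().lower() in SUBJECTS
            and attachment.strip().lower() in ATTACHMENTS)

def host_findings(autorun_values: dict, system_dir_files: list) -> list:
    """autorun_values: {value name: data} read from the startup key (assumed
    to be a Run key). system_dir_files: file names found in %System%.
    Returns human-readable findings; an empty list means nothing matched."""
    findings = []
    data = autorun_values.get(AUTORUN_VALUE, "")
    # The page gives the data as %System%\lsess.exe; it may be stored expanded.
    if data.lower().endswith("lsess.exe"):
        findings.append(f"autorun value {AUTORUN_VALUE!r} -> {data}")
    for name in system_dir_files:
        if name.lower() in DROPPED_FILES:
            findings.append(f"dropped file {name}")
    return findings

if __name__ == "__main__":
    mails = [("Extended Mail System", "Message.zip"),   # constructed samples
             ("Error", "invoice.pdf"),
             ("Re: lunch", "readme.zip")]
    print([is_worm_mail(s, a) for s, a in mails])       # [True, False, False]
    autorun = {"lsess": r"C:\WINDOWS\system32\lsess.exe", "ctfmon": "ctfmon.exe"}
    files = ["kernel32.dll", "lsess.exe", "winzip cracked.zip"]
    for finding in host_findings(autorun, files):
        print(finding)
```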