[email protected]

Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 20 Jun 2006
Damage: Medium

Characteristics: The [email protected] program is a mass-mailing worm that spreads through email messages about the World Cup.

More details about [email protected]

When the [email protected] worm is executed, it copies itself to “%System%\msctools.exe”. It creates the mutex “dezas” so that only one instance of the worm runs on the computer system. The worm adds the value "nsdevice" = "%System%\msctools.exe" to the registry subkeys so that it runs each time Windows starts. The worm also adds the value "mls" = "0" to the registry subkey. If the registry entry isn’t “install”, the [email protected] worm downloads and executes a file from “[http://]couplesexxx.com/tumbs/dianai[REMOVED]”. The worm stores the downloaded file as “%Temp% emp[RANDOM].exe”. It searches drive C for e-mail addresses in files with extensions such as “wab”, “adb”, “msg”, “dbx”, “mbx”, “mdx”, “eml”, “nch”, “txt”, “tbb”, “tbi”, “html”, “htm”, “xml”, “doc”, “rtf”, “msg”, “xls”, “sht”, and “oft”.

The [email protected] worm can be removed manually. First, check that your virus definitions are up to date. Then run a complete system scan and delete all the files detected as [email protected]. Finally, erase or change the values that the worm added to your system registry. To remove a value from the system registry, click the “start” menu, and then go to “Run” (the Run box appears). Type “regedit” and then press the “OK” button (the registry editor opens). Go to the registry key. In the right pane, double-click each of these values, "nsdevice" = "%System%\msctools.exe" or "mls" = "0", and change them as desired. After you have finished, close the registry editor.