[email protected]


Aliases: I-Worm.Sponbob, W32/[email protected], Win32.HLLM.Generic.33, W32/Alcaul-AC, Win32/[email protected]
Variants: WORM_SPONGE.A, W32/Sponge.A.1, W32/[email protected], Win32:SpongeBob, I-Worm/Sponge

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 30 Oct 2002
Damage: Low

Characteristics: This is a mass-mailing worm that uses Microsoft Outlook to send itself to all contacts in the Outlook address book.

More details about [email protected]

This mass-mailing worm uses Microsoft Outlook to send itself to all contacts in the Outlook address book. The email has the subject “Spongebob Wallpaper” and the attachment “Spongy.exe”. The worm overwrites .pif and .scr files in all folders apart from the root folder, and it appends code to the end of .htm files in all folders apart from the root folder. It also has a universal component that is used to infect MS Word files and the global template “Normal.dot”. The worm is detected as “W97M.Sponge”. It is written in Microsoft Visual Basic and compressed with UPX.

When the worm runs, it creates two hidden subfolders, “C:\%windir%Kn0x3” and “C:Explore”. It then copies itself as “C:\%windir%kn0xace1.com”, “C:ExploreHelp.exe”, “C:Porno.scr”, “C:Jokes.pif”, “C:SpongeBob_Game.exe”, “C:SpongeBob.scr”, and “C:SpongeBob.com”. The attributes of the files SpongeBob_Game.exe, Jokes.pif, SpongeBob.com, and SpongeBob.scr are set to hidden and read-only. It creates “C:SpongeBob.eml”, an e-mail file that contains the worm as its attachment. It changes all .pif and .scr files in all folders apart from the root folder. It adds code to all “.htm” files in all folders apart from the root folder. The code is intended to launch the worm from the infected files, but it cannot do so because of an error in the code.
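As an added example (not part of the original write-up), the Python below checks a raw message or a saved .eml file for the two email indicators given above: the subject “Spongebob Wallpaper” and the attachment name “Spongy.exe”. The sample message, its addresses and the function name `match_indicators` are constructed for illustration.

```python
import email
import ntpath
from email import policy

# Indicators taken from the description above (compared case-insensitively).
SUBJECT = "spongebob wallpaper"
ATTACHMENT = "spongy.exe"

# Constructed sample message: placeholder addresses, harmless attachment bytes,
# and an RFC 2047 encoded subject to show that header decoding is handled.
SAMPLE_EML = b"""\
From: sender@example.com
To: recipient@example.com
Subject: =?utf-8?q?Spongebob_Wallpaper?=
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="SPONGY.EXE"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBzYW1wbGU=
--b1--
"""

def match_indicators(raw: bytes) -> dict:
    """Return which of the two email indicators a raw message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # policy.default decodes encoded-word headers into plain text.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    # Collect attachment names from every MIME part, dropping any path prefix.
    names = {ntpath.basename(part.get_filename() or "").lower()
             for part in msg.walk()}
    hits = {"subject": subject == SUBJECT, "attachment": ATTACHMENT in names}
    count = sum(hits.values())
    # Both indicators together are a match; one alone only merits a look.
    hits["verdict"] = ("clean", "review", "match")[count]
    return hits

if __name__ == "__main__":
    print(match_indicators(SAMPLE_EML))
```

The same function can be run over the bytes of any .eml file found on disk, such as the “SpongeBob.eml” file the worm is described as creating.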