Backdoor.Win32.Stub.k, Email-Worm.Win32.Delf.n, W32/Generic.Delphi.c
Category: Computer Worm
Active & Spreading
Asia, North and South America, and some parts of Europe and Australia
19 May 2005
This worm affects Windows platforms including Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP, and Windows Server 2003.
Malware on your computer causes annoyances and can damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean [email protected] from your computer.
Once [email protected] is executed, it copies itself to the System folder. It also adds a value to a registry subkey so that the worm runs each time Windows starts. The worm copies itself under a variety of file names and compresses those copies into ZIP archives; it attaches these .zip files to the emails it sends. It may also spread across P2P file-sharing networks, using many different share names. It attempts to propagate to randomly generated IP addresses by copying itself to network shares, and tries a list of passwords to gain access to shares that are protected by weak passwords.
It can also spread to computers that are already infected by Mydoom. It collects email addresses from files with certain extensions and sends a copy of itself to the collected addresses. The messages appear to come from addresses built from a name appended to a domain, and carry subjects such as Mail delivery Failure, Hello there :), Protected Mail Delivery, Mail Encoded, Message Error, or Mail Authentification, with the worm as an attachment. Lastly, it connects to an IRC server on the irc.ircme.net domain over TCP port 6667 and listens for commands from a remote controller, which lets the attacker log keystrokes, steal information from the system, load plugins, terminate processes, and transfer, download, and execute files.
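As an added defensive illustration (not part of the original write-up), the following Python script matches two of the indicators described above, the listed email subjects sent with a .zip attachment and outbound TCP connections to irc.ircme.net on port 6667, against constructed gateway log lines in a hypothetical format, and ranks hosts by how many indicators they trip:

```python
import re

# Indicators quoted from the write-up above (email subjects, IRC host and port);
# the log lines in SAMPLE_LOG are constructed for this example, not real traffic.
SUSPECT_SUBJECTS = {
    "mail delivery failure", "hello there :)", "protected mail delivery",
    "mail encoded", "message error", "mail authentification",
}
IRC_HOST, IRC_PORT = "irc.ircme.net", 6667

# Hypothetical gateway log formats: one mail-relay line, one firewall line.
MAIL_RE = re.compile(r'^mail host=(\S+) subject="([^"]*)" attach=(\S*)$')
FW_RE = re.compile(r'^fw host=(\S+) dst=(\S+):(\d+) proto=tcp$')

def check_line(line):
    """Return (host, reason) when a log line matches a worm indicator, else None."""
    m = MAIL_RE.match(line)
    if m:
        host, subject, attach = m.groups()
        # Only the subject list combined with a .zip attachment counts as a hit.
        if subject.strip().lower() in SUSPECT_SUBJECTS and attach.lower().endswith(".zip"):
            return host, f"worm-style mail: subject '{subject}' with .zip attachment"
        return None
    m = FW_RE.match(line)
    if m:
        host, dst, port = m.groups()
        if dst.lower() == IRC_HOST and int(port) == IRC_PORT:
            return host, f"outbound IRC to {dst}:{port} (remote-control channel)"
    return None

def infected_hosts(lines):
    """Map each host to its indicator hits; hosts with the most hits come first."""
    hits = {}
    for line in lines:
        found = check_line(line.strip())
        if found:
            hits.setdefault(found[0], []).append(found[1])
    return dict(sorted(hits.items(), key=lambda kv: -len(kv[1])))

SAMPLE_LOG = """\
mail host=pc-17 subject="Mail Delivery Failure" attach=document.zip
mail host=pc-03 subject="Quarterly report" attach=report.pdf
mail host=pc-17 subject="Hello there :)" attach=photo.zip
fw host=pc-17 dst=irc.ircme.net:6667 proto=tcp
fw host=pc-09 dst=irc.ircme.net:6667 proto=tcp
fw host=pc-03 dst=203.0.113.10:443 proto=tcp
mail host=pc-22 subject="Message Error" attach=notes.txt
"""

if __name__ == "__main__":
    for host, reasons in infected_hosts(SAMPLE_LOG.splitlines()).items():
        print(host, *reasons, sep="\n  ")
```

A host that both sends the listed subjects with .zip attachments and opens the IRC channel (pc-17 in the sample) is the strongest candidate for isolation and cleanup.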