[email protected]

Aliases: Backdoor.Win32.Stub.k, Email-Worm.Win32.Delf.n, W32/Generic.Delphi.c
Variants: W32/Stubbot-B, WORM_STUBBOT.A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 19 May 2005
Damage: Medium

Characteristics: This application can affect Windows Operating System platforms such as Windows 95, Windows 2000, Windows Me, Windows 98, Windows NT, Windows XP, and Windows Server 2003.

More details about [email protected]

When [email protected] is executed, it copies itself to the System folder. It also adds a folder and a value to a registry subkey so that the worm runs each time Windows starts. The worm also copies itself under various file names, compresses the copy into ZIP format, and attaches the .zip file to the emails it sends. It may also spread through P2P file-sharing networks, using many different file share names. It tries to propagate to randomly generated IP addresses by copying itself to network shares, and it tries a set of passwords to gain access to shares that are protected by weak passwords.

[email protected] can also spread to computers that have already been infected by Mydoom. It collects email addresses from files selected by extension and sends a copy of itself to the collected addresses. The emails appear to come from names appended to domains and carry one of the following subjects: Mail delivery Failure, Hello there :), Protected Mail Delivery, Mail Encoded, Message Error, or Mail Authentification. The messages carry an attachment. Lastly, it connects to an IRC server on the irc.ircme.net domain on TCP port 6667 and listens for commands from a remote attacker, which allows the attacker to log keys, steal information from the system, support plugins, terminate processes, and transfer, download, and execute files.
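The subjects, the .zip attachment and the IRC endpoint described above can be turned into a simple log triage check. The following is an added example, not part of the original write-up; the key=value log format, the field names (`type`, `src`, `subject`, `attachment`, `proto`, `dst_host`, `dst_port`) and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Indicators taken from the description above (subjects compared case-insensitively).
SUBJECTS = {"mail delivery failure", "hello there :)", "protected mail delivery",
            "mail encoded", "message error", "mail authentification"}
IRC_HOST, IRC_PORT = "irc.ircme.net", "6667"
# Assumed log format: key=value pairs, values optionally double-quoted.
PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse(line):
    """Split a key=value log line into a dict, unquoting quoted values."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in PAIR.findall(line)}

def classify(rec):
    """Return 'mail', 'irc' or None for one parsed record."""
    if rec.get("type") == "mail":
        subject = rec.get("subject", "").strip().lower()
        has_zip = rec.get("attachment", "").lower().endswith(".zip")
        return "mail" if subject in SUBJECTS and has_zip else None
    if rec.get("type") == "flow":
        host = rec.get("dst_host", "").lower().rstrip(".")
        hit = (host == IRC_HOST and rec.get("dst_port") == IRC_PORT
               and rec.get("proto", "").lower() == "tcp")
        return "irc" if hit else None
    return None

def triage(lines):
    """Map each source address to the set of indicator types seen from it."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse(line)
        kind = classify(rec)
        if kind:
            hits[rec.get("src", "unknown")].add(kind)
    return dict(hits)

# Constructed sample records, not real logs.
SAMPLE = [
    'type=mail src=10.0.0.5 subject="Hello there :)" attachment=photo.zip',
    'type=mail src=10.0.0.7 subject="Mail delivery Failure" attachment=-',
    'type=mail src=10.0.0.8 subject="Quarterly report" attachment=q3.zip',
    'type=flow src=10.0.0.5 proto=tcp dst_host=irc.ircme.net dst_port=6667',
    'type=flow src=10.0.0.9 proto=tcp dst_host=IRC.IRCME.NET. dst_port=6667',
    'type=flow src=10.0.0.8 proto=tcp dst_host=chat.example.org dst_port=6667',
]

if __name__ == "__main__":
    for src, kinds in sorted(triage(SAMPLE).items()):
        print(src, sorted(kinds), "HIGH" if len(kinds) == 2 else "review")
```

A source that shows both the mail pattern and the IRC connection is the strongest candidate for isolation; a matching subject without a .zip attachment is left alone because ordinary bounce messages use similar wording.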