[email protected]

Aliases: I-Worm.Svoy.a
Variants: W32/Svoy.worm.gen

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 04 Jun 2004
Damage: Low

Characteristics: The [email protected] applicationutilizes Mapi.dll to transfer itself to the email addresses that it locates on the computer.

More details about [email protected]

The worm finds all the drives that are fixed and the drives of the ramdisk from the C to Y. The virus restore the address of the email from the files that have .db?, .html, .in?, .md?, .his, .htm, .ad?, .cnv, .ab?, .me, .csv, .tx?, .wa?, .xls, /doc, and .log. The worm will then replicate the email address to the files %System%Winmail.mls and %System%Winmail.mts that it searches. The worm launches itself to all of the addresses of the email that it searches. The subject is “Message is not delivered” or “he subject may be in Russian, in which case the message body will be in Russian as well”, and the Attachment is “This will be a 57,856 byte file. It will use the file name of one of the files created in step 1”.

Once the W32.svoy.A[email protected] was performed, the worm arrives to the email that is being sent with a line of the subject “Message is not delivered” and then consists of an attachment with a variable name. The attachment file has the .exe extension. Once the [email protected] was being run it will create the DOC .exe, WINMAIL.MTS .exe, FOTKA JPG .exe, WINMAIL.MLS .exe, H_UYY JPG .exe, README DOC .exe, IOx DOC .exe, RABOTA DOC .exe, I???¤?? ntv_ru .exe, PASSPORT JPG .exe, and MESSAGE .exe.