[email protected]

Aliases: Downloader.Small.5.AE, Trojan-Downloader.Win32.Small.jb, Trojan.Downloader.Wallon.A, TROJ_WALLON.A, W32/DLoader.DDVY
Variants: W32/Downldr2.AEIU, W32/Wallon.worm.gen, Win32:StartPage-007 [Trj], Worm:Win32/[email protected]

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 11 May 2004
Damage: Low

Characteristics: The [email protected] application is a mass mailing worm. It sends e-mail messages that contain a link to download the worm from particular URLs. It as well collects the e-mail addresses on an infected device. The worm affects Windows 95, Windows 2000, Windows Me, Windows 98, Windows Server 2003, Windows NT, and Windows XP

More details about [email protected]

[email protected] is an e-mail with a hyperlink in the body of the message. The e-mail utilizes Internet Explorer vulnerability and exploits Microsoft Security Bulletin MS04-013 and Microsoft Security Bulletin MS04-004 to show an obfuscated hyperlink. Clicking these links redirects you to a site where in you will download "wmplayer.exe" your Media Player. The site can attempt to use an Outlook Express, mentioned in Microsoft Security Bulletin MS04-013, to download the file and execute it. Since the worm intends to overwrite your Windows Media Player, any attempts to open this program on an infected PC will get a copy of the worm.

The [email protected] software can execute a number of commands on the system. These are done without the user’s consent. The program typically runs in the background. It may remove security programs so that it can run without being detected. The user’s data files may be copied or deleted suddenly. The disk drive may be opened and closed unexpectedly. Computer activities may be monitored using a keylogger function. Webcams may be suddenly turned on to capture images. The infected computer can also be used for remote server attacks. These commonly involve sending large amounts of information to crash a web server.