Aliases: Email-Worm.Win32.White.a, W32/Malware!0c72, W32/White, W32/White.40960, [email protected]
Variants: Win32/White.A, Worm.White.a, Worm/White.A.1, Worm:Win32/[email protected], WORM_WHITE.A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia
Removal: Easy
Platform: W32
Discovered: 18 Feb 2000
Damage: Low

Characteristics: The W32.White.Worm program is an e-mail worm discovered in Korea. It was reported that a 15-year-old Korean student wrote this worm. Once the worm is executed, it harvests e-mail addresses from the Microsoft Outlook Express inbox and sends lots of messages to these addresses with itself as the attachment. The worm affects all Windows platforms.

More details about W32.White.Worm

This worm is written in Visual Basic 6.0 and needs the files Mswinsck.ocx, msvbvm60.dll, and Msmapi32.ocx. The first time W32.White.Worm is executed on a system, it pretends to run into an error while unpacking itself. In fact, the worm copies itself to the System directory as Rundll64.exe during the unpacking. It then adds a registry key so that it executes each time Windows starts. The worm repeatedly goes through the messages in your Microsoft Outlook Express inbox, looking for new e-mail addresses. It sends e-mail messages with the subject “Happy to WHITE(FILEz)” and a file attachment named “Yourlife.exe”. All of these actions make the computer more vulnerable to subsequent attacks. The worm can also download updates to itself through the Internet without the consent or knowledge of the user, and it will block your keyboard and mouse.
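The indicators named above (the subject line, the attachment name, and the Rundll64.exe copy in the System directory) can be checked with a short script. This is an added example, not part of the original write-up; the sample messages and the directory listing in the test are constructed, and the function names are illustrative.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PureWindowsPath

# Indicators taken from the description above, lower-cased for comparison.
SUBJECT = "happy to white(filez)"
ATTACHMENT = "yourlife.exe"
DROPPED_COPY = "rundll64.exe"

def scan_message(raw):
    """Return which of the write-up's mail indicators a raw message matches."""
    # policy.default decodes RFC 2047 encoded-words, so an encoded subject still matches.
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    # Collapse folding whitespace and ignore case before comparing.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if SUBJECT in subject:
        hits.append("subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Compare only the final path component, case-insensitively.
        if PureWindowsPath(name).name.lower() == ATTACHMENT:
            hits.append("attachment")
            break
    return hits

def find_dropped_copy(system_dir_listing):
    """Return entries of a System-directory listing that match the worm's copy name."""
    return [p for p in system_dir_listing
            if PureWindowsPath(p).name.lower() == DROPPED_COPY]

def build_sample(subject, filename):
    """Build a constructed test message with one attachment (placeholder bytes)."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "rcpt@example.test"
    m["Subject"] = subject
    m.set_content("constructed body")
    m.add_attachment(b"constructed-placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample("Happy to WHITE(FILEz)", "Yourlife.exe")))
    print(find_dropped_copy([r"C:\WINDOWS\SYSTEM\RUNDLL64.EXE"]))
```

A match on the attachment name alone is worth flagging, since the subject line is the easier of the two for a variant to change.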

The W32.White.Worm application takes advantage of exploits to infiltrate a computer. It can be found embedded in websites that are not secure. It can also be passed to the user’s machine through instant messaging programs, which happens when the user exchanges files using those applications. Systems that are not protected by firewalls and security programs are more susceptible to infection by Trojan applications and other threats.