[email protected]

Aliases: Email-Worm.Win32.Womble.a, W32/Womble-B, W32/Womble.A, W32/[email protected], [email protected]
Variants: Win32/Womble.B, Win32:Wapplex, Worm.Mail.Agent.ag, Worm/Generic.WD, Worm/Womble

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 28 Aug 2006
Damage: Low

Characteristics: [email protected] is a mass-mailing worm. It harvests e-mail addresses from the compromised computer and mails copies of itself to them; one of its attachments is a WMF image that exploits the Microsoft Windows Graphics Rendering Engine WMF (SetAbortProc) code execution vulnerability described in Microsoft Security Bulletin MS06-001 (CVE-2005-4560). It affects Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP and Windows Server 2003. Note that MS06-001 supplied fixes only for Windows 2000, Windows XP and Windows Server 2003; the older versions received no patch for this vulnerability.

More details about [email protected]

Once the worm is executed on your system, it copies itself to %System%\[ORIGINAL FILE NAME] and also creates files under the current user's profile. It adds values to the registry startup subkeys so that the copy runs every time Windows starts. The worm then gathers e-mail addresses from the Windows Address Book and from other files on the compromised computer and sends a copy of itself to each e-mail address it collects. The messages use subjects such as action, beauty, FIFA or bush and carry an attachment named new_picture.jpg.passw.zip, firefox_update.pif.zip or about_windows.wmf.passw.zip. Only the WMF attachment can exploit the Microsoft Windows Graphics Rendering Engine WMF (SetAbortProc) code execution vulnerability to drop and run the worm without further user action; the .pif attachment is an ordinary executable that the recipient has to open, and the .passw.zip names indicate password-protected archives, which a mail gateway cannot scan without the password.
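The two checks an incident responder would want for the attachment pattern and the WMF exploit described above, as an added example (this is not code from the original page or from any vendor write-up of the worm). The first check flags the double-extension naming style (a decoy image or an executable extension buried inside the name, as in new_picture.jpg.passw.zip or firefox_update.pif.zip). The second walks the records of a WMF file and reports any META_ESCAPE record carrying the SETABORTPROC escape, which is the primitive the MS06-001 exploit depends on and which a legitimate image file never needs. The record and header layouts follow the MS-WMF specification; the sample files are constructed inline, and the "hostile" one holds only an inert SETABORTPROC escape with filler bytes, not an exploit. The extension lists and function names are this example's own choices.

```python
"""Attachment triage for the mass-mailing pattern above (constructed example)."""
import struct

# WMF constants from the MS-WMF specification
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte Aldus placeable header
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # escape function abused by the MS06-001 exploit

# Extension lists are assumptions for this example, not a vendor signature.
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd", "wmf"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "doc"}


def name_is_suspicious(filename):
    """True when an inner extension is a decoy image/document or an executable."""
    parts = filename.lower().split(".")
    if len(parts) < 3:           # needs at least name.inner.outer
        return False
    inner = set(parts[1:-1])
    return bool(inner & EXECUTABLE_EXTS) or bool(inner & DECOY_EXTS)


def wmf_setabortproc_records(data):
    """Return byte offsets of META_ESCAPE records whose escape is SETABORTPROC.

    The walk is defensive: a record whose Size is smaller than the 3 WORDs that
    Size + Function occupy (hostile files often carry 0) ends the walk instead
    of looping forever, and every read is bounds-checked.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                 # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    file_type, header_words = struct.unpack_from("<HH", data, off)
    if file_type not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF header")
    off += header_words * 2
    hits = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if func == META_EOF:
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            escape_func = struct.unpack_from("<H", data, off + 6)[0]
            if escape_func == SETABORTPROC:
                hits.append(off)
        if size_words < 3:
            break                # malformed size: stop rather than spin
        off += size_words * 2
    return hits


# --- constructed sample files -------------------------------------------------
def _record(func, payload=b""):
    body = struct.pack("<H", func) + payload
    return struct.pack("<I", (4 + len(body)) // 2) + body


def _wmf(records):
    body = b"".join(records) + _record(META_EOF)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 0, 0)
    return header + body


SETMAPMODE = _record(0x0103, struct.pack("<H", 1))            # harmless record
BENIGN_WMF = _wmf([SETMAPMODE])
# META_ESCAPE: EscapeFunction=SETABORTPROC, ByteCount=4, then inert filler bytes
HOSTILE_WMF = _wmf([SETMAPMODE, _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\xcc" * 4)])
PLACEABLE_HOSTILE_WMF = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 0, 0, 96, 0, 0) + HOSTILE_WMF
# A record with Size 0: the walk must terminate without reporting anything
MALFORMED_WMF = _wmf([]) [:18] + struct.pack("<IH", 0, 0x0103) + b"\x00" * 4

if __name__ == "__main__":
    for name in ("new_picture.jpg.passw.zip", "firefox_update.pif.zip", "holiday.jpg"):
        print(name, "suspicious" if name_is_suspicious(name) else "ok")
    for label, blob in (("benign", BENIGN_WMF), ("hostile", HOSTILE_WMF)):
        print(label, "SETABORTPROC records at", wmf_setabortproc_records(blob))
```

The name check is the only signal available for a password-protected archive, since its contents cannot be opened by a gateway; the WMF check applies once a file has been extracted, and because it looks at structure rather than bytes it also catches variants that rewrite the payload but keep the SETABORTPROC escape.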

Beyond its own mass-mailing behaviour, a computer infected by [email protected] carries the general risks of any compromised host: it can be used to attack other machines or servers, attached devices such as webcams can be used to watch the user in real time, remote attackers can install further harmful programs, track browsing activity or steal the usernames and passwords of various accounts, and anti-virus and other security software may be disabled to prevent removal of the malware.