[email protected]

Aliases: Generic.PWS.WoW.95C6C567, Generic3.GPO, TR/PSW.43008
Variants: Trojan.PSW.WoWar.afg, W32/OnLineGames.AEPR

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 05 Mar 2007
Damage: Low

Characteristics: The [email protected] program is a mass mailing worm that infects Windows systems such as Windows 95, Windows 2000, Windows Me, Windows 98, Windows NT, and Windows XP. This worm spreads through e-mail.

More details about [email protected]

Once [email protected] is executed, it creates SetupV9.exe and Srvpl0.dll in the system folder. It creates a registry entry so that the worm runs automatically when Windows starts. The worm is claimed to hook the wow.exe application, which belongs to the program “World of Warcraft”, so that it can steal account information for that program. The worm logs stolen data in the file %System%\KBOutLook.log. [email protected] collects e-mail addresses from Outlook Express and from the Windows Address Book. These e-mail addresses are also stored in the KBOutLook.log file. The worm sends a copy of itself to the collected addresses using MAPI commands. The e-mail subjects used are “Hi,I just get some imformation of the Blizzard Entertainment,pls kindly check in the attachment.”, “Chinese test missile obliterates satellite!” and “That souds best for us”. The message body talks about a missile, and the attached file is named SetupV9.zip.

The worm also sets registry entries that affect the behavior of various versions of Outlook Express. [email protected] infects htm, asp, html, jsp and php files by inserting a link to a web site. The data collected from your compromised computer is sent to a particular URL, and the worm creates a file in order to log errors.
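A defender-side triage sketch built from the indicators described above, added here as an example and not part of the original write-up: it checks a mail message for the three subject lines and the SetupV9.zip attachment, and checks a directory for the three file names the worm creates. The function names and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import Path

# Indicators taken from the description above; the subject typos are the worm's own.
SUBJECTS = {
    "hi,i just get some imformation of the blizzard entertainment,"
    "pls kindly check in the attachment.",
    "chinese test missile obliterates satellite!",
    "that souds best for us",
}
ATTACHMENT = "setupv9.zip"
HOST_FILES = {"setupv9.exe", "srvpl0.dll", "kboutlook.log"}

def _norm(text):
    # Collapse whitespace and case so folded or re-cased values still match.
    return " ".join((text or "").split()).lower()

def triage_message(raw_bytes):
    """Return the indicators ("subject", "attachment") found in one message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    if _norm(msg["Subject"]) in SUBJECTS:
        hits.append("subject")
    # Walk every MIME part: the attachment may be nested in a multipart body.
    for part in msg.walk():
        if _norm(part.get_filename()) == ATTACHMENT:
            hits.append("attachment")
            break
    return hits

def triage_system_dir(system_dir):
    """Return the worm's file names present in a directory (case-insensitive)."""
    return sorted(p.name for p in Path(system_dir).iterdir()
                  if p.is_file() and p.name.lower() in HOST_FILES)

def constructed_sample():
    """Constructed test message, not a captured sample; the attachment is inert."""
    m = EmailMessage()
    m["Subject"] = "Chinese test missile obliterates satellite!"
    m.set_content("constructed body")
    m.add_attachment(b"inert", maintype="application", subtype="zip",
                     filename="SetupV9.zip")
    return bytes(m)

if __name__ == "__main__":
    print(triage_message(constructed_sample()))
```

On a Windows host, `triage_system_dir` would be pointed at the system folder that the description refers to as %System%.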