Email-Worm.Win32.Silly.b, I-Worm.Silly.b, W32/Wukill.worm, Win32.HLLW.Generic.81, W32/WuKill-D
WORM_WUKILL.C, Win32:Wukill-C, I-Worm/Wukill.D, W32/Wukill.B.worm, NewHeur_PE
Category: Computer Worm
Active & Spreading
Asia, North and South America, and some parts of Europe and Australia
17 May 2005
The W32/[email protected]
program is a mass mailing worm that spreads itself via sending e-mail to all the contacts it finds in the Windows Address Book and can also spread via network shares. This worm affects windows platfor such as Windows 95, Windows 2000, Windows 98, Windows NT, Windows Server 2003, Windows Me, and Windows XP
If you have Malware on your computer it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean [email protected]
from your computer.
When [email protected]
is executed, it displays a warning message saying that the file has been damaged. This worm copies itself as Mstray.exe and Mshelp.exe to the windows installation folder. It adds values on the registry sub key to ensure that the full path shows on the title bar of Windows Explorer and in order to prevent the Windows Explorer from showing file extensions and hidden files. The worm also injects itself to the csrss.exe running process, if present and monitors active Windows Explorer. If title bar matches the recent location of [email protected]
, the worm makes new copy of itself in a random location, launches the new copy, and exits. The worm then deletes the old copy of itself.
Once it is installed in the system, the [email protected]
program creates a copy of itself. It will usually place this file in the System32 folder of the Windows directory. It will also install itself in the registry to guarantee that it runs immediately during startup. This allows it to reappear even after deletion.