[email protected]

Aliases: Email-Worm.Win32.Silly.b, I-Worm.Silly.b, W32/Wukill.worm, Win32.HLLW.Generic.81, W32/WuKill-D
Variants: WORM_WUKILL.C, Win32:Wukill-C, I-Worm/Wukill.D, W32/Wukill.B.worm, NewHeur_PE

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 17 May 2005
Damage: Low

Characteristics: The W32/[email protected] program is a mass-mailing worm that spreads by sending e-mail to all the contacts it finds in the Windows Address Book; it can also spread via network shares. It affects Windows platforms such as Windows 95, Windows 2000, Windows 98, Windows NT, Windows Server 2003, Windows Me, and Windows XP.

More details about [email protected]

When [email protected] is executed, it displays a warning message saying that the file has been damaged. The worm copies itself as Mstray.exe and Mshelp.exe to the Windows installation folder. It adds values under a registry subkey so that the full path is shown in the title bar of Windows Explorer and so that Windows Explorer does not show file extensions or hidden files. The worm also injects itself into the running csrss.exe process, if present, and monitors active Windows Explorer windows. If the title bar matches the recent location of [email protected], the worm makes a new copy of itself in a random location, launches the new copy, and exits. The worm then deletes the old copy of itself.

Once it is installed in the system, the [email protected] program creates a copy of itself. It will usually place this file in the System32 folder of the Windows directory. It will also install itself in the registry to guarantee that it runs immediately during startup. This allows it to reappear even after deletion.
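
A triage check for the host artifacts described above, as an added example that is not part of the original write-up. The two file names come from the text. The registry paths and value names (the Run keys and the Explorer CabinetState/Advanced settings) are the standard Windows locations for those behaviours and are assumptions, since the write-up does not name them, as is the assumption that the System32 copy uses the same file names.

```powershell
# Added triage example. File names are from the write-up; registry paths and
# value names are assumed standard Windows locations, not given on the page.
$findings = @()
$names    = 'Mstray.exe', 'Mshelp.exe'

# 1. Dropped copies in the Windows folder (System32 is checked as well).
foreach ($dir in $env:windir, (Join-Path $env:windir 'System32')) {
    foreach ($name in $names) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) {
            $f = Get-Item -LiteralPath $path -Force   # -Force: file may be hidden
            $findings += [pscustomobject]@{ Weight = 'strong'; Check = 'dropped file'
                Detail = "$path, $($f.Length) bytes, written $($f.LastWriteTime)" }
        }
    }
}

# 2. Startup entries that launch either file name.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ("$($p.Value)" -match 'Mstray\.exe|Mshelp\.exe') {
            $findings += [pscustomobject]@{ Weight = 'strong'; Check = 'run key'
                Detail = "$key\$($p.Name) = $($p.Value)" }
        }
    }
}

# 3. Explorer view settings. HideFileExt=1 and Hidden=2 are also Windows
#    defaults, so they only count as context; FullPath=1 is not a default.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'
$settings = @(
    @{ Key = "$explorer\CabinetState"; Name = 'FullPath';    Bad = 1; Weight = 'supporting' }
    @{ Key = "$explorer\Advanced";     Name = 'HideFileExt'; Bad = 1; Weight = 'context' }
    @{ Key = "$explorer\Advanced";     Name = 'Hidden';      Bad = 2; Weight = 'context' }
)
foreach ($s in $settings) {
    $item = Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue
    if ($item -and $item.($s.Name) -eq $s.Bad) {
        $findings += [pscustomobject]@{ Weight = $s.Weight; Check = 'explorer setting'
            Detail = "$($s.Key)\$($s.Name) = $($s.Bad)" }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

The Explorer settings are per-user, so the third check only reflects the account the script runs under.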