[email protected]

Aliases: Trojan.Agent.A, W32/SillyWorm.N, Win32/Traxg.A, Worm.Nethood.a
Variants: Worm:Win32/[email protected]

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 09 Dec 2004
Damage: Low

Characteristics: This program is a mass-mailing worm that uses MAPI to send a copy of itself to e-mail addresses collected from the Outlook address book of the compromised PC. The worm is written for Chinese versions of Windows and affects Windows operating systems such as Windows 95, Windows 2000, Windows 98, Windows NT, Windows Me, Windows Server 2003, and Windows XP.

More details about [email protected]

Once the worm is run on your system, it creates a copy of itself so that it is executed each time Windows starts. The worm also copies itself as %Windir%\FONTS\[RANDOM].com and adds a value to the registry. It is reported to modify registry subkeys to change your Windows Explorer settings, and it adds the user "admin" to the local Administrators group of the victim computer. It then shares your drive C as "C$" to the remote attacker. The worm collects e-mail addresses from the Microsoft Outlook address book and sends e-mail messages with attached files to all the addresses it finds on your system. The e-mail comes with the subject [CHINESE CHARACTERS], a message body, and an attachment named [CHINESE CHARACTERS].exe.
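The %Windir%\FONTS\[RANDOM].com copy described above is easy to check for, because font folders should not contain executables. The following is an added triage example, not code from the original page; the function names, the extension list, and all sample file names are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: extensions treated as executable for this check; fonts never use them.
EXEC_EXTS = {".com", ".exe", ".scr", ".pif", ".bat"}

def suspicious_font_files(fonts_dir):
    """Return sorted (name, reason) pairs for files in fonts_dir that look executable."""
    hits = []
    for entry in os.scandir(fonts_dir):
        if not entry.is_file():
            continue
        ext = os.path.splitext(entry.name)[1].lower()
        if ext in EXEC_EXTS:
            hits.append((entry.name, "executable extension"))
            continue
        try:
            with open(entry.path, "rb") as fh:
                magic = fh.read(2)
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        # Legitimate .fon bitmap fonts are stored in executable format and start
        # with "MZ", so they are excluded from the header check.
        if magic == b"MZ" and ext != ".fon":
            hits.append((entry.name, "MZ header under non-executable name"))
    return sorted(hits)

def demo():
    """Run the check over a constructed Fonts directory (all names are made up)."""
    samples = {
        "arial.ttf": b"\x00\x01\x00\x00" + b"\x00" * 8,  # TrueType magic
        "vgasys.fon": b"MZ" + b"\x00" * 8,               # benign bitmap font
        "qzxkw.com": b"MZ" + b"\x00" * 8,                # stands in for [RANDOM].com
        "renamed.ttf": b"MZ" + b"\x00" * 8,              # executable posing as a font
    }
    with tempfile.TemporaryDirectory() as fonts_dir:
        for name, data in samples.items():
            with open(os.path.join(fonts_dir, name), "wb") as fh:
                fh.write(data)
        return suspicious_font_files(fonts_dir)

if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

On a live host, pass the real Fonts directory under %Windir% to `suspicious_font_files` and treat any hit as a lead to verify, not as a confirmed detection.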

The worm also disables the system’s firewall settings and Web connection sharing. It then opens a random port to serve as a backdoor into the system, a hidden access route that the remote attacker can use. Through it, the worm can be commanded to configure the infected system, and it can be programmed to imitate an FTP, SMTP, or HTTP server. The remote attacker can then steal information and files, send e-mails, or use the infected computer as a proxy server.