Trojan.Agent.A, W32/SillyWorm.N, Win32/Traxg.A, Worm.Nethood.a
Category: Computer Worm
Active & Spreading
Asia, North and South America, and some parts of Europe and Australia
09 Dec 2004
The [email protected] program is a mass-mailing worm that uses MAPI to send a copy of itself to e-mail addresses collected from the Outlook address book of the compromised PC. The worm is written for Chinese versions and affects Windows operating systems such as Windows 95, Windows 2000, Windows 98, Windows NT, Windows Me, Windows Server 2003, and Windows XP.
Once [email protected] is run on your system, it creates a copy of itself so that it is executed each time Windows starts. The worm also copies itself as %Windir%\FONTS\[RANDOM].com and adds a value to the registry. The worm is claimed to modify registry subkeys to change your Windows Explorer settings and to add the user "admin" to the local Administrators group of the victim computer. It will then share your drive C under the share name "C$" with the remote attacker.
[email protected] collects e-mail addresses from the Microsoft Outlook address book and sends e-mail messages with attached files to all the addresses it gathers on your system. The e-mail comes with the subject [CHINESE CHARACTERS], a message body, and an attachment named [CHINESE CHARACTERS].exe.
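The description above places the worm's copy in the Fonts folder under a random name with a .com extension, so a triage check of that folder is a natural first step. The following is an added example, not part of the original write-up; the function name and extension lists are assumptions chosen for illustration.

```python
import os
import sys

# Extensions Windows will launch directly; the worm described here uses ".com".
EXEC_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}
# Bitmap .fon fonts are legitimately MZ-format files, so the header alone is not a hit.
MZ_ALLOWED_EXTS = {".fon"}


def scan_fonts_dir(fonts_dir):
    """Return sorted (filename, reason) pairs for files that do not belong in a Fonts folder."""
    findings = []
    for entry in os.scandir(fonts_dir):
        if not entry.is_file(follow_symlinks=False):
            continue
        ext = os.path.splitext(entry.name)[1].lower()
        try:
            with open(entry.path, "rb") as fh:
                magic = fh.read(2)
        except OSError:
            magic = b""  # unreadable file: fall back to the extension check only
        if ext in EXEC_EXTS:
            findings.append((entry.name, "executable extension " + ext))
        elif magic == b"MZ" and ext not in MZ_ALLOWED_EXTS:
            # An executable renamed to look like a font or data file.
            findings.append((entry.name, "MZ header behind non-executable extension"))
    return sorted(findings)


if __name__ == "__main__":
    # Default to the live Fonts folder; pass a path to scan a mounted image instead.
    default = os.path.join(os.environ.get("WINDIR", r"C:\Windows"), "Fonts")
    target = sys.argv[1] if len(sys.argv) > 1 else default
    for name, reason in scan_fonts_dir(target):
        print(f"{name}: {reason}")
```

A hit is a lead for triage rather than a verdict; correlate it with the registry value and the unexpected "admin" account described above.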
The [email protected] application also disables the system's firewall settings and Web connection sharing. It then opens a random port to serve as a backdoor into the system, a hidden access route that the remote attacker can use. The software can be commanded to configure the infected system, and it can be programmed to imitate an FTP, SMTP, or HTTP server. The remote attacker can then steal information and files, send e-mails, or use the infected computer as a proxy server.