[email protected]

Aliases: Generic.Malware.SFM!prn.DA5CABEB, I-Worm/Brontok.DX, W32/Rontokbro.UF, W32/Worm.IKQ, Win32:[email protected] [Wrm]
Variants: Worm.Mail.Brontok.nt, Worm/Brontok.Q.12, Worm:Win32/Brontok.FC, WORM_BRONTOK.Q

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 25 Jan 2007
Damage: Medium

Characteristics: This Brontok variant is a mass-mailing worm. It harvests e-mail addresses from the Outlook mail client on the compromised computer and sends copies of itself to them, and it also spreads by copying itself to local drives and to removable media. It runs on Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000 and Windows XP.

More details about [email protected]

When the worm is executed, it drops copies and working files under the user profile: Local Settings\Temp\Reply.exe, Local Settings\Temp\taskmgr.txt, Local Settings\Temp\spoolsv.tme and spoolsv.exe (the last is also the name of the legitimate Windows print spooler binary, so the path rather than the name is what identifies the dropped copy). It may also write Recycled.exe, Autorun.inf, Secret\Nice Sex.exe, 911 Death\911.exe, VDO\Nice Sex.exe and Data Fair\Nice Sex.exe to the root of every drive, and it creates, modifies and deletes registry entries. The Autorun.inf it writes, or modifies where one already exists, is intended to launch the worm automatically when the removable drive is inserted into another computer that has AutoRun enabled. The worm then mails a copy of itself to the addresses it harvested: the message carries the subject “Reply data folder”, a body reading “Please Save Attachment File For Detail Data In File (Save Attachment and after that Open the DataFle Scan Virus)” (the misspelling is part of the lure) and an attachment named Reply.exe.
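
The file, Autorun.inf and e-mail indicators listed above lend themselves to a simple triage check. The Python script below is an added example, not code from the original page or from any antivirus vendor: it tests a list of observed Windows paths, the contents of an Autorun.inf and a raw e-mail against the file names, subject line, body text and attachment name quoted in the description. The sample paths, the Autorun.inf body, the message headers and the attachment bytes are all constructed for illustration, and the assumption that the genuine spoolsv.exe lives under the Windows system directory is the script's own, not the page's.

```python
"""Indicator checks for the Brontok variant described above (added example)."""
import configparser
import email
from email import policy
from pathlib import PureWindowsPath

# Files the description says are dropped under <profile>\Local Settings\Temp.
TEMP_DROPS = {"reply.exe", "taskmgr.txt", "spoolsv.tme"}

# Files the description says are written relative to the root of every drive.
# Autorun.inf is deliberately left out here: any removable drive may carry one,
# so its contents are checked separately by autorun_references_drop().
DRIVE_DROPS = {
    r"Recycled.exe",
    r"Secret\Nice Sex.exe",
    r"911 Death\911.exe",
    r"VDO\Nice Sex.exe",
    r"Data Fair\Nice Sex.exe",
}
DRIVE_DROPS_LOWER = {d.lower() for d in DRIVE_DROPS}
DROP_BASENAMES = {PureWindowsPath(d).name.lower() for d in DRIVE_DROPS} | TEMP_DROPS

# The mass-mailing lure quoted in the description (compared case-insensitively).
MAIL_SUBJECT = "reply data folder"
MAIL_BODY_FRAGMENT = "please save attachment file for detail data in file"
MAIL_ATTACHMENT = "reply.exe"


def suspicious_paths(paths):
    """Return the observed paths that match a location the worm writes to."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        name = wp.name.lower()
        parents = [s.lower() for s in wp.parts[:-1]]
        # <profile>\Local Settings\Temp\{Reply.exe, taskmgr.txt, spoolsv.tme}
        if name in TEMP_DROPS and parents[-2:] == ["local settings", "temp"]:
            hits.append(p)
            continue
        # spoolsv.exe is also the legitimate print spooler. Assumption: the real
        # one lives under the Windows system directory, so only copies found
        # elsewhere (for example under a user profile) are flagged.
        if name == "spoolsv.exe" and not {"system32", "system"} & set(parents):
            hits.append(p)
            continue
        # <drive>:\Recycled.exe, <drive>:\Secret\Nice Sex.exe, ...
        rel_parts = wp.parts[1:] if wp.anchor else wp.parts
        if "\\".join(rel_parts).lower() in DRIVE_DROPS_LOWER:
            hits.append(p)
    return hits


def autorun_references_drop(autorun_text):
    """Return (key, value) pairs in [autorun] whose value names a dropped file."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cfg.read_string(autorun_text)
    hits = []
    for section in cfg.sections():
        if section.lower() != "autorun":  # section names are case-insensitive on Windows
            continue
        for key, value in cfg.items(section):  # configparser lower-cases the keys
            if any(basename in value.lower() for basename in DROP_BASENAMES):
                hits.append((key, value))
    return hits


def matches_mail_lure(raw_message):
    """True if a raw RFC 822 message matches the worm's subject, body and attachment."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    attachments = {(part.get_filename() or "").lower() for part in msg.iter_attachments()}
    return (subject == MAIL_SUBJECT
            and MAIL_BODY_FRAGMENT in body
            and MAIL_ATTACHMENT in attachments)


# Constructed sample inputs for an offline run (not real infection data).
SAMPLE_PATHS = [
    r"C:\Documents and Settings\alice\Local Settings\Temp\Reply.exe",
    r"C:\Documents and Settings\alice\Local Settings\Temp\taskmgr.txt",
    r"C:\Documents and Settings\alice\spoolsv.exe",
    r"C:\WINDOWS\system32\spoolsv.exe",
    r"E:\Secret\Nice Sex.exe",
    r"E:\Data Fair\Nice Sex.exe",
    r"E:\Autorun.inf",
    r"C:\Program Files\Example\example.exe",
]
SAMPLE_AUTORUN = r"""[autorun]
open=Recycled.exe
shellexecute=Recycled.exe
shell\Auto\command=Recycled.exe
shell=Auto
"""
SAMPLE_MAIL = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: Reply data folder
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="us-ascii"

Please Save Attachment File For Detail Data In File (Save Attachment and after that Open the DataFle Scan Virus)
--sep
Content-Type: application/octet-stream; name="Reply.exe"
Content-Disposition: attachment; filename="Reply.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--sep--
"""

if __name__ == "__main__":
    for p in suspicious_paths(SAMPLE_PATHS):
        print("suspicious path:", p)
    for key, value in autorun_references_drop(SAMPLE_AUTORUN):
        print("autorun entry:", key, "=", value)
    print("mail matches lure:", matches_mail_lure(SAMPLE_MAIL))
```

All comparisons are case-insensitive because Windows file names are, and the mail check requires the subject, the body fragment and the attachment name to agree at the same time, so a benign message that happens to share only one of them is not reported.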

The worm may also reach a computer when the user visits a website that serves malicious code or one whose security certificate has expired, or through files offered on shared network drives and P2P (peer-to-peer) file-sharing programs. Once executed it runs silently and may configure itself to launch at every reboot, and it can then spread to other computers in the same ways. Files offered through P2P applications are a common carrier for threats of this kind: they are given the names of popular searches, downloads or legitimate programs so that users download and run them without suspicion.