[email protected]

Aliases: W32/[email protected], I-Worm/Yanz.B, [email protected], W32/Yanz.B.worm, NewHeur_PE
Variants: Win32.HLLM.SunYanzi.2, W32/Favsin-A, Win32/[email protected], WORM_YANZ.B, Worm/Yanz.B.3  

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 23 Nov 2004
Damage: Medium

Characteristics: The W32/[email protected] program is a mass mailing worm that utilizes its SMTP engine to spread itself by e-mail messages to addresses that it retrieves from the compromised computer. This worm affects windows platform such as Windows 95, Windows 2000, Windows Me, Windows 98, Windows Server 2003, Windows NT, and Windows XP

More details about [email protected]

[email protected] is written in the Microsoft Visual C++ programming language. Once the worm is executed; it displays a message box with WINDOWS PANIC as its title and a message saying “No Windows.” “Yes doors and holes”. The worm will then copy itself as %System%\NvCpl.EXE and %System%\Dong_Shi.exe to the system folder. It also creates other files to the Windows installation folder and when these processes are completed, the file sun.exe will run and creates “three .jpg” files under Temp folder. The particular file names have "SuN" as its prefix. It will then add value to the registry key in order for the worm to run every time the windows start. Creates a mutex "Stefanie Sun Yanzi", which allows only one instance of the worm to run.

Users may receive this application when it is bundled with other programs. These can be freeware and shareware software downloaded from unreliable websites. The program may also be included in files spread via peer-to-peer (P2P) file sharing networks. The [email protected] software can also be sent to the user in an e-mail or instant message. The content and subject line may label the file as a harmless file or a necessary program update. The malware program can also be installed in the system by other applications. The application places a number of files in the system. Registry changes are also made so it can run at system startup.