[email protected]

Aliases: Win32:Yenik, I-Worm/Yenik.A, [email protected], W32/Yenik.A.worm, Win32/Yenik.A
Variants: [email protected], W32/Yenik-A, Win32/[email protected], WORM_YENIK.A, Worm/Yenik

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 10 Feb 2004
Damage: Low

Characteristics: The W32/[email protected] program is a worm that sends itself through e-mail to the addresses found in the Microsoft Outlook address book. The e-mail arrives with a variable subject and a variable attachment name. The attachment has a .exe file extension. The worm also attempts to spread via network shares, such as Morpheus, KaZaA, eMule, BearShare, eDonkey, and Grokster, and via ICQ.

More details about [email protected]

When W32/[email protected] is executed on your system, it attempts to copy %System%\Updater.exe into the current working directory (the directory in which the file was executed) as NewVirusCleaner.exe, WinXP-SP1.exe, W32-Myd00m_Blocker.exe, VirusHunherII.exe, InternetExplorerSecurity.exe, FreeAntivirus.exe, PrivateMessage.exe, Patcher.exe, and Win98Security.exe. The worm uses account information from the registry key and SMTP server to e-mail itself to all addresses it finds in the Windows Address Book. The subject, message body, and attachment vary. They may be temporarily stored as Yeni.txt in the current working directory. The e-mail arrives with one of the following subjects: Big Virus Cleaner Tools, Internet Explorer Security Bug Fix, New Private Message, Win98 Security Tools, No Virus and New Life, New Security Patcher and Free Antivirus.
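The file names above can be turned into a directory triage check. The following is an added example, not part of the original entry: it flags directories that hold the listed names, and treats byte-identical copies under different listed names (the entry says they are all copies of one file) or a Yeni.txt alongside them as the stronger signal. The function names and the low/high scoring are assumptions of this example.

```python
import hashlib
import os
from collections import defaultdict

# File names the entry lists for the worm's copies of %System%\Updater.exe.
DECOY_NAMES = {n.lower() for n in (
    "NewVirusCleaner.exe", "WinXP-SP1.exe", "W32-Myd00m_Blocker.exe",
    "VirusHunherII.exe", "InternetExplorerSecurity.exe", "FreeAntivirus.exe",
    "PrivateMessage.exe", "Patcher.exe", "Win98Security.exe",
)}
STAGING_FILE = "yeni.txt"  # temporary mail-content file named in the entry


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large executables are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(root):
    """Return {directory: finding} for directories holding listed names."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        hits = sorted(f for f in files if f.lower() in DECOY_NAMES)
        if not hits:
            continue
        by_hash = defaultdict(list)
        for name in hits:
            try:
                by_hash[sha256_of(os.path.join(dirpath, name))].append(name)
            except OSError:
                continue  # locked or unreadable file: skip, keep scanning
        clones = max((len(v) for v in by_hash.values()), default=0)
        staging = any(f.lower() == STAGING_FILE for f in files)
        # Scoring is an assumption of this example, not from the entry:
        # one name match alone is weak (e.g. a legitimate Patcher.exe);
        # identical copies under several names, or Yeni.txt, are strong.
        level = "high" if clones >= 2 or staging else "low"
        findings[dirpath] = {"names": hits, "identical_copies": clones,
                             "staging_file": staging, "level": level}
    return findings
```

Call `triage()` on a user profile or download folder and review the "high" directories first; a "low" hit is only a name collision until the file itself is examined.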

The [email protected] application enters a computer stealthily. The user may unknowingly download it when visiting websites that have malicious code embedded in them. A computer that has not been updated with the latest vulnerability patches is easily infected with this application. The software takes advantage of program errors to enter the computer without being detected by the user. The [email protected] software creates a backdoor on the affected computer. A remote user can use this backdoor to send commands to the Trojan program. These commands trigger activities that may decrease the system's performance, including uploading and downloading unwanted content, starting web attacks, and removing important files from the user's machine.