Aliases: I-Worm.Zoher, Scherzo, Sheer, W32.Zoher@mm, W32/Sheer.A-mm
Variants: W32/Zoher, I-Worm/Zoher, WORM_ZOHER, W32/Zoher@MM, Zoher Internet Worm

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 24 Dec 2001
Damage: Low

Characteristics: W32.Zoher@mm is a mass-mailing worm that arrives as an email message written in Italian with an executable file attached. It exploits a vulnerability in Microsoft Outlook and Outlook Express so that the attachment runs as soon as the message is opened or previewed, without the user launching it.

W32.Zoher@mm is a worm that spreads through email. It arrives as a forwarded message with an Italian subject and body and an executable file attached. When the message is opened or merely previewed in the preview pane, the worm executes itself by exploiting a vulnerability in Microsoft Outlook and Outlook Express. It also tries to copy itself to other machines on the infected computer's local network. To mail itself, it sends a copy to every address in the address book through the SMTP server address stored in the system registry, that is, the victim's own mail-client configuration, so outbound copies travel through the legitimate mail server. The worm also downloads a text file from a specific malicious site and uses its contents as the subject and body text of the messages it sends, which means the message text is not fixed and can change if the remote file changes.

Once W32.Zoher@mm runs, it immediately mails itself to everyone in the Microsoft Windows address book. The message observed in the wild is a forwarded message with the subject "Fw: Scherzo!", a very long Italian message body, and an attachment named "Javascript.exe". On vulnerable systems the attachment launches itself when the message is viewed. Because the worm fetches its subject and body text from a remote site, the subject above is only a partial indicator; the attachment name and the presence of an executable attachment are the more stable signs. The worm does not install itself on the system, so cleaning up an infection is easy: update the security software on the infected computer, run a full system scan, and delete every file detected as W32.Zoher@mm.
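The following mail-gateway style check is an added example, not code from the original write-up or from any vendor's product. It parses RFC 822 messages with Python's standard `email` package and flags the indicators described above: the observed subject, the "Javascript.exe" attachment name, any directly executable attachment, and an executable declared under a non-application Content-Type (the auto-execution trick mail worms of this period relied on; the specific header values, the extension list and the sample messages are constructed assumptions, not captures). Because the worm's subject and body text come from a remote file, the verdict function treats the attachment name as the primary indicator and the subject only as supporting evidence.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the write-up above: the observed subject and attachment name.
ZOHER_SUBJECT = "Fw: Scherzo!"
ZOHER_ATTACHMENT = "Javascript.exe"
# Extensions a mail gateway would treat as directly executable (assumption, not from the write-up).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")


def iter_attachments(msg):
    """Yield (filename, content_type) for every non-multipart part that carries a filename."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            yield filename, part.get_content_type()


def classify_message(raw_bytes):
    """Parse one RFC 822 message and return the list of indicator names that fired."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip().lower() == ZOHER_SUBJECT.lower():
        hits.append("subject")
    for filename, ctype in iter_attachments(msg):
        name = filename.lower()
        if name == ZOHER_ATTACHMENT.lower():
            hits.append("zoher-attachment")
        elif name.endswith(EXECUTABLE_EXTENSIONS):
            hits.append("executable-attachment")
        # Worms of this period got the mail client to auto-run the attachment by declaring an
        # executable under a harmless Content-Type; the exact header values here are an assumption.
        if name.endswith(EXECUTABLE_EXTENSIONS) and not ctype.startswith("application/"):
            hits.append("mime-type-mismatch")
    return hits


def is_zoher(raw_bytes):
    """The attachment name is the stable indicator. The subject alone is not enough, because
    the worm fetches its subject and body text from a remote file and they may change."""
    hits = classify_message(raw_bytes)
    return "zoher-attachment" in hits or ("subject" in hits and "executable-attachment" in hits)


def build_sample(subject, body, attachment_name, content_type):
    """Construct a test message (not a real capture) with one attachment of the given type."""
    msg = EmailMessage()
    msg["From"] = "mittente@example.com"
    msg["To"] = "destinatario@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    maintype, subtype = content_type.split("/", 1)
    # A fake MZ header stands in for the worm body; the payload is deliberately not a real binary.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype=maintype, subtype=subtype,
                       filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: a Zoher-style message, a benign PDF, and an unrelated executable attachment.
SAMPLE_ZOHER = build_sample("Fw: Scherzo!", "Guarda questo scherzo!", "Javascript.exe", "audio/x-wav")
SAMPLE_BENIGN = build_sample("Rapporto trimestrale", "In allegato il rapporto.", "rapporto.pdf",
                             "application/pdf")
SAMPLE_OTHER_EXE = build_sample("Aggiornamento", "Installa questo.", "setup.exe",
                                "application/octet-stream")

if __name__ == "__main__":
    for label, raw in (("zoher", SAMPLE_ZOHER), ("benign", SAMPLE_BENIGN),
                       ("other exe", SAMPLE_OTHER_EXE)):
        print(f"{label}: {classify_message(raw)} -> is_zoher={is_zoher(raw)}")
```

Run it as a script to see the indicator lists for the three constructed messages; in a real deployment `classify_message` would be fed raw messages from the gateway's quarantine or an mbox, and the generic `executable-attachment` and `mime-type-mismatch` indicators catch the many relatives of this worm that used the same delivery trick with different names.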