[email protected]

Aliases: W32/Zush, Win32/Zush.A, Email-Worm.Win32.Zush, I-Worm.Zush, W32/HLL.ow.Zush
Variants: W32/Zush-A, Win32/[email protected], W32/Zush.A, I-Worm/Zush.B, [email protected]

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 24 Sep 2001
Damage: Low

Characteristics: The [email protected] program is a worm that spreads itself without any user intervention. It copies itself to a system file and then sends email to all the contacts it finds in the Windows Address Book.

More details about [email protected]

The [email protected] is a mass-mailing worm that affects most Windows operating systems. Its objective is to spread itself and infect as many computers as possible. It does this by creating copies of itself, collecting email addresses from the infected computer’s address book, and sending itself to the collected addresses. The email distributed by the [email protected] looks like a regular email from a regular person, except for its subject, which is written in Spanish. When an email contains the [email protected] worm, the worm activates as soon as the mail is previewed. The [email protected] runs in the background of the infected system as a system process, using up system resources. This greatly affects the system’s performance and functionality, which usually results in abnormal system behavior and, in the worst case, a system crash.

When the [email protected] worm is launched, it locates the infected computer’s system folder and creates a copy of itself there as a system executable file named “System32.exe”. It then sends emails to all the contacts it finds in the user’s email list, with the subject “Vazna informacija!”, a random message body, and an executable file attachment. If a computer is infected with the [email protected] worm, it may perform poorly and become unresponsive. This can be fixed by removing the worm. To do this, the user should first disable System Restore to prevent the [email protected] worm from being restored. Then, using up-to-date security software installed on the computer, run a full system scan and delete all the files detected as [email protected].
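The two indicators described above (the “Vazna informacija!” subject paired with an executable attachment, and a file named System32.exe in the system folder) can be checked as in the following added example, which is not part of the original write-up. The extension list, the function names, and the sample messages are assumptions constructed for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above.
SUBJECT_IOC = "vazna informacija!"
DROPPED_NAME = "system32.exe"
# Assumption: which extensions count as an "executable attachment".
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")


def score_message(raw_bytes):
    """Parse a raw message and report which mail indicators match."""
    # policy.default decodes RFC 2047 encoded-word subjects before comparison.
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    executables = [n for n in names if n.lower().strip().endswith(EXEC_EXTS)]
    subject_match = subject == SUBJECT_IOC
    return {
        "subject_match": subject_match,
        "executables": executables,
        "suspicious": subject_match and bool(executables),
    }


def dropped_copy_present(system_dir):
    """True if a file named System32.exe (any case) exists in system_dir."""
    return any(n.lower() == DROPPED_NAME and
               os.path.isfile(os.path.join(system_dir, n))
               for n in os.listdir(system_dir))


def build_sample(subject, filename=None):
    """Constructed sample message for the demo, not a captured worm email."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("constructed body text")
    if filename:
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(score_message(build_sample("Vazna informacija!", "photo.exe")))
    print(score_message(build_sample("Meeting notes", "notes.txt")))
```

A subject match without an executable attachment is reported but not flagged as suspicious, since the description pairs the two.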