Aliases: W32.Logex.B, Win32:Logex, Win32/Roaller.B, W32/Roaller.B.worm, W32/Roaller.B
Variants: Email-Worm.Win32.Roaller.b, I-Worm.Roaller.b, W32/Roaller.worm.gen, Win32/[email protected], WORM_LOGEX.B

Classification: Malware
Category: Trojan Horse

Status: Active & Spreading
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 08 Aug 2003
Damage: Low

Characteristics: This Trojan Horse family is known for its ability to steal stored email addresses in various files in the infected computer system. The W32.Logex may use the harvested email addresses to target possible vulnerable machines to spread its codes by hijacking the user's account. When this malware is successfully executed into a compromised machine it will display an error message that the name of the Trojan Horse is not a valid 32-bit application.

More details about W32.Logex

A computer system which is infected by the W32.Logex will experience the display of a bogus error message which is designed to mimic a legitimate alert message from the operating system. It will drop two executable files into the directory folder used by the operating system. These files may use filenames that are associated with authentic system files. The W32.Logex will create a text file which is used to generate an executable file also in the same directory folder as the operating system. The executable file is a type of utility that is used by the malware to send spam email messages via the Simple Mail Transfer Protocol service. The W32.Logex will automatically load together with the operating system at every startup or boot up.

The automatic update feature of the W32.Logex is achieved by adding its own key values into the Windows Registry. It will use the Windows Registry service to hook certain applications associated with the functionalities of the operating system as well as email messaging clients. The W32.Logex will create two additional text files in the operating system directory folder. These text files are used to store harvested email addresses from HTML and HTM format files found in the infected computer system. The retrieved email addresses will be sent to a predefined address using a hard coded Simple Mail Transfer Protocol server.