I-Worm.Antiman.D1, Email-Worm.Win32.Antiman.c, W32/Antiman-D, Win32/Antiman.worm.44544, W32/Generic.Delphi.c
not-a-virus:AdWare.Win32.AdMoke, Email-Worm.Win32.Antiman, WORM_ANTIMAN, W32/[email protected]
Category: Computer Worm
Active & Spreading
Europe, North America
25 Apr 2005
The Antiman worm carries its own Simple Mail Transfer Protocol (SMTP) engine, so it can send email directly to addresses harvested from the infected machine without going through the user's mail client. As with other mass-mailing worms, its payload only runs if the recipient launches the attached file, which the worm encourages with misleading message contents.
Like other mass-mailing worms, Antiman normally arrives as a seemingly innocent email attachment. When launched, it drops the file funny.scr into the Windows directory and registers its main executable under a Windows Registry autostart key, so that the worm is loaded at every startup or reboot. It also places a file named startwin.exe in the Startup subfolder of the user's account, which Windows runs at each logon, and writes a file called m.txt to the root directory of the main hard drive. In the Registry it sets the SCRNSAVE.EXE and ScreenSaveTimeOut values, which Windows (under HKEY_CURRENT_USER\Control Panel\Desktop) uses to select the screensaver executable and the idle time before it starts. Email addresses are harvested from the Outbox, Inbox and Deleted Items folders of Microsoft Outlook, and the log files of the Yahoo! Instant Messenger client are also inspected for further addresses to target.
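The following PowerShell is an added example, not part of the original page or of any vendor tool, for checking a host for the artifacts described above; it only reports and removes nothing. The page names the dropped files and the two screensaver values but not the autostart key, so the Run keys checked here, and the HKCU:\Control Panel\Desktop location of the screensaver values (where Windows keeps them), are assumptions of this example.

```powershell
# Added example (not from the original page): read-only sweep for the Antiman
# artifacts described above. Run in an elevated PowerShell session.
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Kind, [string]$Location, [string]$Detail)
    # $findings is resolved from the enclosing scope; Add() mutates the list in place.
    $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
}

# 1. Dropped files the page names: funny.scr (Windows directory),
#    startwin.exe (the user's Startup folder) and m.txt (root of the system drive).
$dropped = @(
    (Join-Path $env:windir 'funny.scr'),
    (Join-Path ([Environment]::GetFolderPath('Startup')) 'startwin.exe'),
    (Join-Path $env:SystemDrive 'm.txt')
)
foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path
        Add-Finding -Kind 'File' -Location $path `
            -Detail ('{0} bytes, modified {1:u}' -f $item.Length, $item.LastWriteTime)
    }
}

# 2. Screensaver values. Windows stores SCRNSAVE.EXE and ScreenSaveTimeOut under
#    HKCU:\Control Panel\Desktop (assumed to be the key the page refers to).
#    Any screensaver value is recorded so an analyst can judge unfamiliar ones;
#    one pointing at funny.scr is marked as a match.
$desktopKey = 'HKCU:\Control Panel\Desktop'
$desktop = Get-ItemProperty -Path $desktopKey -ErrorAction SilentlyContinue
if ($desktop) {
    $scr = [string]$desktop.'SCRNSAVE.EXE'
    if ($scr) {
        $kind = if ($scr -match 'funny\.scr$') { 'Registry (match)' } else { 'Registry (info)' }
        Add-Finding -Kind $kind -Location "$desktopKey\SCRNSAVE.EXE" -Detail $scr
    }
    if ($desktop.ScreenSaveTimeOut) {
        Add-Finding -Kind 'Registry (info)' -Location "$desktopKey\ScreenSaveTimeOut" `
            -Detail ([string]$desktop.ScreenSaveTimeOut)
    }
}

# 3. Autostart entries referencing the dropped files. The page does not name the
#    key the worm uses; the standard Run keys are checked here as an assumption.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $values) { continue }
    foreach ($prop in $values.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }   # skip provider metadata
        if ("$($prop.Value)" -match 'funny\.scr|startwin\.exe') {
            Add-Finding -Kind 'Autorun' -Location "$key\$($prop.Name)" -Detail "$($prop.Value)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Antiman artifacts found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A hit on funny.scr or startwin.exe is the strong signal; the informational screensaver entries are there because a changed SCRNSAVE.EXE value is otherwise easy to overlook, and the same sweep can be pointed at other dropped-file names by editing the lists at the top.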
Antiman's own SMTP engine delivers the messages, relaying through the SMTP server configured on the infected machine, so it does not depend on the victim's mail client to send them. For each message it picks from a predefined set of subject lines, message bodies and attachment names. The attachment name may carry more than one file extension; whatever the number of extensions used, .exe is always the last one, so the file is a Windows executable even when the visible part of the name suggests a harmless file type, particularly on systems where Explorer hides known file extensions.
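The stacked-extension pattern above is easy to screen for at a mail gateway or in a quarantine directory. The following PowerShell function is an added example, not code from the original page or from any vendor; the sample attachment names it runs on are constructed for illustration, and the optional list of executable extensions goes beyond the page, which documents only .exe for Antiman.

```powershell
# Added example (not from the original page): flag attachment names that use the
# stacked-extension trick described above. Sample names below are constructed.
function Test-DisguisedExecutable {
    param(
        [Parameter(Mandatory)][string]$Name,
        # Extensions that make the name a Windows executable. The page documents
        # only .exe for Antiman; pass 'exe','scr','pif','com','bat' to generalise.
        [string[]]$ExecutableExtensions = @('exe')
    )

    # Senders pad names with spaces so ".exe" scrolls out of a narrow attachment
    # column; collapse whitespace first so "report.txt      .exe" is still caught.
    $clean = ($Name -replace '\s+', ' ').Trim()
    $parts = $clean.Split('.')
    # Everything after the first dot is treated as the extension chain.
    $exts = @($parts | Select-Object -Skip 1 | ForEach-Object { $_.Trim().ToLowerInvariant() })
    $last = if ($exts.Count -gt 0) { $exts[-1] } else { '' }

    [pscustomobject]@{
        Name           = $Name
        ExtensionChain = ($exts -join '.')
        IsExecutable   = ($ExecutableExtensions -contains $last)
        # The Antiman pattern: two or more extensions with an executable one last.
        Stacked        = ($exts.Count -ge 2 -and $ExecutableExtensions -contains $last)
        Padded         = ($clean -ne $Name)
    }
}

# Constructed sample names (not from the page) covering the cases of interest:
# plain stacking, whitespace padding, a bare .exe, a benign name, and a non-.exe stack.
$samples = @(
    'photo.jpg.exe',
    'Report.TXT                                   .exe',
    'setup.exe',
    'notes.txt',
    'invoice.pdf.scr'
)
$samples | ForEach-Object { Test-DisguisedExecutable -Name $_ } | Format-Table -AutoSize
```

Run it over a quarantine or mail-drop directory with Get-ChildItem -File piped through ForEach-Object { Test-DisguisedExecutable $_.Name }, and filter on Stacked for the Antiman pattern or on IsExecutable for any executable attachment; invoice.pdf.scr in the sample set is only flagged once 'scr' is added to the executable extension list.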