Aliases: Win32.Holar, W32/Holar-A, I-Worm.Holar, W32/Holar@mm, Email-Worm.Win32.Holar.a, W32/Holar.gen, Win32.HLLM.Generic.76, Win32:Trojan-gen
Category: Computer Worm
Status: Active & Spreading
Date: 31 Jul 2002
Holar belongs to the mass-mailing worm category: it harvests the contents of the infected machine's email address book and mails a copy of itself to the addresses it finds. Like most mass mailers of its time, it can send either through its own Simple Mail Transfer Protocol (SMTP) engine or through the default email client of the infected system; a worm with its own SMTP engine makes direct outbound port 25 connections from a host that would normally only talk to its configured mail server, which is a useful network indicator. Beyond email, Holar can also spread to other computers through network shares, Internet Relay Chat (IRC) and instant-messaging (IM) clients.
If Holar is present on your computer it will cause annoyances and may damage the system. You should either:
A. Manually remove the infected files from your computer, or
B. Scan your system with trusted anti-malware software and let it remove them automatically.
On first execution, Holar copies itself into the Windows directory. The dropped file usually has a randomly generated name but carries either an .SCR or a .PIF extension, both of which Windows treats as executable regardless of the icon shown. The worm also creates several supporting files: a web server component, a storage file holding a Multipurpose Internet Mail Extensions (MIME) encoded copy of the worm, and an HTML container whose IFRAME instruction redirects the web browser to an EML (email message) file stored on the hard drive. Using that same EML file, Holar can also write its code into HTML and HTM files. Finally, it modifies the Windows Registry so that both the worm and its web server component are loaded automatically at boot or restart.
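The dropped-file and registry behaviour described above gives a concrete host check. The following Python is an added example written for this page, not code from the original entry or from any antivirus vendor. It parses the Run/RunServices values out of a constructed .reg export and flags any autorun entry whose target is a .SCR or .PIF file sitting directly in the Windows directory, and it extracts the EML targets that an HTM/HTML file pulls in through an IFRAME, the loader pattern the description names. The registry export, the value names, the paths and the HTML snippet are made up for the example; the Windows directory locations and the %SystemRoot% expansion are assumptions to adapt to the host being examined.

```python
import re
from pathlib import PureWindowsPath

# Assumptions for the example: where the Windows directory lives on the host
# and the two extensions the worm's dropper is described as using.
SYSTEM_ROOTS = {"c:\\windows", "c:\\winnt"}
DROPPER_EXTS = {".scr", ".pif"}
RUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runservices")


def parse_run_values(reg_export):
    """Map value name -> command for every Run/RunServices key in a .reg export."""
    values, in_run_key = {}, False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower().endswith(RUN_KEY_SUFFIXES)
        elif in_run_key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg string data doubles backslashes and escapes embedded quotes
            data = data.strip().strip('"').replace("\\\\", "\\").replace('\\"', '"')
            values[name.strip('"')] = data
    return values


def command_target(command):
    """Executable path from an autorun command: the quoted path, or the first token."""
    command = command.strip()
    # Assumed expansion of the usual system-root variables for the example host
    command = re.sub(r"%(systemroot|windir)%", lambda m: "C:\\WINDOWS", command,
                     flags=re.IGNORECASE)
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def flag_autoruns(values):
    """Autorun entries whose target is a .scr/.pif directly under the Windows directory."""
    hits = []
    for name, command in values.items():
        target = PureWindowsPath(command_target(command))
        if (str(target.parent).lower() in SYSTEM_ROOTS
                and target.suffix.lower() in DROPPER_EXTS):
            hits.append((name, str(target)))
    return hits


IFRAME_TO_EML = re.compile(r"<iframe[^>]*\bsrc\s*=\s*['\"]?([^'\">\s]+\.eml)", re.IGNORECASE)


def iframe_eml_targets(html):
    """EML files that an HTML/HTM file loads through an IFRAME."""
    return IFRAME_TO_EML.findall(html)


# --- constructed samples (hypothetical names and paths, not a real infection) ---
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"qwxzkl"="C:\\WINDOWS\\qwxzkl.scr"
"Lbsvc"="\"%SystemRoot%\\lbsvc.pif\" /s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"DisplayName"="Foo"
'''

SAMPLE_HTML = ('<html><body><iframe src="C:\\WINDOWS\\mail.eml" width=0 height=0>'
               '</iframe></body></html>')

if __name__ == "__main__":
    for name, path in flag_autoruns(parse_run_values(SAMPLE_REG)):
        print(f"suspicious autorun {name!r} -> {path}")
    for eml in iframe_eml_targets(SAMPLE_HTML):
        print(f"HTML loads EML via IFRAME: {eml}")
```

The check deliberately keys on location and extension rather than on the random filename, which cannot be matched with a fixed signature; an .SCR or .PIF registered for autorun straight out of the Windows directory is unusual enough on its own to be worth a look.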
Holar then harvests email addresses from the email client's address book and from HTM and HTML files on the disk. To deliver its messages it reads the SMTP server address and proxy settings that the installed mail client stored in the Windows Registry, so it can relay through the victim's own configured mail server. The message it sends has a blank body, and the attachment's filename is the same as the text in the subject line. Holar has also been observed to exploit a MIME-handling vulnerability that lets the attachment run as soon as the message is previewed or read, without the recipient opening the attachment; on a mail client patched against that flaw the attachment still runs if the user launches it by hand.
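The message characteristics described above can be turned into a mail-gateway triage check. The following Python is an added example written for this page, not code from the original entry or from any antivirus vendor. It parses a constructed sample message (built inline, not a captured Holar email) and flags the traits the description names: a blank body, an attachment whose name repeats the subject, a .SCR/.PIF attachment, and a declared MIME type that does not match an executable attachment, which is the general shape of the MIME auto-execution trick and is used here as a generic check rather than as a claim about Holar's exact headers. The tag names, the addresses and the combination rule in holar_like are my own.

```python
import base64
import email
from email import policy
from pathlib import PureWindowsPath

# Extensions Windows treats as executable; .scr and .pif are the two Holar uses.
EXEC_EXTS = {".scr", ".pif", ".exe", ".com", ".bat", ".cmd"}


def triage_message(raw):
    """Return the set of indicator tags found in one RFC 822 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    tags = set()
    subject = (msg["Subject"] or "").strip()

    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        tags.add("blank_body")

    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = PureWindowsPath(filename).suffix.lower()
        stem = PureWindowsPath(filename).stem
        if ext in EXEC_EXTS:
            tags.add("executable_attachment")
            # An executable declared as audio/image/text is the classic MIME-type lie.
            if not part.get_content_type().startswith("application/"):
                tags.add("content_type_mismatch")
        if filename and subject and subject in (filename, stem):
            tags.add("attachment_named_after_subject")
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":
            tags.add("mz_header")  # Windows executable whatever the declared type
    return tags


def holar_like(raw):
    """Hypothetical rule: the three mail traits from the description co-occur."""
    required = {"blank_body", "executable_attachment", "attachment_named_after_subject"}
    return required <= triage_message(raw)


# --- constructed samples (not captured Holar traffic; addresses are placeholders) ---
def _build(subject, body, filename, ctype, data):
    """Assemble a minimal multipart/mixed message with one base64 attachment."""
    b64 = base64.b64encode(data).decode()
    return (
        "From: victim@example.test\r\n"
        "To: target@example.test\r\n"
        f"Subject: {subject}\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="sep"\r\n\r\n'
        "--sep\r\nContent-Type: text/plain\r\n\r\n"
        f"{body}\r\n"
        f'--sep\r\nContent-Type: {ctype}; name="{filename}"\r\n'
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\n"
        f"{b64}\r\n--sep--\r\n"
    ).encode()


FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60   # only the DOS header magic, nothing executable
SUSPECT = _build("report", "", "report.scr", "audio/x-wav", FAKE_PE)
BENIGN = _build("Meeting minutes", "See attached.", "minutes.pdf",
                "application/pdf", b"%PDF-1.4\n")

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, sorted(triage_message(raw)), holar_like(raw))
```

The MZ check is what catches the type lie on a gateway that has already stripped or rewritten the declared Content-Type: the worm body is a Windows executable whatever header the message carries, so inspecting the decoded bytes is more robust than trusting either the extension or the MIME type alone.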