Email-Worm.Win32.MsWorld, I-Worm.MsWorld, W32/[email protected], Win32.HLLW.MsWorld, Win32/[email protected]
Category: Computer Worm
Asia, South America, North America, Europe, Africa, Australia and New Zealand, Canada
05 Jan 2001
The MsWorld malware is a mass-mailing worm written in Visual Basic. It uses a Macromedia Flash presentation to mask its malicious purpose. It also tries to alter the file autoexec.bat so that drive C:\ is formatted when the system is restarted, and it tries to delete some files in the Windows Registry.
If you have malware on your computer, it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean MsWorld from your computer.
When run on the victim machine, the MsWorld worm checks for the presence of the MS Outlook application and, if it finds it, tries to use it to propagate. When the worm is executed, it displays so-called Miss World pictures and then executes 2 Trojan routines. The pictures show sexy girls but with a man’s face. The worm spreads in the typical way, through MS Outlook: it scans the application's address book, collects at least 50 email addresses and sends email messages to them. The sent messages have the subject ‘Miss World’ and the body ‘Hi and some random characters’. The exe file attached to the message contains a copy of the worm. The worm is also known to append DOS batch commands to the end of the file autoexec.bat so that it displays a message.
The MsWorld worm will also attempt to format every local fixed drive and to delete the system registry files and their backups, which include the files system.dat, system.da0, user.da0 and user.dat. However, since these files are typically locked by the operating system for protection, the worm will most likely fail to delete them and will exit instead.
The MsWorld program drops its core components in the Windows system folder. These files are used by the application as its main executable file. The same file is transmitted to the shared folders available on the network. The wmiprvsc.exe file is registered as a system service, which allows the program to execute automatically every time Windows boots up. The file is displayed on the computer as the Windows Update Process service.
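
A triage check for the autoexec.bat tampering described above, added here as an example and not code from the original page: it flags batch lines that would format a drive or delete the registry files named above, while ignoring comments and echoed text. The exact commands the worm writes are not given on the page, so the rules, the function names and the sample file are constructed assumptions.

```python
import re

# Registry files the page says the worm tries to delete.
REGISTRY_FILES = {"system.dat", "system.da0", "user.dat", "user.da0"}
DELETE_CMDS = {"del", "erase", "deltree"}
EXE_SUFFIX = re.compile(r"\.(com|exe|bat)$")
DRIVE_ARG = re.compile(r"^[a-z]:(\\|/|$)")  # matches c:  c:\  c:/q

# Constructed sample, not taken from a real infection.
SAMPLE = r"""@ECHO OFF
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
REM format c: is only mentioned in this comment
ECHO Do not format c: by hand
@echo y | C:\WINDOWS\COMMAND\FORMAT.COM C: /q
deltree /y c:\windows\system.dat
"""


def _leaf(token):
    """Return the last path component of a token."""
    return token.replace("/", "\\").rsplit("\\", 1)[-1]


def scan_autoexec(text):
    """Return (line_no, rule, line) for each destructive command found."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # A pipe feeds a canned answer to the next command ("echo y | format"),
        # so each side of the pipe is inspected as its own command.
        for segment in line.lower().split("|"):
            tokens = segment.strip().lstrip("@").split()
            if not tokens or tokens[0].startswith("::"):
                continue
            cmd, args = EXE_SUFFIX.sub("", _leaf(tokens[0])), tokens[1:]
            if cmd in ("rem", "echo"):
                continue  # comments and printed text do not execute
            if cmd == "format" and any(DRIVE_ARG.match(a) for a in args):
                findings.append((line_no, "format-drive", line))
            elif cmd in DELETE_CMDS and any(_leaf(a) in REGISTRY_FILES for a in args):
                findings.append((line_no, "delete-registry-file", line))
    return findings


if __name__ == "__main__":
    for line_no, rule, line in scan_autoexec(SAMPLE):
        print(f"line {line_no}: {rule}: {line}")
```

A clean result does not rule out infection; it only covers the autoexec.bat change, not the Outlook mailing or the service registration.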