Category: Computer Worm
Europe, North and South America, and some parts of Asia and Australia
23 Dec 2002
The W32/[email protected] is a mass-mailing worm which activates only when certain conditions are met. The worm mass-mails copies of itself to email contacts found on your computer. The author chose to give this to AVERT. This worm automatically recovers email addresses from .asp, .doc, .ht*, .php, and .xls files in the compromised computer’s personal folder, favorites folder, temporary Internet files cache folder and the desktop folder.
If you have malware on your computer, it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean [email protected] from your computer.
This worm also uses its own SMTP engine to transmit a zipped copy of itself to all email addresses it finds. The email is text, base64 encoded, and carries a ".zip" file attachment. The Subject may be "Fw: Interesting! Re: Thanks", "hi", or "Keep Smiling! :) Christman Greetings". The Body may be "look what i've made", "awesome stuff, check att" or "Something Special!" The attachment is named "Happy_XMas.zip", "Happyy2k3.zi", "BestWishes.zip" or "attachment.zip". Once this ".zip" file is clicked, the embedded ".exe" files will open and the worm will generate new files saved in the Windows directory. These files are bacoorfina.exe, bacoorfina.txt, bacoorfina.eml and bacoorfina.zip. The "bacoorfina.exe" file is a 32-bit Portable Executable (PE) file which has a size of 7520 bytes and is packed with FSG.
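The mail traits described above can be checked at a mail gateway or during mailbox triage. The following is an added example, not code from the original page or from any vendor: the function names and the constructed sample messages are assumptions, and the subject and attachment strings are taken from the description above as it delimits them.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied verbatim from the description above (spelling as given there).
SUBJECTS = {"Fw: Interesting! Re: Thanks", "hi", "Keep Smiling! :) Christman Greetings"}
ATTACHMENTS = {"Happy_XMas.zip", "Happyy2k3.zi", "BestWishes.zip", "attachment.zip"}


def triage(raw: bytes) -> list[str]:
    """Return the reasons a raw RFC 5322 message matches the described worm mail."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip()
    if subject in SUBJECTS:
        reasons.append(f"subject:{subject}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name in ATTACHMENTS:
            reasons.append(f"attachment-name:{name}")
        data = part.get_payload(decode=True) or b""  # undoes the base64 transfer encoding
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():  # names only; nothing is extracted
                if member.lower().endswith(".exe"):
                    reasons.append(f"exe-in-zip:{name}/{member}")
    return reasons


def build_sample(subject: str, filename: str, member: str) -> bytes:
    """Constructed test message: a zip holding one harmless placeholder member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder, not an executable")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.test", "b@example.test", subject
    msg.set_content("Something Special!")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample("hi", "BestWishes.zip", "card.exe")))
    print(triage(build_sample("Quarterly report", "report.zip", "report.txt")))
```

A short subject such as "hi" is weak evidence on its own; the combination of a listed attachment name with an executable inside the archive is the stronger signal.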
Once installed, the [email protected] application will carry out the tasks it was programmed to do. Allegedly, one of these tasks is to open a backdoor in the affected machine. This Trojan is composed of three parts, the server, the client, and/or the editor, which allow a hacker to remotely control a computer. The server is installed in the hacker’s computer. This is responsible for communicating with the infected computer through the client. Meanwhile, the client is installed in the compromised machine and receives commands from the hacker. The editor, on the other hand, is an added tool, which allows the attacker to define the capabilities and limitations of the [email protected]