I-Worm.Welyah.a, Win32.HLLM.Shoho, W32/Shoho-Fam, WORM_SHOHO.C, Worm/WelYah, Win32:Shoho, I-Worm/Shoho
Category: Computer Worm
Active & Spreading
Asia, North and South America, and some parts of Europe and Australia
20 Dec 2001
The Shoho worm is a mass-mailing worm written in Visual Basic. It also uses the IFRAME vulnerability that enables Microsoft Outlook to open the attachment automatically.
If you have malware on your computer, it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean the Shoho worm from your computer.
When the Shoho worm is opened, it copies itself to the Windows\System and Windows folders as “Winl0g0n.exe”. Note that the filename contains zeros (0), not the letter “O”. It then adds the value “WINL0G0N C:\windows\WINL0G0N.EXE” to the registry key, which causes the worm to run every time Windows starts. The worm then creates the file “Email.txt” in the same folder as the worm. “Email.txt” is the MIME Base64-encoded version of the worm, and the worm uses this file to send itself. The worm also creates the file “Emailinfo.txt” in the same location. This file is used to save the email addresses that the worm finds on your PC.
The Shoho worm searches your PC for email addresses in files that have the “.mbx”, “.wab”, “.eml”, “.xlt”, “.xls”, and “.mdb” extensions and writes them to the “Emailinfo.txt” file. It then uses its SMTP engine to send itself to those addresses. The email it sends has these features: Subject “Welcome to Yahoo Mail!”, Attachment “Readme.txt.pif”. Note that there can be many blank spaces between the “.txt” and “.pif” file extensions. This is done to trick you into believing that the attachment is just a .txt file when it is actually an executable .pif file. The worm uses the IFRAME vulnerability that enables MS Outlook to open the attachment automatically.
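A mail-gateway check for the padded double-extension attachment name described above, as an added example that is not part of the original write-up. The extension lists, function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Assumed lists (not from the page): extensions Windows runs, and harmless-looking decoys.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".lnk"}
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".pdf", ".xls", ".htm"}
EXT_RE = re.compile(r"\.[A-Za-z0-9]{1,5}$")

def classify_filename(name):
    """Return the reasons an attachment name is suspicious (empty list if none)."""
    name = name.strip()
    real = EXT_RE.search(name)            # the extension Windows actually honours
    if not real or real.group().lower() not in EXECUTABLE_EXTS:
        return []
    reasons = ["executable extension " + real.group().lower()]
    stem = name[:real.start()]
    if stem != stem.rstrip():             # spaces pushing the real extension out of view
        reasons.append("whitespace padding before the real extension")
    decoy = EXT_RE.search(stem.rstrip())  # the extension the user is meant to see
    if decoy and decoy.group().lower() in DECOY_EXTS:
        reasons.append("decoy extension " + decoy.group().lower())
    return reasons

def scan_message(raw):
    """Map each suspicious attachment filename in a raw message to its reasons."""
    findings = {}
    for part in message_from_string(raw).walk():
        reasons = classify_filename(part.get_filename() or "")
        if reasons:
            findings[part.get_filename()] = reasons
    return findings

# Constructed sample; subject and attachment name follow the description above.
SAMPLE = "\n".join([
    "Subject: Welcome to Yahoo Mail!",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "", "--b1", "Content-Type: text/plain", "", "hello",
    "--b1", "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="Readme.txt' + " " * 20 + '.pif"',
    "", "AAAA", "--b1--", "",
])

if __name__ == "__main__":
    for fname, why in scan_message(SAMPLE).items():
        print(repr(fname), "->", "; ".join(why))
```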