Malware type: Worm

Aliases: Backdoor.Win32.GoogBot.a (Kaspersky), W32/Duce.a@MM (McAfee), TR/Agent.80384.4 (Avira),

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Description: 

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.



Malware Overview

This worm may arrive as a file downloaded from a link attachment to email messages.

Upon execution, it drops a copy of itself in the Windows system folder and creates a registry entry to ensure its automatic execution at every system startup

It also overwrites the HOSTS file to disable access to certain security-related Web sites.

It spreads via email by using its own Simple Mail Transfer Protocol (SMTP) engine. Having its own SMTP engine no longer requires it to use other email applications, such as MS Outlook. It gathers email addresses by searching the affected machine for files with certain extensions.

It may also query email addresses from a certain registry key.

The details of the email it sends out are listed here.

Below is a sample of the said email message:

For additional information about this threat, see:
Solution
Technical Details

Description created: Sep. 12, 2007 5:47:05 AM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.