Description:
For an at-a-glance view of this malware's behavior, refer to the Behavior Diagram shown below.

Malware Overview
This worm arrives as an attachment to mass-mailed email messages. Below is a screenshot of the email messages in which this worm arrives:
The main body of the email is actually an image file (*.GIF). Using an image file to carry the actual message text is a technique that allows the message to bypass email filters such as antispam applications. The combined techniques employed by this particular malware increase its chances of evading security filters within a network and eventually ending up in a user's inbox.
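A filter that cannot read the text inside the image can still key on the shape such a message must have. The following is an added example, not part of the original description: a Python heuristic that flags a message with negligible readable text, an image in the body, and a non-image attachment. The 20-character threshold, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage, Message

MIN_TEXT_CHARS = 20  # assumed threshold: less readable text than this counts as "no text"

def triage(msg: Message) -> dict:
    """Summarise one message: readable text length, image parts, non-image attachments."""
    text_chars, images, attachments = 0, [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if part.get_content_disposition() == "attachment" and not ctype.startswith("image/"):
            attachments.append(part.get_filename() or "(unnamed)")
        elif ctype.startswith("image/"):
            images.append(ctype)
        elif ctype in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            text = raw.decode(part.get_content_charset() or "utf-8", "replace")
            if ctype == "text/html":
                text = re.sub(r"<[^>]+>", " ", text)  # markup is not readable text
            text_chars += len("".join(text.split()))  # count non-whitespace characters
    image_only = bool(images) and text_chars < MIN_TEXT_CHARS
    return {"text_chars": text_chars, "images": images, "attachments": attachments,
            "image_only_body": image_only,
            "suspicious": image_only and bool(attachments)}

def build_sample(body: str, subtype: str, image: bool, attachment: bool) -> EmailMessage:
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content(body, subtype=subtype)
    if image:
        m.add_related(b"GIF89a", "image", "gif", cid="<body-image>")
    if attachment:
        m.add_attachment(b"placeholder", "application", "octet-stream",
                         filename="constructed-attachment.bin")
    return m

if __name__ == "__main__":
    html = '<html><body><img src="cid:body-image"></body></html>'
    prose = "Hi, the quarterly figures are attached together with our logo."
    for label, m in [("image body + attachment", build_sample(html, "html", True, True)),
                     ("ordinary mail + attachment", build_sample(prose, "plain", True, True)),
                     ("image body, no attachment", build_sample("see image", "plain", True, False))]:
        print(label, "->", triage(m))
```

The heuristic is a triage signal rather than a verdict: image-only newsletters match the first condition, which is why the attachment is required before a message is marked suspicious.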
It uses the protocol of eDonkey, a P2P application, to download and execute components from other "peers". It creates a file, whose contents are hardcoded in its body, containing the initial list of "peers" to which it can connect. This list gets updated once connections are established.
This worm also drops a file detected by Trend Micro as TROJ_DORF.AA. This dropped Trojan is a rootkit that helps hide this worm's components and activities, making its detection and removal difficult.
For additional information about this threat, see: Solution Technical Details
Description created: Apr. 12, 2007 12:58:40 PM GMT -0800