
I-worm.Energy


I-worm.Energy comes from the Czech Republic and spreads in a rather interesting way. It leaves an infected computer in files attached to email messages. The worm does not spread in just any attachment; it spreads only in those compressed with the RAR program. The worm adds the file SETUP.EXE, which contains a copy of itself, to the archive. When SETUP.EXE is started from an infected archive, the worm copies itself as ENERGY.EXE into the Windows system directory (typically C:\WINDOWS\SYSTEM), which it locates by calling the API function GetSystemDirectory. It then registers itself as a system service and retrieves the addresses of system functions. It enumerates the currently running processes and tries to infect them in the background. If an attacked process uses the library MAPI32.DLL, the worm modifies, for that process, the function MAPISendMail, which is used when sending email. When mail is sent, the worm checks the number of attachments and whether any of them has the extension RAR. Those that do are attacked.
Each copy of the worm contains the following text:

 

[I-Worm.Energy] by Benny/29A.
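
As a triage aid for the behaviour described above, the following added example (not part of the original entry and not ESET code) lists the entry names in a RAR archive and flags one that contains SETUP.EXE. It assumes the RAR 1.5-4.x block layout, does not verify header CRCs, and the helper names and the sample archives it builds are constructed for illustration.

```python
import struct

RAR4_MAGIC = b"Rar!\x1a\x07\x00"   # signature of the RAR 1.5-4.x format (assumed)
FILE_HEAD = 0x74                   # block type of a file header
LONG_BLOCK = 0x8000                # header is followed by ADD_SIZE bytes of data
LARGE_FILE = 0x0100                # header carries extra 64-bit size fields
SUSPECT_NAME = "setup.exe"         # file the worm adds, per the description above

def rar4_names(data):
    """Return the file names stored in a RAR 1.5-4.x archive held in memory."""
    if not data.startswith(RAR4_MAGIC):
        raise ValueError("not a RAR 1.5-4.x archive")
    names, pos = [], len(RAR4_MAGIC)
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7:
            break                  # corrupt header: stop instead of looping forever
        add_size = 0
        if flags & LONG_BLOCK and pos + 11 <= len(data):
            add_size = struct.unpack_from("<I", data, pos + 7)[0]
        if htype == FILE_HEAD and pos + 40 <= len(data):
            name_len = struct.unpack_from("<H", data, pos + 26)[0]
            start = pos + 32
            if flags & LARGE_FILE:  # high 32 bits of the packed size, then name
                add_size |= struct.unpack_from("<I", data, pos + 32)[0] << 32
                start += 8
            raw = data[start:start + name_len].split(b"\x00")[0]
            names.append(raw.decode("latin-1"))
        pos += hsize + add_size
    return names

def has_setup_exe(data):
    """True if any entry's base name is SETUP.EXE (case-insensitive)."""
    return any(n.replace("\\", "/").rsplit("/", 1)[-1].lower() == SUSPECT_NAME
               for n in rar4_names(data))

def build_sample(names):
    """Constructed header-only archive: empty stored files, CRC fields zeroed."""
    out = RAR4_MAGIC + struct.pack("<HBHHHI", 0, 0x73, 0, 13, 0, 0)
    for n in names:
        b = n.encode("ascii") + b"\x00" * 8   # padding keeps short headers parseable
        out += struct.pack("<HBHHIIBIIBBHI", 0, FILE_HEAD, LONG_BLOCK, 32 + len(b),
                           0, 0, 0, 0, 0, 20, 0x30, len(b), 0x20) + b
    return out

if __name__ == "__main__":
    for entries in (["report.doc"], ["report.doc", "SETUP.EXE"]):
        print(entries, "->", has_setup_exe(build_sample(entries)))
```

Legitimate archives can also contain a SETUP.EXE, so a hit is a reason to inspect the archive, not proof of infection.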