Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W32/Matcher@mm.28672

Overview

Threat Risk LOW LOW
Destructivity NONE NONE
Payload
Detection files published 17 Apr 2001 03:00:00
Description created 17 Apr 2001 03:00:00
Description updated 17 Apr 2001 03:00:00
Malware type WORM
Alias
Spreading mechanism EMAIL
Summary None

W32/Matcher@mm.28672

Spreading

This is a massmailing email worm written in Visual Basic 6 that spreads through Outlook. When it is executed it will send itself to email addresses taken from the Outlook Address book.

Payload Details

It installs itself in the registry under the key


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run (default) = \MATCHER.EXE

so that the worm is run every time the machine starts. An additional effect is that the following lines are inserted into the AUTOEXEC.BAT file:



@echo off
echo from: Bugger
pause Thus, machines infected with this worm will show the message from: Buggeron the screen during startup and wait for the user to press a key. Since the worm is started every time the computer is started, this message can be entered repeatedly into AUTOEXEC.BAT.

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:10