I-Worm.Energy comes from the Czech Republic and spreads in a rather interesting way. It spreads from an infected computer by means of files attached to email messages. The worm does not spread in just any attachment; it spreads only in those compressed with the RAR program. The worm adds the file SETUP.EXE, which contains its copy, to the archive file.
When the file SETUP.EXE is started from an infected archive, the worm copies itself as the file ENERGY.EXE into the Windows system directory (typically C:\WINDOWS\SYSTEM), which it locates by calling the API function GetSystemDirectory. Then it registers itself as a system service and obtains the addresses of system functions. It finds the currently running processes and tries to infect them in the background. If an attacked process uses the library MAPI32.DLL, the worm modifies the function MAPISendMail, which is used when sending email, for that process. When mail is sent, the worm checks the number of attachments and whether any of them has the extension RAR. If so, it attacks them.
Each copy of the worm contains the following text:
[I-Worm.Energy] by Benny/29A.
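A defender-side triage check for the behaviour described above, added here as an example and not taken from the original entry: it lists the entries of a RAR 1.5-4.x attachment, flags any entry named SETUP.EXE and looks for the marker text. The function names and the inline sample archive are constructed for illustration, and the parser assumes the classic pre-RAR5 block layout.

```python
import struct

RAR_MAGIC = b"Rar!\x1a\x07\x00"            # RAR 1.5-4.x signature; RAR5 differs
MARKER = b"[I-Worm.Energy] by Benny/29A."  # text the entry says each copy contains
FILE_HEAD, LONG_BLOCK, LARGE, UNICODE = 0x74, 0x8000, 0x0100, 0x0200

def rar_entries(data):
    """Yield (name, packed_size) for each file header in a RAR 1.5-4.x archive."""
    if not data.startswith(RAR_MAGIC):
        raise ValueError("not a RAR 1.5-4.x archive")
    pos = len(RAR_MAGIC)
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7 or pos + hsize > len(data):
            break                           # truncated or corrupt header: stop
        packed = 0
        if (htype == FILE_HEAD or flags & LONG_BLOCK) and hsize >= 11:
            packed, = struct.unpack_from("<I", data, pos + 7)
        start = pos + (40 if flags & LARGE else 32)
        if htype == FILE_HEAD and pos + hsize >= start:
            if flags & LARGE:               # high 32 bits of the packed size
                packed |= struct.unpack_from("<I", data, pos + 32)[0] << 32
            name_len, = struct.unpack_from("<H", data, pos + 26)
            raw = data[start:min(start + name_len, pos + hsize)]
            if flags & UNICODE:             # "ansi\0encoded-unicode": keep ANSI part
                raw = raw.split(b"\0", 1)[0]
            yield raw.decode("latin-1"), packed
        pos += hsize + packed

def triage(data):
    """Flag entries named SETUP.EXE and report whether the marker text is visible."""
    def base(name):
        return name.replace("/", "\\").rsplit("\\", 1)[-1].upper()
    hits = [n for n, _ in rar_entries(data) if base(n) == "SETUP.EXE"]
    # The marker is only visible in raw bytes when the entry is stored uncompressed.
    return {"setup_entries": hits, "marker_found": MARKER in data}

def make_block(name, payload):
    """Constructed test data: a stored file block with CRC fields left at zero."""
    n = name.encode("latin-1")
    body = struct.pack("<IIBIIBBHI", len(payload), len(payload), 0, 0, 0, 20, 0x30, len(n), 0x20) + n
    return struct.pack("<HBHH", 0, FILE_HEAD, LONG_BLOCK, 7 + len(body)) + body + payload

MAIN_HEAD = struct.pack("<HBHH", 0, 0x73, 0, 13) + b"\0" * 6   # constructed archive header
CLEAN = RAR_MAGIC + MAIN_HEAD + make_block("docs\\report.txt", b"hello")
SAMPLE = CLEAN + make_block("SETUP.EXE", b"MZ" + MARKER)       # inert placeholder bytes

if __name__ == "__main__":
    print(triage(SAMPLE))
```

SETUP.EXE is also a common legitimate file name, so a hit is a reason to inspect the archive further, not a verdict.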
© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.