W32.HLLW.Indor.E@mm

W32.HLLW.Indor.E@mm is a mass-mailing worm that uses Microsoft Outlook to send a zipped copy of itself to all the contacts in the Microsoft Outlook Address Book. When W32.HLLW.Indor.E@mm runs, it displays a fake message that states "Error in file #1: bad Zip file offset (Error local header signature not found): disk #1 offset: 68669733"

W32.HLLW.Indor.E@mm can also spread through network drives, floppy disks, the KaZaA file-sharing network, and mIRC.

The email has the following characteristics:

Subject: The subject line is one of the following:

• Your verification is required Confirm FFA submission and receive 1000 Credit
• Your Success Is Guranteed!
• You are Losing Income
• WHY NOT CHECK IT OUT? IT'S FREE!
• Free Software, Download it now !!
• Free MP3, OGG/VORBIS Hit Songs !!
• Download DVD Movie Now !! Its Free..!
• URGENT: Please Verify Your Submission Confirm FFA submission !!
• The E.A.S.E System Can Make You Money At Home!!
• Thank You !
• Re: Your Daily Report
• Re: Web Site Report
• WE send the TRAFFIC, YOU make the SALES!
• Thank You For Your Subscription - Confirmation
• Need a quick $100 today?
• Confirmation Email - Required !

Attachment: The attachment, which is a zipped copy of the worm, is one of the following:

• SaveNow.zip
• Report.zip
• Bonus.zip
• FFA.zip
• FreeJoin.zip

This threat is written in the Microsoft Visual Basic programming language.

Protection

• Initial Rapid Release version July 17, 2003
• Latest Rapid Release version July 19, 2008 revision 019
• Initial Daily Certified version July 17, 2003
• Latest Daily Certified version January 20, 2009 revision 048
• Initial Weekly Certified release date July 23, 2003

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Low

Distribution

• Distribution Level: High