Email-Worm.Win32.Buchon.c

Class: Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website). In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated. Email-Worms use a range of methods to send infected emails. The most common are: using a direct connection to a SMTP server using the email directory built into the worm’s code using MS Outlook services using Windows MAPI functions. Email-Worms use a number of different sources to find email addresses to which infected emails will be sent: the address book in MS Outlook a WAB address database .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses emails in the inbox (some Email-Worms even “reply” to emails found in the inbox) Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.

Read more

Platform: Win32

Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. One of the most widespread programming platforms in the world.

Family: Buchon

No family description

Examples

1AFCBFDD605E41EFA1A54E5B5DD8F5DB
5BE99119F6889DCEFB8913C4975933D3
5C2A5D73EEFE3A7DE5A541A3246AA36A
65473C38B9FA5534B9FCB091B89F97CE
D1245693B4F7BCF8D885A33505DD5991

Tactics and Techniques: Mitre*

* © 2025 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.