| Type | Mass mailer worm |
| Place of Origin | |
| Infection Length | 28,672 bytes |
All3gro arrives in an email with a subject line of "New antivirus tool" and an attachment named "Antivirus.exe". The message body is "Hey, checkout this new antivirus tool which checks your system for viruses".
When All3gro is executed, it copies itself to the system folder as Setup30.exe. It registers this file under the value name "Kernel Setup" in the local machine Run key, ensuring it starts every time Windows does. The worm looks for email addresses stored on the system and uses Messaging Application Programming Interface (MAPI) commands to send emails with copies of itself.
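The persistence described above can be checked on a host with a short PowerShell script. This is an added example, not part of the original write-up; it uses only the value name, file name and size given on this page. The function name `Find-All3groIndicators` is hypothetical, and checking the 32-bit (WOW6432Node / SysWOW64) views on 64-bit Windows is an assumption beyond what the page states.

```powershell
# Added example: indicators are the ones named in the description above.
$ValueName = 'Kernel Setup'   # Run-key value name
$FileName  = 'Setup30.exe'    # copy dropped in the system folder
$ExpectedLength = 28672       # infection length in bytes

function Find-All3groIndicators {
    # Local machine Run key; the WOW6432Node view is an assumption for 64-bit hosts.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    $providerProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        if ($null -eq $props) { continue }          # key exists but has no values
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            $nameHit = $p.Name -eq $ValueName
            $dataHit = "$($p.Value)" -match [regex]::Escape($FileName)
            if ($nameHit -or $dataHit) {
                [pscustomobject]@{
                    Kind = 'RunValue'; Location = $key
                    Name = $p.Name;   Detail   = "$($p.Value)"
                }
            }
        }
    }

    # System folder, plus the 32-bit system folder where one exists.
    $dirs = [Environment]::GetFolderPath('System'),
            [Environment]::GetFolderPath('SystemX86') |
            Where-Object { $_ } | Select-Object -Unique
    foreach ($dir in $dirs) {
        $path = Join-Path $dir $FileName
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $file = Get-Item -LiteralPath $path -Force
            # A size match strengthens the finding; the file name alone is weak evidence.
            [pscustomobject]@{
                Kind = 'File'; Location = $dir; Name = $file.Name
                Detail = "Length=$($file.Length); SizeMatches=$($file.Length -eq $ExpectedLength)"
            }
        }
    }
}

$findings = @(Find-All3groIndicators)
if ($findings.Count -eq 0) { 'No All3gro indicators found.' } else { $findings | Format-List }
```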
All3gro never became widespread. Although it did delete some files associated with certain worms, its claim to be antivirus software was dismissed as simply a social engineering tactic.
Peter Szor. Symantec, W32.Allgro@mm. 2007.02.13
John Leyden. The Register, Virus poses as antivirus utility. 2001.08.21