W32/Mabutu-A is an email worm and IRC backdoor Trojan.
W32/Mabutu-A copies itself to the Windows folder under a random filename with an EXE extension. The random name is generated by searching the Windows folder for a file with a DLL extension and prepending a random character to that file's name. W32/Mabutu-A also drops a file with a DLL extension whose name is generated in the same way; the dropped DLL is also detected as W32/Mabutu-A.
W32/Mabutu-A sets the following registry entry so as to run the dropped DLL on system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
winupdt = "RUNDLL32.EXE <Dropped Dll Name>,_mainRD"
W32/Mabutu-A creates a log file CFG.DAT in the Windows folder.
W32/Mabutu-A may set the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
enableautodial = 1
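The naming rule, the RUNDLL32 Run value and the CFG.DAT log file described above give a host-triage analyst three things to look for. The following script is an added example (not part of the advisory and not Sophos code) that turns them into checks run over a directory listing of the Windows folder and the values of the HKLM Run key. It assumes those two inputs have already been collected (for example from a forensic image); the sample listing and Run values are constructed for illustration, and the "one character prepended to an existing DLL name" heuristic is an assumption about how the random-name rule manifests on disk.

```python
import re

# Constructed sample data (not taken from a real host): a Windows-folder listing
# in which the worm's naming rule has produced XTWAIN.EXE / XTWAIN.DLL from the
# legitimate TWAIN.DLL, plus the CFG.DAT log the advisory describes.
SAMPLE_WINDOWS_LISTING = [
    "NOTEPAD.EXE", "EXPLORER.EXE", "WIN.INI",
    "TWAIN.DLL", "TWAIN_32.DLL",
    "XTWAIN.DLL", "XTWAIN.EXE",
    "CFG.DAT",
]

# Constructed sample of HKLM\...\CurrentVersion\Run values (value name -> data).
SAMPLE_RUN_VALUES = {
    "winupdt": "RUNDLL32.EXE XTWAIN.DLL,_mainRD",
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
}

# RUNDLL32 invoking any DLL's _mainRD export, as in the advisory's Run value.
# The optional leading path allows a fully qualified RUNDLL32.EXE as well.
RUN_VALUE_PATTERN = re.compile(
    r"^\s*(?:.*\\)?RUNDLL32(?:\.EXE)?\s+(\S+?),_mainRD\s*$", re.IGNORECASE
)


def find_prepended_name_files(listing):
    """Flag EXE/DLL names formed by putting one character in front of an
    existing DLL's name (assumed heuristic for the advisory's naming rule).

    Returns sorted (flagged_name, source_dll) pairs, names upper-cased.
    """
    names = {n.upper() for n in listing}
    dll_stems = {n[:-4] for n in names if n.endswith(".DLL")}
    hits = []
    for name in sorted(names):
        if not name.endswith((".EXE", ".DLL")):
            continue
        stem = name[:-4]
        if len(stem) >= 2 and stem[1:] in dll_stems:
            hits.append((name, stem[1:] + ".DLL"))
    return hits


def find_mabutu_run_values(run_values):
    """Return (value_name, dll_name) for Run values of the form
    RUNDLL32 <dll>,_mainRD; the DLL name is reduced to its basename, upper-cased."""
    hits = []
    for value_name, data in run_values.items():
        match = RUN_VALUE_PATTERN.match(data)
        if match:
            dll = match.group(1).split("\\")[-1].upper()
            hits.append((value_name, dll))
    return hits


def assess_host(listing, run_values):
    """Combine the checks into a list of findings; an empty list means nothing matched."""
    findings = []
    flagged = find_prepended_name_files(listing)
    flagged_names = {name for name, _ in flagged}
    for name, source in flagged:
        findings.append(f"{name} looks like a one-character prefix of {source}")
    for value_name, dll in find_mabutu_run_values(run_values):
        # A Run value that points at one of the flagged files corroborates both checks.
        note = " (matches a flagged file)" if dll in flagged_names else ""
        findings.append(f"Run value {value_name!r} loads {dll} via _mainRD{note}")
    if "CFG.DAT" in {n.upper() for n in listing}:
        findings.append("CFG.DAT present in the Windows folder")
    return findings


if __name__ == "__main__":
    for line in assess_host(SAMPLE_WINDOWS_LISTING, SAMPLE_RUN_VALUES):
        print(line)
```

The filename heuristic on its own will produce false positives on a real system, since legitimately named files can differ from a DLL by one leading character; the Run-value check is the stronger signal, and a Run value whose DLL is also one of the flagged files is what an analyst should treat as corroboration.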
W32/Mabutu-A harvests email addresses from files on the host computer with the following extensions:
WAB
HTM
HTML
TXT
W32/Mabutu-A ignores addresses containing the following strings:
kaspers
avp
virus
syman
panda
sopho
bitdef
trendmicro
nai.c
eeye
neohapsis
secur
ntbugtraq
secunia
microsoft
spam
where
admin
webmaster
mailer
mailing
postmaster
someone
somebody
noone
nobody
anyone
nothing
info
abuse
contact
service
support
secur
spam
register
news
subscription
confirm
.edu
W32/Mabutu-A sends itself as an email attachment with a ZIP or SCR extension.
W32/Mabutu-A attempts to gather information related to MSN Messenger from the infected computer.
W32/Mabutu-A also attempts to send gathered information to remote users via IRC channels.
W32/Mabutu-A may download a file from a remote location to C:\UPDATE.DLL.