W32/Myfip-C is a worm from the W32/Myfip family that spreads using network shares that are either unprotected or protected only by weak passwords.
W32/Myfip-C is a worm from the W32/Myfip family that spreads using network shares that are either unprotected or protected only by weak passwords.
The worm copies itself to the file kernel32dll.exe in the Windows system folder on the local machine. Copies on network shares can be called worm.txt.exe or dfsvc.exe.
W32/Myfip-C may also create files named temp.exe (detected by Sophos as W32/Myfip-A) and temp.txt (harmless).
The worm attempts to register itself as a service process with the ServiceName and DisplayName "Distributed Link Tracking Extensions".
W32/Myfip-C creates the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Distributed File System = "kernel32dll.exe"
W32/Myfip-C builds a list of all filenames whose path does not contain any of the following strings:
Winnt
Windows
I386
Program Files
All Users
Recycler
System Volume Information
Inetpub
Documents and Settings
Wutemp
My Music
The worm then sends the contents of each file to a preconfigured IP address.