Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | April 2007 (4.16) |
| Protection available since | 1 March 2007 06:46:09 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
More Information
W32/Mabutu-B is an email worm for the Windows platform.
W32/Mabutu-B copies itself to the Windows folder using a random filename with an EXE extension, generating the random name by searching for a file with a DLL extension in the Windows folder and prepending a random character. W32/Mabutu-B also drops a file with a DLL extension using the same random name generation and the dropped DLL is also detected as W32/Mabutu-B.
W32/Mabutu-B sets the following registry entry so as to run the dropped DLL on system startup:

```
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
winupdt
"RUNDLL32.EXE <Dropped Dll Name>,_mainRD"
```
W32/Mabutu-B creates a log file CFG.DAT in the Windows folder and may create another log file with a DAT extension and a random filename generated in the same way as the others.
W32/Mabutu-B may set the following registry entry:

```
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
enableautodial
0
```
W32/Mabutu-B harvests email addresses from files on the host computer with the following extensions:

- WAB
- HTM
- HTML
- TXT
W32/Mabutu-B also attempts to harvest addresses from MSN Messenger.
W32/Mabutu-B sends itself as an email attachment with a ZIP or SCR extension.
W32/Mabutu-B attempts to gather information from the infected computer and send it to remote users via IRC channels.
W32/Mabutu-B may download and execute a file from a remote location to C:\UPDATE.DLL.
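The two indicators above that survive the random naming (the `_mainRD` Run-key launcher and the matching random-name EXE/DLL pair next to the DLL whose name was copied) can be checked offline against data already collected from a host. The helper below is an added example, not part of the Sophos analysis; it assumes the random character is prepended to the DLL's base name rather than the full filename, and takes a Windows-folder listing and Run-key values as plain Python objects, so it runs anywhere.

```python
"""Offline triage helpers for the W32/Mabutu-B indicators described above."""
import re

# Run-key data the worm sets (from the description): RUNDLL32.EXE <dll>,_mainRD
RUNDLL_MAINRD = re.compile(
    r'^\s*"?rundll32(?:\.exe)?"?\s+(?P<dll>[^,\s]+),_mainRD"?\s*$', re.IGNORECASE
)


def suspicious_run_values(run_key_values):
    """run_key_values: dict of value name -> data read from
    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.
    Returns (value name, dll) pairs whose data launches a DLL through the
    _mainRD export, regardless of the (random) DLL name or value name."""
    hits = []
    for name, data in run_key_values.items():
        m = RUNDLL_MAINRD.match(data)
        if m:
            hits.append((name, m.group("dll")))
    return hits


def suspicious_random_names(windows_dir_listing):
    """windows_dir_listing: iterable of filenames from the Windows folder.
    The worm copies itself to <c><name>.exe and drops <c><name>.dll, where
    <name>.dll already exists in the folder and <c> is one random character.
    Assumption (not stated on the page): <c> is prepended to the base name.
    Returns the random base names for which the EXE+DLL pair and the source
    DLL all exist; the CFG.DAT log is reported separately as a fixed name."""
    names = {f.lower() for f in windows_dir_listing}
    dll_bases = {n[:-4] for n in names if n.endswith(".dll")}
    flagged = []
    for base in sorted(dll_bases):
        if len(base) >= 2 and base[1:] in dll_bases and base + ".exe" in names:
            flagged.append(base)
    return flagged


def fixed_name_indicators(windows_dir_listing):
    """Fixed filename from the description that needs no pattern matching."""
    names = {f.lower() for f in windows_dir_listing}
    return sorted(n for n in ("cfg.dat",) if n in names)


if __name__ == "__main__":
    # Constructed sample data, not taken from a real infection.
    listing = ["kernel32.dll", "msvcrt.dll", "qmsvcrt.exe", "qmsvcrt.dll",
               "qmsvcrt.dat", "cfg.dat", "notepad.exe"]
    run_values = {"winupdt": "RUNDLL32.EXE qmsvcrt.dll,_mainRD",
                  "ctfmon": r"C:\Windows\system32\ctfmon.exe"}
    print(suspicious_run_values(run_values), suspicious_random_names(listing),
          fixed_name_indicators(listing))
```

A hit from `suspicious_random_names` alone is a heuristic and should be confirmed by scanning the flagged files; the `_mainRD` launcher is the stronger signal.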
