Summary
| Affected operating systems | Windows |
|---|---|
| Included in our products from | January 2006 (4.01) |
| Protection available since | 28 July 2004 08:35:24 (GMT) |
| Last updated | 17 November 2005 13:24:08 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
- Delete the log file CFG.DAT in the Windows folder.
- Change any data that may have become compromised.
The registry entry HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\enableautodial = 1 enables autodial. To disable autodial again, change the value from '1' to '0'.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
winupdt = "RUNDLL32.EXE <Dropped Dll Name>,_mainRD"
and delete it if it exists.
Close the registry editor.
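The following PowerShell script is an added defender's check, not Sophos tooling and not part of the original page. It audits a host for the indicators this page describes (the winupdt Run value, the CFG.DAT log file, the enableautodial setting, the C:\UPDATE.DLL download and the randomly named EXE/DLL pair in the Windows folder) and, when run with -Remediate, performs the removal steps above: it exports the Run key as a backup, deletes the winupdt value, resets enableautodial to 0 and removes CFG.DAT. The -Remediate switch, the backup path and the EXE/DLL pairing heuristic are assumptions of this example.

```powershell
# Added example: audit for W32/Mabutu-A indicators and optionally remediate.
# Run from an elevated PowerShell prompt. Not Sophos code.
[CmdletBinding()]
param(
    [switch]$Remediate,                                   # assumed: apply the removal steps
    [string]$BackupPath = "$env:TEMP\Run-key-backup.reg"  # assumed backup location
)

$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runKeyCli = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$inetKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$logFile  = Join-Path $env:WINDIR 'CFG.DAT'
$download = 'C:\UPDATE.DLL'
$findings = @()

# 1. Run value 'winupdt' launching RUNDLL32.EXE <Dropped Dll Name>,_mainRD
$winupdt = (Get-ItemProperty -Path $runKey -Name 'winupdt' -ErrorAction SilentlyContinue).winupdt
if ($winupdt -and $winupdt -match '(?i)rundll32\.exe\s+\S+,_mainRD') {
    $findings += "Run value winupdt = $winupdt"
    # The DLL named in the value is itself detected as W32/Mabutu-A; report it for quarantine.
    $dll = ($winupdt -replace '(?i)^\s*rundll32\.exe\s+', '') -replace ',_mainRD.*$', ''
    $findings += "Dropped DLL referenced by the Run value: $dll"
    if ($Remediate) {
        # Back up the key before editing it, as the removal instructions advise.
        reg.exe export $runKeyCli $BackupPath /y | Out-Null
        Remove-ItemProperty -Path $runKey -Name 'winupdt'
        $findings += "Removed winupdt (backup written to $BackupPath)"
    }
}

# 2. enableautodial = 1 under Internet Settings (value names are case-insensitive)
$autodial = (Get-ItemProperty -Path $inetKey -Name 'enableautodial' -ErrorAction SilentlyContinue).enableautodial
if ($autodial -eq 1) {
    $findings += "enableautodial = 1 under $inetKey"
    if ($Remediate) {
        Set-ItemProperty -Path $inetKey -Name 'enableautodial' -Value 0 -Type DWord
        $findings += 'Reset enableautodial to 0'
    }
}

# 3. The CFG.DAT log file in the Windows folder (deleted on remediation) and the
#    optional C:\UPDATE.DLL download (reported only; leave it for the scanner).
foreach ($path in @($logFile, $download)) {
    if (Test-Path -LiteralPath $path) {
        $findings += "File present: $path"
        if ($Remediate -and $path -eq $logFile) {
            Remove-Item -LiteralPath $path -Force
            $findings += "Deleted $path"
        }
    }
}

# 4. Heuristic for the worm's randomly named copy: an EXE in the Windows folder whose
#    name is an existing DLL's name with one character prepended, with a DLL of the
#    same new name dropped beside it. This is an assumption of the example and can
#    produce false positives; treat a hit as a lead for a full scan, not as proof.
foreach ($exe in (Get-ChildItem -Path $env:WINDIR -Filter '*.exe' -File -ErrorAction SilentlyContinue)) {
    $base = $exe.BaseName
    if ($base.Length -gt 1) {
        $origDll = Join-Path $env:WINDIR ($base.Substring(1) + '.dll')
        $twinDll = Join-Path $env:WINDIR ($base + '.dll')
        if ((Test-Path -LiteralPath $origDll) -and (Test-Path -LiteralPath $twinDll)) {
            $findings += "Suspicious pair: $($exe.FullName) and $twinDll (name derived from $origDll)"
        }
    }
}

if ($findings.Count -eq 0) {
    'No W32/Mabutu-A indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Run it once without -Remediate to see what it finds, then again with -Remediate after a full scan has quarantined the worm's EXE and DLL copies. The script does not cover the page's last step, changing any data that may have been compromised (MSN Messenger details and anything else exfiltrated over IRC), which has to be done by hand.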
More Information
W32/Mabutu-A is an email worm and IRC backdoor Trojan.
W32/Mabutu-A copies itself to the Windows folder using a random filename with an EXE extension, generating the random name by searching for a file with a DLL extension in the Windows folder and prepending a random character. W32/Mabutu-A also drops a file with a DLL extension using the same random name generation and the dropped DLL is also detected as W32/Mabutu-A.
W32/Mabutu-A sets the following registry entry so as to run the dropped DLL on system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
winupdt = "RUNDLL32.EXE <Dropped Dll Name>,_mainRD"
W32/Mabutu-A creates a log file CFG.DAT in the Windows folder.
W32/Mabutu-A may set the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
enableautodial = 1
W32/Mabutu-A harvests email addresses from files on the host computer with the following extensions:
- WAB
- HTM
- HTML
- TXT
W32/Mabutu-A ignores addresses containing the following strings:
- kaspers
- avp
- virus
- syman
- panda
- sopho
- bitdef
- trendmicro
- nai.c
- eeye
- neohapsis
- secur
- ntbugtraq
- secunia
- microsoft
- spam
- where
- admin
- webmaster
- mailer
- mailing
- postmaster
- someone
- somebody
- noone
- nobody
- anyone
- nothing
- info
- abuse
- contact
- service
- support
- secur
- spam
- register
- news
- subscription
- confirm
- .edu
W32/Mabutu-A sends itself as an attachment to an email with a ZIP or SCR extension.
W32/Mabutu-A attempts to gather information related to MSN Messenger from the infected computer.
W32/Mabutu-A also attempts to send gathered information to remote users via IRC channels.
W32/Mabutu-A may download a file from a remote location to C:\UPDATE.DLL
