Win32.Mabutu.A@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Mabutu.A@mm is also known as W32.Mota.A@mm.
Explanation:
The worm comes by mail, with the following characteristics:
The message subject may be one of:
Sex
I'm in love
Important
Hello
Wet girls
I'm nude
Fetishes
The message sender address is spoofed.
The message has an attachment with one of the following names:
message
document
details
creme_de_gruyere
gutted
photo
jennifer
britney
with the extension SCR, or ZIP in the case of an archived copy.
The attachment may also carry a double extension: .jpg or .txt, followed by a
long sequence of spaces, and then .scr (this occurs when the mail is sent with the worm in an archive).
Once executed, the worm copies itself to the %WinDir% directory under a random name made of random letters
followed by "TWAIN.EXE" (e.g. ATWAIN.EXE, QWETWAIN.EXE). It also drops the main worm component, a DLL named in
the same manner (e.g. UTWAIN.DLL), and then starts it using rundll.exe.
It checks whether a copy is already running by means of a named mutex.
It harvests email addresses from the infected computer, looking in the WAB, TXT, HTML and HTM files.
The worm creates the following registry value so as to run each time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\winupd = Rundll32.exe %WinDir%\*twain.dll, _mainRD
Last update 21 November 2011
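The indicators above (the attachment names and the padded double extension, the random-letters-plus-TWAIN file names in %WinDir%, and the winupd Run value) can be turned into a small triage check. The following Python is an added example written for this page, not BitDefender's code or any detection signature from the original entry; it runs over constructed sample input, and the minimum run of eight spaces used to recognise the padded double extension is an assumed threshold, not a value from the description.

```python
import re
from typing import Dict, List

# Attachment base names listed in the description (page data).
MABUTU_ATTACHMENT_NAMES = {
    "message", "document", "details", "creme_de_gruyere",
    "gutted", "photo", "jennifer", "britney",
}

# .jpg or .txt, a long run of spaces, then .scr (page data).
# The minimum of 8 spaces is an assumed threshold, not a page value.
PADDED_DOUBLE_EXT = re.compile(r"\.(jpg|txt) {8,}\.scr$", re.IGNORECASE)

# Dropped files: random letters + TWAIN.EXE / TWAIN.DLL (page data).
# At least one prefix letter is required so the legitimate twain.dll and
# twain_32.dll shipped with Windows are not matched.
TWAIN_DROP = re.compile(r"^[a-z]+twain\.(exe|dll)$", re.IGNORECASE)

# Run value: winupd = Rundll32.exe %WinDir%\*twain.dll, _mainRD (page data);
# the '*' stands for the random letters, and the space after the comma may vary.
RUN_VALUE_NAME = "winupd"
RUN_DATA = re.compile(r"rundll32\.exe\s+.*twain\.dll\s*,\s*_mainRD", re.IGNORECASE)


def classify_attachment(filename: str) -> List[str]:
    """Return the reasons an attachment name matches the worm's mail pattern."""
    reasons = []
    lower = filename.lower()
    if PADDED_DOUBLE_EXT.search(lower):
        reasons.append("padded double extension ending in .scr")
    base, _, ext = lower.rpartition(".")
    if ext in ("scr", "zip") and base in MABUTU_ATTACHMENT_NAMES:
        reasons.append(f"known Mabutu attachment name with .{ext}")
    return reasons


def is_mabutu_run_value(value_name: str, value_data: str) -> bool:
    """Match the persistence entry under HKLM\\...\\Run described for the worm."""
    return value_name.lower() == RUN_VALUE_NAME and bool(RUN_DATA.search(value_data))


def is_mabutu_dropped_file(path: str) -> bool:
    """Match the random-letters + TWAIN.EXE/.DLL naming of the dropped files."""
    filename = path.replace("\\", "/").rsplit("/", 1)[-1]
    return bool(TWAIN_DROP.match(filename))


def scan(attachments, run_values, windir_files) -> Dict[str, List[str]]:
    """Collect every indicator hit from the three input sources."""
    findings: Dict[str, List[str]] = {"attachments": [], "run_values": [], "files": []}
    for a in attachments:
        if classify_attachment(a):
            findings["attachments"].append(a)
    for name, data in run_values.items():
        if is_mabutu_run_value(name, data):
            findings["run_values"].append(name)
    for f in windir_files:
        if is_mabutu_dropped_file(f):
            findings["files"].append(f)
    return findings


# Constructed sample input (not captured from a real infection).
SAMPLE_ATTACHMENTS = [
    "britney.scr",
    "photo.jpg                                .scr",
    "details.zip",
    "invoice.pdf",
    "report.txt",
]
SAMPLE_RUN_VALUES = {
    "winupd": r"Rundll32.exe C:\WINDOWS\QWETWAIN.DLL,_mainRD",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_WINDIR_FILES = [
    r"C:\WINDOWS\ATWAIN.EXE",
    r"C:\WINDOWS\UTWAIN.DLL",
    r"C:\WINDOWS\twain.dll",
    r"C:\WINDOWS\twain_32.dll",
    r"C:\WINDOWS\explorer.exe",
]

if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_ATTACHMENTS, SAMPLE_RUN_VALUES, SAMPLE_WINDIR_FILES).items():
        print(kind, hits)
```

On a live host the three lists would come from the mail gateway's attachment log, the Run key read with winreg, and a listing of %WinDir%; the file-name check is deliberately strict so that the genuine twain.dll and twain_32.dll in the Windows directory never trigger it, and the attachment name check is only meaningful together with the .scr or .zip extension, since names such as "message" or "photo" are common on their own.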