Are we protected against W32.Mota.B@mm?

When W32.Mota.B@mm runs, it does the following:

1. Copies itself as %Windir%\<random value>.exe (27,136 bytes).

2. Creates the following files:
* %Windir%\<random value>.dll (39,936 bytes)
* %WinDir%\CFG.DAT

Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and creates the files in that location.

3. Adds the value:

"winupdt"="RUNDLL32.EXE %Windir%\[random value].dll,_mainRD"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you restart Windows.

4. Connects to one of following IRC servers using port 6667:
* chat1.voila.fr
* austin.tx.us.undernet.org
* mesa.az.us.undernet.org
* surrey.uk.eu.undernet.org
* stockholm.se.eu.undernet.org
* moscow.ru.eu.undernet.org
* haarlem.nl.eu.undernet.org
* amsterdam.nl.eu.undernet.org
* amsterdam2.nl.eu.undernet.org
* quebec.qu.ca.undernet.orggraz2.at.eu.undernet.org
* toronto.on.ca.undernet.org
* montreal.qu.ca.undernet.org
* vancouver.bc.ca.undernet.org
* graz.at.eu.undernet.org
* london.uk.eu.undernet.org
* brussels.be.eu.undernet.org
* diemen.nl.eu.undernet.org
* oslo.no.eu.undernet.org
* flanders.be.eu.undernet.org
* lulea.se.eu.undernet.org
* los-angeles.ca.us.undernet.org
* phoenix.az.us.undernet.org
* washington.dc.us.undernet.org
* atlanta.ga.us.undernet.org
* manhattan.ks.us.undernet.org
* baltimore.md.us.undernet.org
* lasvegas.nv.us.undernet.org
* newyork.ny.us.undernet.org
* dallas.tx.us.undernet.org
* saltlake.ut.us.undernet.org
* arlington.va.us.undernet.org
* auckland.nz.undernet.org
* ann-arbor.mi.us.undernet.org
* newbrunswick.nj.us.undernet.org
* plano.tx.us.undernet.org
* mclean.va.us.undernet.org
* caen.fr.eu.undernet.org

5. Gathers the email addresses from the Windows Address Book and from the files that have file names containing any of the following strings:
* HTM
* HTML
* WAB
* TXT

6. Uses its own SMTP engine to send itself to the email addresses that it finds.

The email has the following characteristics:

From: The sender of the email may be spoofed.

Subject: The subject line may be one of the following:
o Hi
o Hello
o Important
o I'm in love
o Sex
o Wet girls
o I'm nude
o Fetishes
o gutted
o Ok ****

Attachment: The attachment may have one of the following extensions:
+ britney.jpg
+ jenifer.jpg
+ photo.jpg
+ creme_de_gruyere.jpg
+ details
+ document
+ message

followed with .scr or .txt.

The attachment may have multiple spaces.

For example, the attachment can be:

creme_de_gruyere.jpg(multiple spaces).SCR

The worm may also send a .zip file as the attachment.


recommendations

 

Symantec is the only company creating confusion with this virus as they are the only ones calling it Win32.Mota.B, everyone else is calling it Mabutu, Frisk calls it Mabuto.

I-Worm.Mabutu.a

Aliases
I-Worm.Mabutu.a (Kaspersky Lab) is also known as: W32/Mabutu.a@MM (McAfee), W32.Mota.B@mm (Symantec), Win32.HLLM.Mabutu (Doctor Web), W32/Mabutu-A (Sophos), Win32/Mabutu.A@mm (RAV), Worm/Mabutu.A (H+BEDV), W32/Mabuto.B@mm (FRISK), Win32:Mabutu-Dll (ALWIL), I-Worm/Mabutu.A (Grisoft), Win32.Mabutu.B@mm (SOFTWIN), Worm.Mabutu.A.3 (ClamAV), W32/Mabutu.A.worm (Panda), Win32/Mabutu.A (Eset)
Behavior Email Worm
Technical Details

This worm spreads via the Internet as an attachment to infected messages. It sends messages to all email addresses harvested from the victim computer.

The worm itself is a Windows PE EXE file approximately 33KB in size, packed using UPX. The unpacked file is approximately 65KB in size.

The worm contains a backdoor, which receives commands via IRC channels.
Installation

During installation the worm copies itself as "<random name>.exe" to the Windows root directory, for example:

C:\%windir%\<random name>.exe

It also creates the following files in the Windows root directory:

C:\%windir%\<random name>.dll
C:\%windir%\cfg.dat

Then the worm registers the .dll file it has created in the system registry as a key to enable auto-run:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
'winupdt' = "RUNDLL32.EXE %WinDir%\<random name>.dll"

Propagation via email

The worm scans MS Windows address books for email addresses, and all files with the following extensions:

.htm
.html
.txt
.wab

Messages are not sent to addresses containing the following text strings:

abuse
admin
anyone
Avp
bitdef
confirm
contact
eeye
info
kaspers
mailer
mailing
microsoft
nai.c
neohapsis
news
nobody
noone
nothing
ntbugtraq
panda
postmaster
register
secunia
secur
service
somebody
someone
sopho
spam
subscription
support
syman
trendmicro
virus
webmaster
where

The worm establishes a direct connection to the recipient's SMTP server in order to send messages.
Infected messages
Message subject (chosen from the list below):

britney.jpg
creme_de_gruyere.jpg
details
document
Fetishes
gutted
Hello
Hi
I'm in love
I'm nude
Important
jenifer.jpg
message
Ok ****
photo.jpg
Sex
Wet girls

The attachment may have one or more extensions from the following list:

.scr
.txt
.zip

Remote Administration

Mabutu.a makes it possible for a malicious remote user to receive information harvested from the victim machine via IRC channels.

The worm opens TCP port 6667 on the victim machine in order to establish a connection to one of the following IRC servers:

amsterdam.nl.eu.undernet.org
amsterdam2.nl.eu.undernet.org
ann-arbor.mi.us.undernet.org
arlington.va.us.undernet.org
atlanta.ga.us.undernet.org
auckland.nz.undernet.org
austin.tx.us.undernet.org
baltimore.md.us.undernet.org
brussels.be.eu.undernet.org
caen.fr.eu.undernet.org
chat1.voila.fr
dallas.tx.us.undernet.org
diemen.nl.eu.undernet.org
flanders.be.eu.undernet.org
graz.at.eu.undernet.org
haarlem.nl.eu.undernet.org
lasvegas.nv.us.undernet.org
london.uk.eu.undernet.org
los-angeles.ca.us.undernet.org
lulea.se.eu.undernet.org
manhattan.ks.us.undernet.org
mclean.va.us.undernet.org
mesa.az.us.undernet.org
montreal.qu.ca.undernet.org
moscow.ru.eu.undernet.org
newbrunswick.nj.us.undernet.org
newyork.ny.us.undernet.org
oslo.no.eu.undernet.org
phoenix.az.us.undernet.org
plano.tx.us.undernet.org
quebec.qu.ca.undernet.orggraz2.at.eu.undernet.org
saltlake.ut.us.undernet.org
stockholm.se.eu.undernet.org
surrey.uk.eu.undernet.org
toronto.on.ca.undernet.org
vancouver.bc.ca.undernet.org
washington.dc.us.undernet.org

Nod has detected it since 7/28/04 1.825

NOD32 - v.1.825 (2004072
Virus signature database updates:
.....Win32/Katien.NAA, Win32/KillFiles.FC, Win32/KillProc.D, Win32/Krepper.A, Win32/Lixy.H, Win32/Loony.O, Win32/Mabutu.A, ....

 

If it is indeed Mabutu (sp?), then yes we are protected. NOD has been picking that up on my machine for some time now.

Neil