Are we protected against W32.Mota.B@mm?

Discussion in 'NOD32 version 2 Forum' started by tempnexus, Dec 14, 2004.

Thread Status:
Not open for further replies.
  1. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    When W32.Mota.B@mm runs, it does the following:

    1. Copies itself as %Windir%\<random value>.exe (27,136 bytes).

    2. Creates the following files:
    * %Windir%\<random value>.dll (39,936 bytes)
    * %WinDir%\CFG.DAT

    Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and creates the files in that location.

    3. Adds the value:

    "winupdt"="RUNDLL32.EXE %Windir%\[random value].dll,_mainRD"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you restart Windows.

    4. Connects to one of following IRC servers using port 6667:
    * chat1.voila.fr
    * austin.tx.us.undernet.org
    * mesa.az.us.undernet.org
    * surrey.uk.eu.undernet.org
    * stockholm.se.eu.undernet.org
    * moscow.ru.eu.undernet.org
    * haarlem.nl.eu.undernet.org
    * amsterdam.nl.eu.undernet.org
    * amsterdam2.nl.eu.undernet.org
    * quebec.qu.ca.undernet.org
    * graz2.at.eu.undernet.org
    * toronto.on.ca.undernet.org
    * montreal.qu.ca.undernet.org
    * vancouver.bc.ca.undernet.org
    * graz.at.eu.undernet.org
    * london.uk.eu.undernet.org
    * brussels.be.eu.undernet.org
    * diemen.nl.eu.undernet.org
    * oslo.no.eu.undernet.org
    * flanders.be.eu.undernet.org
    * lulea.se.eu.undernet.org
    * los-angeles.ca.us.undernet.org
    * phoenix.az.us.undernet.org
    * washington.dc.us.undernet.org
    * atlanta.ga.us.undernet.org
    * manhattan.ks.us.undernet.org
    * baltimore.md.us.undernet.org
    * lasvegas.nv.us.undernet.org
    * newyork.ny.us.undernet.org
    * dallas.tx.us.undernet.org
    * saltlake.ut.us.undernet.org
    * arlington.va.us.undernet.org
    * auckland.nz.undernet.org
    * ann-arbor.mi.us.undernet.org
    * newbrunswick.nj.us.undernet.org
    * plano.tx.us.undernet.org
    * mclean.va.us.undernet.org
    * caen.fr.eu.undernet.org

    5. Gathers the email addresses from the Windows Address Book and from the files that have file names containing any of the following strings:
    * HTM
    * HTML
    * WAB
    * TXT

    6. Uses its own SMTP engine to send itself to the email addresses that it finds.

    The email has the following characteristics:

    From: The sender of the email may be spoofed.

    Subject: The subject line may be one of the following:
    o Hi
    o Hello
    o Important
    o I'm in love
    o Sex
    o Wet girls
    o I'm nude
    o Fetishes
    o gutted
    o Ok ****

    Attachment: The attachment may have one of the following extensions:
    + britney.jpg
    + jenifer.jpg
    + photo.jpg
    + creme_de_gruyere.jpg
    + details
    + document
    + message

    followed by .scr or .txt.

    The attachment may have multiple spaces.

    For example, the attachment can be:

    creme_de_gruyere.jpg(multiple spaces).SCR

    The worm may also send a .zip file as the attachment.


  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,728
    Location:
    Texas
    Yes.

    Also known as:

    NOD32 - v.1.826 (20040729)
    Virus signature database updates:
    Win32/Adex.A, Win32/Banito.K, Win32/KillAV.DA, Win32/Mabutu.B, Win32/Rbot.HO, Win32/StartPage.IN1, Win32/TrojanProxy.XMaib.A
     
  3. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Symantec is the only company creating confusion with this virus as they are the only ones calling it Win32.Mota.B, everyone else is calling it Mabutu, Frisk calls it Mabuto.

    I-Worm.Mabutu.a

    Aliases
    I-Worm.Mabutu.a (Kaspersky Lab) is also known as: W32/Mabutu.a@MM (McAfee), W32.Mota.B@mm (Symantec), Win32.HLLM.Mabutu (Doctor Web), W32/Mabutu-A (Sophos), Win32/Mabutu.A@mm (RAV), Worm/Mabutu.A (H+BEDV), W32/Mabuto.B@mm (FRISK), Win32:Mabutu-Dll (ALWIL), I-Worm/Mabutu.A (Grisoft), Win32.Mabutu.B@mm (SOFTWIN), Worm.Mabutu.A.3 (ClamAV), W32/Mabutu.A.worm (Panda), Win32/Mabutu.A (Eset)
    Behavior Email Worm
    Technical Details

    This worm spreads via the Internet as an attachment to infected messages. It sends messages to all email addresses harvested from the victim computer.

    The worm itself is a Windows PE EXE file approximately 33KB in size, packed using UPX. The unpacked file is approximately 65KB in size.

    The worm contains a backdoor, which receives commands via IRC channels.
    Installation

    During installation the worm copies itself as "<random name>.exe" to the Windows root directory, for example:

    C:\%windir%\<random name>.exe

    It also creates the following files in the Windows root directory:

    C:\%windir%\<random name>.dll
    C:\%windir%\cfg.dat

    Then the worm registers the .dll file it has created in the system registry as a key to enable auto-run:

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    'winupdt' = "RUNDLL32.EXE %WinDir%\<random name>.dll"

    Propagation via email

    The worm scans MS Windows address books for email addresses, and all files with the following extensions:

    .htm
    .html
    .txt
    .wab

    Messages are not sent to addresses containing the following text strings:

    abuse
    admin
    anyone
    Avp
    bitdef
    confirm
    contact
    eeye
    info
    kaspers
    mailer
    mailing
    microsoft
    nai.c
    neohapsis
    news
    nobody
    noone
    nothing
    ntbugtraq
    panda
    postmaster
    register
    secunia
    secur
    service
    somebody
    someone
    sopho
    spam
    subscription
    support
    syman
    trendmicro
    virus
    webmaster
    where

    The worm establishes a direct connection to the recipient's SMTP server in order to send messages.
    Infected messages
    Message subject (chosen from the list below):

    britney.jpg
    creme_de_gruyere.jpg
    details
    document
    Fetishes
    gutted
    Hello
    Hi
    I'm in love
    I'm nude
    Important
    jenifer.jpg
    message
    Ok ****
    photo.jpg
    Sex
    Wet girls

    The attachment may have one or more extensions from the following list:

    .scr
    .txt
    .zip

    Remote Administration

    Mabutu.a makes it possible for a malicious remote user to receive information harvested from the victim machine via IRC channels.

    The worm opens TCP port 6667 on the victim machine in order to establish a connection to one of the following IRC servers:

    amsterdam.nl.eu.undernet.org
    amsterdam2.nl.eu.undernet.org
    ann-arbor.mi.us.undernet.org
    arlington.va.us.undernet.org
    atlanta.ga.us.undernet.org
    auckland.nz.undernet.org
    austin.tx.us.undernet.org
    baltimore.md.us.undernet.org
    brussels.be.eu.undernet.org
    caen.fr.eu.undernet.org
    chat1.voila.fr
    dallas.tx.us.undernet.org
    diemen.nl.eu.undernet.org
    flanders.be.eu.undernet.org
    graz.at.eu.undernet.org
    haarlem.nl.eu.undernet.org
    lasvegas.nv.us.undernet.org
    london.uk.eu.undernet.org
    los-angeles.ca.us.undernet.org
    lulea.se.eu.undernet.org
    manhattan.ks.us.undernet.org
    mclean.va.us.undernet.org
    mesa.az.us.undernet.org
    montreal.qu.ca.undernet.org
    moscow.ru.eu.undernet.org
    newbrunswick.nj.us.undernet.org
    newyork.ny.us.undernet.org
    oslo.no.eu.undernet.org
    phoenix.az.us.undernet.org
    plano.tx.us.undernet.org
    quebec.qu.ca.undernet.org
    graz2.at.eu.undernet.org
    saltlake.ut.us.undernet.org
    stockholm.se.eu.undernet.org
    surrey.uk.eu.undernet.org
    toronto.on.ca.undernet.org
    vancouver.bc.ca.undernet.org
    washington.dc.us.undernet.org

    Nod has detected it since 7/28/04 1.825

    NOD32 - v.1.825 (20040728)
    Virus signature database updates:
    .....Win32/Katien.NAA, Win32/KillFiles.FC, Win32/KillProc.D, Win32/Krepper.A, Win32/Lixy.H, Win32/Loony.O, Win32/Mabutu.A, ....
     
    Last edited: Dec 14, 2004
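The two write-ups quoted in this thread give concrete host and network indicators: a Run value named "winupdt" that launches RUNDLL32 against a randomly named DLL in the Windows directory (with the `_mainRD` entry point in the Symantec description), a CFG.DAT dropped beside a matching .exe/.dll pair, outbound IRC on TCP 6667 to the listed Undernet nodes and chat1.voila.fr, and attachment names padded with spaces so that a .scr hides behind a .jpg. The checker below is an added example, not code from the thread or from any of the quoted vendors. It assumes the Windows directory is C:\WINDOWS, generalises the IRC list to any *.undernet.org host plus chat1.voila.fr, and runs over constructed sample data (a Run-key dump, a file listing, a connection list and a few attachment names) rather than the live system.

```python
import re
from collections import defaultdict

# Indicators taken from the Symantec and Kaspersky descriptions quoted in the thread.
RUN_VALUE_NAME = "winupdt"
DROPPED_CONFIG = "cfg.dat"
IRC_PORT = 6667
LISTED_IRC_HOSTS = {"chat1.voila.fr"}
LISTED_IRC_SUFFIX = ".undernet.org"   # assumption: treat every Undernet node as listed

# "RUNDLL32.EXE <path>.dll,<entry>" with optional quoting around the path.
RUN_DATA_RE = re.compile(
    r'^"?rundll32(?:\.exe)?"?\s+"?(?P<path>[^,"]+?\.dll)"?(?:,(?P<entry>\w+))?\s*$', re.I)

# A harmless-looking name, at least two spaces, then the extension that actually runs.
PADDED_NAME_RE = re.compile(
    r"^(?P<shown>\S.*?\.(?:jpg|jpeg|gif|txt|doc))\s{2,}\.(?P<real>scr|exe|pif|com|bat|zip)$", re.I)
EXEC_EXT_RE = re.compile(r"\.(?:scr|exe|pif|com|bat)$", re.I)


def _in_windir_root(path, windir):
    """True when `path` is a file directly inside `windir`, not in a sub-directory."""
    prefix = windir.rstrip("\\").lower() + "\\"
    p = path.lower()
    return p.startswith(prefix) and "\\" not in p[len(prefix):]


def check_run_values(run_values, windir=r"C:\WINDOWS"):
    """Return (value_name, reason) for suspicious entries of a Run key dump."""
    findings = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME:
            findings.append((name, "value name matches the Mabutu/Mota persistence entry"))
        m = RUN_DATA_RE.match(data.strip())
        if not m:
            continue
        # Expand %Windir% via a callable so backslashes in windir are not treated as escapes.
        path = re.sub(r"%windir%", lambda _: windir, m.group("path").strip(), flags=re.I)
        if _in_windir_root(path, windir):
            findings.append((name, f"rundll32 loads {path} from the Windows directory root"))
        if (m.group("entry") or "").lower() == "_mainrd":
            findings.append((name, "DLL entry point _mainRD"))
    return findings


def check_files(paths, windir=r"C:\WINDOWS"):
    """Flag CFG.DAT and any same-stem .exe/.dll pair sitting in the Windows directory root."""
    findings = []
    exts_by_stem = defaultdict(set)
    for p in paths:
        if not _in_windir_root(p, windir):
            continue
        fname = p.rsplit("\\", 1)[-1].lower()
        if fname == DROPPED_CONFIG:
            findings.append((p, "dropped configuration file"))
        stem, dot, ext = fname.rpartition(".")
        if dot:
            exts_by_stem[stem].add(ext)
    for stem, exts in exts_by_stem.items():
        if {"exe", "dll"} <= exts:
            findings.append((f"{windir}\\{stem}.exe + .dll",
                             "matching .exe/.dll pair in the Windows directory root"))
    return findings


def check_connections(conns):
    """Flag outbound IRC on 6667; distinguish the listed C2 hosts from other IRC servers."""
    findings = []
    for host, port in conns:
        if port != IRC_PORT:
            continue
        h = host.lower()
        if h in LISTED_IRC_HOSTS or h.endswith(LISTED_IRC_SUFFIX):
            findings.append((host, "IRC server named in the Mabutu write-ups"))
        else:
            findings.append((host, "other IRC connection on 6667; review"))
    return findings


def suspicious_attachment(name):
    """Return a reason string for a risky attachment name, or None."""
    m = PADDED_NAME_RE.match(name)
    if m:
        return f"shown as {m.group('shown')!r}, real extension .{m.group('real').lower()}"
    if EXEC_EXT_RE.search(name):
        return "executable attachment"
    return None


# Constructed sample data; "xkq7pz" stands in for the worm's random file name.
SAMPLE_RUN = {
    "winupdt": r"RUNDLL32.EXE C:\WINDOWS\xkq7pz.dll,_mainRD",
    "SoundMAX": r"C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray",
    "NvCplDaemon": r"RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",  # legitimate: sub-directory
}
SAMPLE_FILES = [r"C:\WINDOWS\xkq7pz.exe", r"C:\WINDOWS\xkq7pz.dll", r"C:\WINDOWS\CFG.DAT",
                r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\system32\kernel32.dll"]
SAMPLE_CONNS = [("amsterdam.nl.eu.undernet.org", 6667), ("chat1.voila.fr", 6667),
                ("irc.freenode.net", 6667), ("www.example.com", 80)]
SAMPLE_ATTACHMENTS = ["creme_de_gruyere.jpg        .SCR", "details.scr", "photo.jpg"]

if __name__ == "__main__":
    for f in check_run_values(SAMPLE_RUN) + check_files(SAMPLE_FILES) + check_connections(SAMPLE_CONNS):
        print(*f, sep=": ")
    for a in SAMPLE_ATTACHMENTS:
        print(repr(a), "->", suspicious_attachment(a))
```

The NvCplDaemon entry is the deliberate negative case: it is also a RUNDLL32 launch, but the DLL lives under system32, so the "Windows directory root" test keeps it out of the findings; matching on "rundll32" alone would page you for every display driver. Run-key dumps, file listings and connection records would normally come from `reg export`, a directory listing and netstat or firewall logs rather than the inline samples.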
  4. Gauthreau

    Gauthreau Guest

    If it is indeed Mabutu (sp?), then yes we are protected. NOD has been picking that up on my machine for some time now.

    Neil
     