w32/toyep@mm, w32.toyep.a@mm, worm_toypet.a, w32/toyep-a, email-worm.win32.toypet.a
tipo: gusano
tama?o: 49,152 bytes
origen: internet
destructivo: no en la calle (in the wild): si detección y eliminación: the hacker 5.9 y 6.0 al 17/08/2006.
descripción:
w32/toyep .a@mm , es un gusano que se difunde a trav?s de envi? masivo de e-mail, busca direcciones de e-mail dentro de archivos con las siguientes extensiones .adb, .asa, .asc, .asm, .asp, .cfg, .cgi, .con, .csp, .dbx, .dlt, .dwt, .edm, .eml, .hta, .htc, .htm, .inc, .jsp, .jst, .lbi, .log, .ods, .oft, .php, .pl, .mbx, .mdx, .mht, .mmf, .msg, .nch, .rdf, .rss, .sht, .ssi, .stm, .tbb, .tbi, .tpl, .txt, .uin, .vbp, .vbs, .wab, .wml, .wsh, .xht, .xls, .xml, .xsd y .xst. para luego enviarse a si mismo a estos.
caracter?sticas del mensaje de email:
asunto: [variable uno de los siguientes]
thank you for your purchase in bolero! thank you for your registration! pay for your credits! its important!!! you still have not paid a fine! tank you for your charity cuerpo: [variable uno de los siguientes]
hello!
thank you for your purchase in our internet-shop. we always appreciate to meet you there and would like to inform you that money was successfully transferred from your credit card to our account. further information you can find enclosed.
sincerely yours, bolero inetshop administration
-----------------------------
hello!
thank you for your rewrite in our mail server. the confirmation of you new login and password you can find enclosed.
sincerely yours, mail administration service / mail support service
----------------------------
hello!
we have to remain you that your credit payment period will be expiring next week. if you will not make your payment till that time we will have to withdraw your savings from your bank account.
all details you can find enclosed.
usa credit group.
----------------------------
hello!
we remain you that you still have not paid a parking violation fine. you should to pay it till the next week or we will have to reach trial the deal.
we are sending you herewith all necessary documents.
sincerely yours, regional police department management / administration
----------------------------
hello!
the st. patrick home thanks you for your donation. we are very obliged for your assistance with our st. patricks found and acknowledge the receipt of your transfer for its account. further to our letter we are sending you full estimate of that transfer.
sincerely yours, st. patrick homes administration
archivo adjunto: [variable uno de los siguientes]
message.zip data.zip logfile.zip ----------------------------
cuando el gusano se ejecuta se copia a si mismo dentro de:
system \mfcapi32u.exe nota:
- system representa la carpeta system dentro de windows (ej. c:\windows\system, c:\winnt\system32 ).
seguidamente crea un mutex de nombre peyotcodedbyhalt, de esta manera permite que solo una instancia del gusano se ejecute en memoria.
adem?s crea las siguientes entradas en el registro para poder ejecutarse en cada inicio del sistema:
hkey_local_machine\software\microsoft\currentversion\run
mfcapi32u= system \mfcapi32u.exe
seguidamente el gusano crea el archivo hack.txt dentro de la carpeta temp , para luego abrirlo utilizando la aplicaci?n notepad.exe [block de notas] y visualizar el siguiente texto:
this is the joke
finalmente descarga un archivo desde la siguiente direcci?n url, dicho archivo es detectado y eliminado como trojan/downloader.tibs.hh
http://traffall.biz/
|
