Newly Discovered Viruses

parth.paul

Newbie
[OP]
Regulars
Aug 15, 2006
96
0
Virus Profile: W32/Toyep@MM
Risk Assessment - Home Users: Low - Corporate Users: Low
Date Discovered: 8/16/2006
Date Added: 8/16/2006
Origin: N/A
Length: 49,152 bytes
Type: Virus
SubType: E-mail worm
DAT Required: 4831
Virus Characteristics
When W32/Toyep@MM is run, the virus executes NOTEPAD.EXE to display the following message:

[*]'this is the joke'

A file is written to the user's temp folder (hack.txt); it is 17 bytes in length and contains just the message above.



The virus copies itself to the %SYSDIR% folder as MFCAPI32U.EXE

The following registry key is created to load the virus at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "mfcapi32u" = %SYSDIR%\mfcapi32u.exe



In addition to this it will attempt to download a remote EXE file (WIN32.EXE) from the following website:

[*]http://traf[removed].biz/[removed]win32.exe

Indications of Infection
Presence of the files and registry keys mentioned in the characteristics section.




Method of Infection
W32/Toyep@MM uses its own SMTP engine to send email messages. It trawls the infected system for files that contain email addresses and sends itself, in a ZIP archive, to every address it finds.

The virus generates the email as follows:



From: (Spoofed email sender)

Subject: uses any one of the following:

[*]Thank you for your purchase in Bolero!
[*]Thank you for your registration!
[*]Pay for your credits!
[*]It's important!!! You still have not paid a fine!
[*]Tank you for your charity
Body: uses any one of the following:

[*]Hello!
Thank you for your purchase in our Internet-shop. We always appreciate to meet you there and would like to inform you that money was successfully transferred from your credit card to our account. Further information you can find enclosed.
Sincerely yours, Bolero Inetshop Administration
[*]Hello!
Thank you for your rewrite in our mail server. The confirmation of you new login and password you can find enclosed.
Sincerely yours, Mail Administration Service / Mail Support Service
[*]Hello!
We have to remain you that your credit payment period will be expiring next week. If you will not make your payment till that time we will have to withdraw your savings from your bank account.
All details you can find enclosed.
USA Credit Group.
[*]Hello!
We remain you that you still have not paid a parking violation fine. You should to pay it till the next week or we will have to reach trial the deal.
We are sending you herewith all necessary documents.
Sincerely yours, Regional Police Department Management / Administration
[*]Hello!
The St. Patrick Home thanks you for your donation. We are very obliged for your assistance with our St. Patrick's Found and acknowledge the receipt of your transfer for its account. Further to our letter we are sending you full estimate of that transfer.
Sincerely yours, St. Patrick Home's Administration
Attachment: Arrives in a Zip archive using any of the following filenames:

[*]message.zip
[*]data.zip
[*]logfile.zip
 

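As an added example that is not part of the original post or of McAfee's profile, the following Python script turns the indicators above into checks: a host-side check for the dropped copy, the temp-folder note and the Run key value, and a mail-side check that matches a message against the lure subjects and attachment names. The Run key reader uses Python's winreg module and only works on Windows; everything else runs anywhere. The helper that stages a sample infection under a temporary directory is constructed for the demonstration and writes only harmless placeholder files.

```python
"""Offline IOC checks for the W32/Toyep@MM profile above.

Added example, not code from the original post or from McAfee's profile.
check_host() takes the system dir, temp dir and a dict of Run-key values
as arguments so it can be run against a live machine or against
artifacts collected from one; read_run_key() is the Windows-only reader
for that dict. score_mail() matches a message against the lure strings.
"""
import os

# Host artifacts from the profile
DROPPED_FILE = "mfcapi32u.exe"        # copy written to %SYSDIR%
RUN_VALUE = "mfcapi32u"               # HKLM\...\CurrentVersion\Run value name
TEMP_NOTE = "hack.txt"                # note written to the user's temp folder
NOTE_TEXT = b"this is the joke"       # 16 bytes; 17 on disk with a trailing newline
NOTE_LEN = 17

# Mail-side indicators from the profile (compared case-insensitively)
LURE_SUBJECTS = {
    "thank you for your purchase in bolero!",
    "thank you for your registration!",
    "pay for your credits!",
    "it's important!!! you still have not paid a fine!",
    "tank you for your charity",  # the typo is the worm's own
}
LURE_ATTACHMENTS = {"message.zip", "data.zip", "logfile.zip"}


def check_host(sysdir, tmpdir, run_values):
    """Return a list of findings; an empty list means no artifact was found."""
    findings = []
    exe = os.path.join(sysdir, DROPPED_FILE)
    if os.path.isfile(exe):
        findings.append(f"dropped copy present: {exe}")
    note = os.path.join(tmpdir, TEMP_NOTE)
    if os.path.isfile(note):
        size = os.path.getsize(note)
        with open(note, "rb") as fh:
            body = fh.read(64)
        match = size == NOTE_LEN and body.strip() == NOTE_TEXT
        findings.append(f"temp note present: {note} ({size} bytes, "
                        f"{'matches' if match else 'does not match'} profile)")
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE or DROPPED_FILE in str(data).lower():
            findings.append(f"Run key persistence: {name!r} = {data!r}")
    return findings


def read_run_key():
    """Windows only: read every value under HKLM\\...\\CurrentVersion\\Run."""
    import winreg
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:          # raised once the values are exhausted
                break
            values[name] = data
            index += 1
    return values


def score_mail(subject, attachment_names):
    """Return the reasons a message matches the worm's lure; empty list if none."""
    reasons = []
    if subject.strip().lower() in LURE_SUBJECTS:
        reasons.append(f"lure subject: {subject.strip()!r}")
    for name in attachment_names:
        if name.lower() in LURE_ATTACHMENTS:
            reasons.append(f"lure attachment: {name!r}")
    return reasons


def stage_constructed_sample():
    """Constructed demo data: lay the profile's artifacts out under a temp dir
    using harmless placeholder files and return (sysdir, tmpdir, run_values)."""
    import tempfile
    base = tempfile.mkdtemp(prefix="toyep_demo_")
    sysdir = os.path.join(base, "system32")
    tmpdir = os.path.join(base, "temp")
    os.makedirs(sysdir)
    os.makedirs(tmpdir)
    exe = os.path.join(sysdir, DROPPED_FILE)
    with open(exe, "wb") as fh:
        fh.write(b"placeholder, not the worm")
    with open(os.path.join(tmpdir, TEMP_NOTE), "wb") as fh:
        fh.write(NOTE_TEXT + b"\n")        # 17 bytes, as in the profile
    return sysdir, tmpdir, {RUN_VALUE: exe}


if __name__ == "__main__":
    sysdir, tmpdir, run_values = stage_constructed_sample()
    for line in check_host(sysdir, tmpdir, run_values):
        print(line)
    print(score_mail("Thank you for your registration!", ["data.zip"]))
```

On a real Windows host, call `check_host(os.environ["SystemRoot"] + r"\system32", os.environ["TEMP"], read_run_key())`; the Run key check also matches a value stored under a different name whose data points at mfcapi32u.exe, since the value name is the easiest thing for a variant to change.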
parth.paul
Guys if you have anything to share regarding the viruses then you are welcome.