VIRUS ALERTS

W32.Mimbot Worm

Original issue date: August 17, 2007

It has been observed that a worm known as W32.Mimbot is circulating in the wild. The worm propagates by sending a zipped copy of itself through MSN Instant Messenger with an enticing message that tricks the user into opening an attachment named PictureAlbum2007.zip.

The worm opens a back door by connecting to an IRC server on the ns5 dot landpurchased dot com domain over TCP port 81. The infected system then waits for commands from the remote attacker to download and execute files and to carry out other malicious activities.

Aliases: W32.Mimbot [Symantec], W32/Delf-EXR [Sophos]


The malicious message has the following details:


Message text (any of the following):

  • What do you think of this picure? i feel i look ugly :/
  • Here's a new pic of meBritish Muslims Genocide
  • A few pictures from last week, see if you like em.
  • Have you seen this picure yet?
  • Haha, is that you on that picture?
  • Should i use this picture on msn?
  • What do you think about this?

Attachment:

  • PictureAlbum2007.zip

Upon execution, the worm:

  • Creates the following files:
    • %Windir%\PictureAlbum2007.zip
    • %System%\prodigys323.dll

  • Creates the following registry entries to ensure its automatic execution at every system startup (the CLSID registers the dropped DLL as an in-process COM server, and the ShellServiceObjectDelayLoad value makes the shell load that CLSID at logon):

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{448BAC42-AABD-42C5-A550-826BF4AF4BB3}\InProcServer32\"(Default)" = "prodigys323.dll"

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\"prodigy1" = "{448BAC42-AABD-42C5-A550-826BF4AF4BB3}"

  • Opens a back door by connecting to an IRC server at ns5.landpurchased.com over
    TCP port 81 and waits for the attacker's commands to perform malicious activities.
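As an added example (not part of the CERT-In alert or Symantec's write-up), the following PowerShell script checks a Windows host, read-only, for the artefacts listed above: the two dropped files, the worm's CLSID, and any ShellServiceObjectDelayLoad value that resolves to that CLSID or to prodigys323.dll. It assumes %System% is System32 and that it runs from an elevated prompt so HKLM is readable.

```powershell
# Added example: read-only check for the W32.Mimbot artefacts listed in the alert.
# Assumes %System% is System32; run elevated so the HKLM keys can be read.
$mimbotClsid = '{448BAC42-AABD-42C5-A550-826BF4AF4BB3}'
$mimbotDll   = 'prodigys323.dll'
$findings    = @()

# 1. Files the worm drops (paths from the alert).
$dropped = @("$env:windir\PictureAlbum2007.zip",
             "$env:windir\System32\$mimbotDll")
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 2. The CLSID the worm registers, whether or not anything still references it.
$clsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$mimbotClsid\InProcServer32"
$inproc = Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue
if ($inproc) { $findings += "CLSID registered: $clsidKey -> $($inproc.'(default)')" }

# 3. ShellServiceObjectDelayLoad: every value here is a CLSID whose InProcServer32
#    DLL Explorer loads at logon, so resolve each one and flag the worm's DLL or CLSID.
$ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$values = Get-ItemProperty -Path $ssodl -ErrorAction SilentlyContinue
if ($values) {
    foreach ($v in $values.PSObject.Properties) {
        if ($v.Name -like 'PS*') { continue }   # provider metadata, not registry values
        $clsid  = [string]$v.Value
        $server = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32" -ErrorAction SilentlyContinue
        $dll    = if ($server) { [string]$server.'(default)' } else { '<no InProcServer32>' }
        $hit    = ($clsid -eq $mimbotClsid) -or ($dll -like "*$mimbotDll")
        $tag    = if ($hit) { '[MIMBOT]' } else { '[info]  ' }
        Write-Output ("{0} SSODL '{1}' -> {2} -> {3}" -f $tag, $v.Name, $clsid, $dll)
        if ($hit) { $findings += "SSODL persistence: '$($v.Name)' -> $clsid -> $dll" }
    }
}

# 4. Summary. A non-zero exit code lets a logon script or scheduler act on a hit.
if ($findings.Count -eq 0) {
    Write-Output 'No W32.Mimbot artefacts found.'
    exit 0
}
Write-Output "W32.Mimbot artefacts found on $($env:COMPUTERNAME):"
$findings | ForEach-Object { Write-Output "  $_" }
exit 1
```

The SSODL listing is printed in full, not only on a hit, because legitimate shell objects also live there and a sysadmin will want to see what each CLSID resolves to before deciding anything is benign.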

In view of the rapid propagation of the worm, users are advised to implement the following countermeasures:

  • Keep up-to-date on patches and fixes on the operating system and application software.
  • Keep antivirus and antispyware signatures up to date.
  • Exercise caution while opening attachments with instant messages.
  • Do not click on links contained in untrusted instant messages.

References

http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-081000-2334-99&tabid=1

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003