Win32.Mabutu.A@mm( W32.Mota.A@mm )
SYMPTOMS:
Presence of the files *twain.exe and *twain.dll (where * is one or more random letters, so the files might be qweatwain.dll, qtwain.exe etc.), cfg.dat and, possibly, ??twain.dat (where ?? are two random letters) in %WinDir%. Note that Windows itself ships twain.dll and twain_32.dll in %WinDir%; those have no random-letter prefix and are not part of the infection.

Presence of the following registry value under the Run key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\winupd = Rundll32.exe %WinDir%\*twain.dll, _mainRD
Again, the * stands for one or more random letters.

Open IRC connections (on port 6667) to the following servers:
chat1.voila.fr
austin.tx.us.undernet.org
mesa.az.us.undernet.org
surrey.uk.eu.undernet.org
stockholm.se.eu.undernet.org
moscow.ru.eu.undernet.org
haarlem.nl.eu.undernet.org
amsterdam.nl.eu.undernet.org
amsterdam2.nl.eu.undernet.org
quebec.qu.ca.undernet.org
graz2.at.eu.undernet.org
toronto.on.ca.undernet.org
montreal.qu.ca.undernet.org
vancouver.bc.ca.undernet.org
graz.at.eu.undernet.org
london.uk.eu.undernet.org
brussels.be.eu.undernet.org
diemen.nl.eu.undernet.org
oslo.no.eu.undernet.org
flanders.be.eu.undernet.org
lulea.se.eu.undernet.org
los-angeles.ca.us.undernet.org
phoenix.az.us.undernet.org
washington.dc.us.undernet.org
atlanta.ga.us.undernet.org
manhattan.ks.us.undernet.org
baltimore.md.us.undernet.org
lasvegas.nv.us.undernet.org
newyork.ny.us.undernet.org
dallas.tx.us.undernet.org
saltlake.ut.us.undernet.org
arlington.va.us.undernet.org
auckland.nz.undernet.org
ann-arbor.mi.us.undernet.org
newbrunswick.nj.us.undernet.org
plano.tx.us.undernet.org
mclean.va.us.undernet.org
caen.fr.eu.undernet.org

TECHNICAL DESCRIPTION:
The worm arrives by e-mail with the following characteristics.

The message subject is one of:
Sex
I'm in love
Important
Hello
Wet girls
I'm nude
Fetishes

The sender address is spoofed.

The attachment name is one of:
message
document
details
creme_de_gruyere
gutted
photo
jennifer
britney
with the extension SCR, or ZIP when the worm is sent as an archive. The attachment may also carry a double extension: .jpg or .txt, followed by a long run of spaces, and then .scr, so that the real extension is pushed out of view in a mail client's attachment list. This form occurs when the worm is sent inside an archive.

Once executed, the worm copies itself to the %WinDir% directory under a random name made of random letters followed by "TWAIN.EXE" (e.g. ATWAIN.EXE, QWETWAIN.EXE). It also drops the main worm component, a DLL named in the same manner (e.g. UTWAIN.DLL), and starts it with rundll32.exe, calling the DLL's _mainRD entry point. It uses a named mutex to avoid running more than one instance at a time. It harvests e-mail addresses from the infected computer by searching WAB, TXT, HTML and HTM files. So that it runs each time Windows starts, the worm creates the registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\winupd = Rundll32.exe %WinDir%\*twain.dll, _mainRD

Removal instructions:
Manual removal: identify and kill the worm's process. This is a bit tricky, since the process is rundll32.exe, which is also used by many clean applications, so there will usually be more than one rundll32.exe running at the same time; the worm's instance is the one that has loaded *twain.dll. If you are unsure which process it is, delete the winupd registry value, reboot the system and then delete the *twain.exe and *twain.dll files by hand. In case of multiple infections on the same machine there may be several such files, each with a different random prefix.
Automatic removal: let BitDefender disinfect infected files.

ANALYZED BY: Alexandru Carp, BitDefender Virus Researcher
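The indicators above (the random-prefix *twain.* file names, the winupd Run value, the IRC servers, and the space-padded double-extension attachment names) can be matched mechanically. The following is an added example written for this page, not code from BitDefender or from the worm; it turns the description into checks that run over constructed sample data (the directory listing, Run values, connection list and attachment names below are made up for the example). The regular expressions and the rule that any *.undernet.org server on port 6667 counts as a hit are this example's own reading of the description.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Indicators transcribed from the description above. All inputs used at
# the bottom of this file are constructed for the example, not captured
# from a real infection.

# *twain.exe / *twain.dll where * is ONE OR MORE random letters. The '+'
# is deliberate: Windows ships a legitimate twain.dll (no prefix) and
# twain_32.dll in %WinDir%, and neither must be flagged.
DROPPER_NAME = re.compile(r"^[a-z]+twain\.(?:exe|dll)$", re.IGNORECASE)
# ??twain.dat where ?? is exactly two random letters.
DAT_NAME = re.compile(r"^[a-z]{2}twain\.dat$", re.IGNORECASE)
# cfg.dat is a generic name; treat it as corroborating, not conclusive.
OTHER_FILES = {"cfg.dat"}
# Run value:  Rundll32.exe %WinDir%\*twain.dll, _mainRD
RUN_VALUE = re.compile(
    r"^rundll32(?:\.exe)?\s+.*\\[a-z]+twain\.dll\s*,\s*_mainRD\s*$",
    re.IGNORECASE,
)
IRC_PORT = 6667
# chat1.voila.fr is the only listed server outside *.undernet.org, so the
# IRC rule below is "that host, or any undernet.org host, on 6667"
# (example's own generalisation of the list in SYMPTOMS).
IRC_SERVERS = {"chat1.voila.fr"}
ATTACHMENT_STEMS = {"message", "document", "details", "creme_de_gruyere",
                    "gutted", "photo", "jennifer", "britney"}


def disguised_extension(name: str) -> Optional[Tuple[str, str]]:
    """Detect the padded double-extension trick, e.g. 'photo.jpg<spaces>.scr'.

    Returns (displayed_name, real_extension) when a run of whitespace
    separates an inner extension from the final one, else None. It is
    generic, so '.txt' padding or other real extensions are caught too.
    """
    m = re.match(r"^(\S.*?\.[A-Za-z0-9]{1,4})\s{2,}\.([A-Za-z0-9]{1,4})$", name)
    if not m:
        return None
    return m.group(1), m.group(2).lower()


def classify_attachment(name: str) -> Optional[str]:
    """Say why an attachment name matches the worm's mailing pattern, or None."""
    hidden = disguised_extension(name)
    if hidden and hidden[1] == "scr":
        return f"padded double extension: shown as {hidden[0]!r}, really .scr"
    stem, _, ext = name.rpartition(".")
    if stem.lower() in ATTACHMENT_STEMS and ext.lower() in {"scr", "zip"}:
        return f"known attachment name {stem}.{ext.lower()}"
    return None


def scan_host(windir_entries: Iterable[str],
              run_values: Dict[str, str],
              connections: Iterable[Tuple[str, int]]) -> Dict[str, List[str]]:
    """Match host artefacts against the indicators; findings grouped by kind."""
    found: Dict[str, List[str]] = {"files": [], "run_keys": [], "irc": []}
    for entry in windir_entries:
        if (DROPPER_NAME.match(entry) or DAT_NAME.match(entry)
                or entry.lower() in OTHER_FILES):
            found["files"].append(entry)
    for value_name, command in run_values.items():
        if RUN_VALUE.match(command):
            found["run_keys"].append(f"{value_name} = {command}")
    for host, port in connections:
        if port == IRC_PORT and (host in IRC_SERVERS
                                 or host.endswith(".undernet.org")):
            found["irc"].append(f"{host}:{port}")
    return found


# Constructed sample data (not from a real machine).
SAMPLE_WINDIR = ["explorer.exe", "twain.dll", "twain_32.dll", "qwetwain.exe",
                 "utwain.dll", "cfg.dat", "abtwain.dat", "notepad.exe"]
SAMPLE_RUN = {
    "winupd": r"Rundll32.exe C:\WINDOWS\utwain.dll, _mainRD",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_CONNECTIONS = [("chat1.voila.fr", 6667),
                      ("mesa.az.us.undernet.org", 6667),
                      ("www.example.com", 443)]

if __name__ == "__main__":
    for kind, hits in scan_host(SAMPLE_WINDIR, SAMPLE_RUN, SAMPLE_CONNECTIONS).items():
        print(kind, hits)
    for att in ("britney.zip", "photo.jpg" + " " * 30 + ".scr", "report.pdf"):
        print(repr(att), "->", classify_attachment(att))
```

On a live machine the three inputs would come from os.listdir on %WinDir%, the HKLM Run key (the winreg module on Windows) and a netstat listing; the example keeps them as literals so it runs anywhere. For the "which rundll32.exe is the worm" question in the removal steps, the reliable check is which instance has the DLL loaded: on Windows, tasklist /m "*twain.dll" lists processes by loaded module, which avoids killing the rundll32.exe instances that belong to clean applications.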