WORM_FANBOT.C
Overview

Malware type: Worm

Aliases: Email-Worm.Win32.Fanbot.j (Kaspersky), W32/Mytob.gen@MM (McAfee), W32.Fanbot.A@mm (Symantec), Worm/Mytob.KU (Avira), W32/Fanbot-H (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential:

High

Distribution potential:

High

Infection Channel 1: Propagates via email

Infection Channel 2: Propagates via peer-to-peer networks

Infection Channel 3: Propagates via software vulnerabilities

Description: 

This worm spreads copies of itself as an attachment to email messages that it sends to target recipients, using its own Simple Mail Transfer Protocol (SMTP) engine. Hence, it does not need other applications, such as Microsoft Outlook, to send out email messages.

Details of the email message it sends out are available in the Technical Details section.

It gathers email addresses from the user's Windows Address Book (WAB). It may also generate email addresses by combining several names with a domain name copied from previously harvested email addresses. Through these actions, this worm is able to propagate effectively and consume bandwidth.

In addition, this worm uses peer-to-peer applications to propagate. It drops copies of itself in peer-to-peer shares using interesting file names to entice other users to download a copy of this worm.

Moreover, it takes advantage of the Windows Plug and Play vulnerability to propagate across networks. For more information about the said Windows vulnerability, refer to the following Microsoft Web page:

Note that the propagation routine via the Windows Plug and Play vulnerability works only on Windows NT and 2000: the vulnerability has inherent characteristics that prevent this worm from exploiting it on Windows XP and Server 2003.

This worm creates registry entries depending on the affected system's running platform to ensure its automatic execution at every system startup. It also modifies a registry entry to disable Internet Connection Sharing (ICS) on affected systems. Disabling ICS prevents users from connecting to the Internet.

It is capable of preventing users from accessing several antivirus and security Web sites by modifying the HOSTS file. It is also capable of terminating several processes on the affected system.

The said routines make it difficult for affected users to detect and remove this worm from the system. They also leave the affected system vulnerable to further attacks from other malware programs.
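A defender-side check for the HOSTS tampering described above, written as an added example (it is not Trend Micro's code and not part of this entry): it parses a HOSTS file and flags any entry that maps a security-vendor domain to a loopback or unspecified address, which is how a worm silently blocks access to antivirus and update sites. The vendor list and the sample HOSTS content are constructed assumptions, since the entry does not name the sites this worm blocks.

```python
"""Flag HOSTS-file entries that sinkhole security-vendor sites.

Added example, not Trend Micro code. The watched-domain list and the
sample file below are constructed for illustration.
"""
import ipaddress
import os
from typing import List, Tuple

# Assumption: illustrative vendor/update domains to watch. The entry does not
# list the sites WORM_FANBOT.C redirects, so extend this to fit your environment.
WATCHED_DOMAINS = {
    "trendmicro.com",
    "symantec.com",
    "mcafee.com",
    "kaspersky.com",
    "sophos.com",
    "avira.com",
    "windowsupdate.com",
}

# Constructed sample HOSTS content mimicking the tampering described on the page.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
# entries below imitate a worm redirecting vendor sites to the local machine
127.0.0.1 www.trendmicro.com trendmicro.com
0.0.0.0   liveupdate.symantec.com
127.0.0.1 www.example.com   # not a security site; must not be flagged
::1       update.sophos.com
"""

Mapping = Tuple[int, str, str]  # (line number, address, hostname)


def parse_hosts(text: str) -> List[Mapping]:
    """Return every (line, ip, host) mapping in HOSTS text.

    Comments and blank lines are skipped, malformed addresses are ignored,
    and one address line may carry several hostnames.
    """
    entries: List[Mapping] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address; not a mapping
        for host in fields[1:]:
            entries.append((lineno, fields[0], host.lower()))
    return entries


def is_watched(host: str) -> bool:
    """True if host is a watched domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def find_blocked_sites(text: str) -> List[Mapping]:
    """Return mappings that send a watched domain to loopback or 0.0.0.0/::."""
    hits: List[Mapping] = []
    for lineno, ip, host in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        sinkholed = addr.is_loopback or addr.is_unspecified
        if sinkholed and is_watched(host):
            hits.append((lineno, ip, host))
    return hits


def default_hosts_path() -> str:
    """Location of the system HOSTS file on Windows, else the POSIX path."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def scan_hosts_file(path: str = "") -> List[Mapping]:
    """Scan a real HOSTS file (defaults to the platform location)."""
    with open(path or default_hosts_path(), encoding="utf-8", errors="replace") as fh:
        return find_blocked_sites(fh.read())


if __name__ == "__main__":
    for lineno, ip, host in find_blocked_sites(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {ip} (security site sinkholed)")
```

Run it as-is to see the four constructed hits; call `scan_hosts_file()` on a live machine to check the real file. Any hit is a strong indicator of tampering, because a clean HOSTS file normally contains only the `localhost` entries.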

It has backdoor capabilities. It opens a random port, which allows a remote user to execute malicious commands on the affected machine, thus compromising system security.

Upon execution, it displays the following error message:

For additional information about this threat, see:
Solution
Technical Details

Description created: Oct. 18, 2005 12:46:16 AM GMT -0800
