AnVir Software

Virus mabutu


Mabutu is a mass-mailing virus.
The virus installs itself (both EXE and DLL) into the Windows directory on the victim machine. The filenames it uses are constructed from a random letter followed by 'TWAIN' (with a .DLL or .EXE extension). For example:
  • %WinDir%\HTWAIN.EXE
  • %WinDir%\HTWAIN.DLL
  • %WinDir%\CFG.DAT
  • %WinDir%\RHTWAIN.DAT (first two letters variable)

Note: %WinDir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

Mabutu adds the value:
"winupd" = "RUNDLL32.EXE %WinDir%\HTWAIN.DLL, _mainRD"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
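
The file-name scheme and the Run-key value described above can be turned into a host check. The following Python is an added example, not AnVir's code: the function names, the default Windows directory and the sample file list and registry values are constructed for illustration.

```python
import ntpath
import re

# Name patterns from the description above; Windows file names are
# case-insensitive. CFG.DAT is too generic to flag on its own.
DROPPER = re.compile(r"^[A-Z]TWAIN\.(EXE|DLL)$", re.I)   # e.g. HTWAIN.EXE
DATA = re.compile(r"^[A-Z]{2}TWAIN\.DAT$", re.I)         # e.g. RHTWAIN.DAT
RUN_DATA = re.compile(
    r"^\s*RUNDLL32(\.EXE)?\s+(?P<dll>.+?)\s*,\s*_mainRD\s*$", re.I)

# Constructed sample input (not captured from a real host). TWAIN.DLL and
# twain_32.dll stand for legitimate TWAIN components that must not be flagged.
SAMPLE_FILES = ["explorer.exe", "TWAIN.DLL", "twain_32.dll", "htwain.exe",
                "HTWAIN.DLL", "CFG.DAT", "RHTWAIN.DAT", "notepad.exe"]
SAMPLE_RUN = {
    "winupd": r"RUNDLL32.EXE %WinDir%\HTWAIN.DLL, _mainRD",
    "ctfmon": r"C:\Windows\system32\ctfmon.exe",
}


def scan_windir(filenames):
    """Return names from the Windows directory that fit the naming scheme."""
    hits = [f for f in filenames if DROPPER.match(f) or DATA.match(f)]
    return sorted(hits, key=str.upper)


def scan_run_key(values, windir=r"C:\Windows"):
    """Return (value name, DLL path) pairs whose data loads a ?TWAIN.DLL
    from the Windows directory through the _mainRD export."""
    hits = []
    for name, data in values.items():
        m = RUN_DATA.match(data)
        if not m:
            continue
        dll = m.group("dll").strip('"')
        dll = re.sub(r"%windir%", lambda _: windir, dll, flags=re.I)
        folder, base = ntpath.split(dll)
        if (DROPPER.match(base) and base.upper().endswith(".DLL")
                and folder.upper() == windir.upper()):
            hits.append((name, dll))
    return hits


if __name__ == "__main__":
    print(scan_windir(SAMPLE_FILES))
    print(scan_run_key(SAMPLE_RUN))
```

On a live host the inputs would come from a directory listing of %WinDir% and from the values under the Run key quoted above.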

The virus emails itself to target addresses harvested from the Windows Address Book and from the files.






    © Copyright 2000-2008 AnVir Software. All Rights Reserved.