Virus:Worm/Myfip.I.1
Date discovered:21/07/2005
Type:Worm
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:68.608 Bytes
MD5 checksum:872b439292106a22e91983cb3c860c4d
VDF version:6.30.0.62

 General Method of propagation:
   • Local network


Aliases:
   •  Symantec: W32.Myfip.T
   •  Mcafee: W32/Myfip.worm.q
   •  Kaspersky: Worm.Win32.Myfip.m
   •  TrendMicro: WORM_MYFIP.M
   •  Grisoft: Worm/Myfip.N
   •  VirusBuster: Worm.Myfip.S


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Steals information

 Files It copies itself to the following location:
   • %SYSDIR%\kernel32dll.exe

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Distributed File System"="kernel32dll.exe"

 Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.

It drops copies of itself to the following network shares:
   • ipc
   • Admin\system32


It uses the following login information in order to gain access to the remote machine:

– The following list of passwords:
   • Administrator; administrator; admin; Admin; administrator123;
      admin123456; administrator123456; administratorpasswd; adminpasswd;
      adminpwd; adminpasswd; password; Password; 12345; 123456; 1234567;
      12345678; 123456789; 87654321; 7654321; 654321; 54321; 000000; passwd;
      Passwd; 00000000; 007007; !@; $%; !@; $%; !@; $%; !@; $%; daemon;
      nobody; noaccess; freedom; 1a2b3c; 1p2o3i; 1q2w3e; 1qw23e; 1sanjose;
      4runner; 888888; 99999999; a12345; a1b2c3; a1b2c3d4; aaaaaa; abc123;
      abcd1234; abcde; abcdef; abcdefg; access; action; active; mypc123;
      admin123; pw123; mypass; mypass123; asdfg; asdfgh; asdfghjk; asdfjkl;
      asdfjkl;; hacker; zxcvb; zxcvbnm; test1; test123; telecom; superman;
      support; super; ssssss; spring; sprite; spirit; playboy; planet;
      pizza; pentium; newpass; morris; loveyou; storm; fuckyou; warez;
      guest; shotgun; access; parol; upload; qwerty; ytrewq; share;


 Backdoor The following port is opened:

%executed file%.exe on TCP port 34330 in order to provide an FTP server.

 Injection – It injects itself into a process.

    Process name:
   • explorer.exe

   If the malware fails, it continues running as a process.

 Miscellaneous Mutex:
It creates the following Mutex:
   • Meteo/EA[DCA]

 File details Programming language:
 The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • PE Pack 1.0

Description inserted by Catalin Jora on Wednesday, August 3, 2005
Description updated by Catalin Jora on Friday, August 19, 2005

Back . . . .