W32/Myfip.worm.g

Type
Virus
SubType
Worm
Discovery Date
10/23/2004
Length
51,712 bytes
Minimum DAT
4401 (10/27/2004)
Updated DAT
4896 (11/15/2006)
Minimum Engine
5.1.00
Description Added
10/27/2004
Description Modified
10/27/2004 12:58 PM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

-- Update October 27, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://www.theregister.com/2004/10/27/myflip_virus/

--

This worm is detected as W32/Myfip.worm in the 4401 DATs. Accurate detection will be included as W32/Myfip.worm.g in the 4402 DATs.

This detection is for a worm that is intended to steal data from victim machines. It bears the following characteristics:

  • it propagates by copying itself to poorly secured network shares (it attempts to log on as Administrator using a list of weak passwords)
  • it is intended to upload files from the victim machine to a remote FTP server

Share Propagation

The worm enumerates network shares, in order to copy itself to accessible Admin$ and IPC$ shares. It attempts to connect to remote machines as 'Administrator' using one of several passwords it stores in its body:

  • !@#$%
  • !@#$%^&*
  • !@#$%^&
  • !@#$%^
  • ###
  • ***
  • *
  • 00000000
  • 000000
  • 0007
  • 007007
  • 007
  • 02460249
  • 111
  • 123412345
  • 123456789
  • 12345678
  • 1234567
  • 123456
  • 123
  • 12
  • 1
  • 1a2b3c
  • 1p2o3i
  • 1q2w3e
  • 1qw23e
  • 1sanjose
  • 2004
  • 2222
  • 369
  • 4444love
  • 4runner
  • 54321
  • 654321
  • 7777
  • 777
  • 888888
  • 911
  • 99999999
  • @#$%^&
  • @@@
  • Admin
  • Administrator
  • Passwd
  • Password
  • a12345
  • a1b2c3
  • a1b2c3d4
  • a
  • aaa
  • aaaaaa
  • abby
  • abc123
  • abc
  • abcdabcd1234
  • abcde
  • abcdef
  • abcdefg
  • access
  • access
  • action
  • active
  • adammypc
  • adg
  • adm
  • adm
  • admin123456
  • admin123
  • admin
  • administrator123456
  • administrator123
  • administrator
  • administratorpasswd
  • adminpasswd
  • adminpasswd
  • adminpwd
  • asdfasdfg
  • asdfgh
  • asdfghjk
  • asdfjkl;
  • asdfjkl
  • bill
  • bin
  • daemon
  • dgj
  • doc
  • fgh
  • fjsy
  • free
  • freedom
  • fuck
  • fuckyou
  • god
  • guest
  • hacker
  • job
  • kim
  • loveyou
  • lp
  • me
  • morris
  • mp3
  • mypass123
  • mypass
  • mypc123
  • newpass
  • nice
  • noaccess
  • nobody
  • parol
  • pass
  • passwd
  • password
  • pentium
  • pizza
  • planet
  • playboy
  • ppp
  • pw123
  • pw
  • pwd
  • qwerty
  • root
  • rose
  • sex
  • share
  • shitsexy
  • shotgun
  • sos
  • spirit
  • spring
  • sprite
  • ssssss
  • storm
  • super
  • superman
  • support
  • sys
  • telecom
  • temp
  • test123
  • test1
  • test
  • upload
  • warez
  • xxx
  • xxxx
  • ytrewq
  • zxcvb
  • zxcvbnm

If successful, the worm copies itself to the share as:

  • WORM.TXT.EXE

The worm also copies itself to ADMIN$ shares as:

  • DFSVC.EXE

The password that was used to successfully connect is written to the file TEMP.TXT. This file is read by a second file, TEMP.EXE, which the worm also drops to the ADMIN$ share; this 'loader' component uses the stored password to install the worm as a service with Administrator privileges.

The service name bears the following characteristics:

Display name: Distributed Link Tracking Extensions
Image path: DFSVC.EXE

File Upload

The worm makes an FTP connection to the following remote server:

  • saap.meibu.com

At the time of writing this description the server was still on-line.

It retrieves a file of name 'ip.domain', which contains details of another remote FTP server. This second server is used to upload files from the victim machine.

Symptoms

  • Outgoing FTP traffic to saap.meibu.com
  • Registry and file system changes as detailed below

Method of Infection

When executed on the victim machine, the worm installs itself as KERNEL32DLL.EXE into the Windows system directory. For example:

  • C:\WINNT\SYSTEM32\KERNEL32DLL.EXE

If the worm is able to successfully connect to a remote share as Administrator, the password it used to gain that connection is written to a text file that is dropped in this directory:

  • C:\WINNT\SYSTEM32\TEMP.TXT

System startup is hooked via the addition of the following Registry key:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Distributed File System" = Kernel32dll.exe
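As an added defender's example (not part of this description and not McAfee's tooling), the Python below matches a host snapshot and a constructed log feed against the artifacts documented above: the Run value, the loader service, the dropped files, the FTP host, and a burst of failed Administrator logons standing in for the share password guessing. Because Windows has legitimate services with similar "Distributed Link Tracking" and "Distributed File System" names, the service and Run-key checks require both the name and the DFSVC.EXE / Kernel32dll.exe image to match; the log line format and the failure threshold are assumptions.

```python
import re
from collections import Counter

# Indicators from the description above; all comparisons are case-insensitive.
RUN_VALUE_NAME, RUN_VALUE_DATA = "distributed file system", "kernel32dll.exe"
SERVICE_NAME, SERVICE_IMAGE = "distributed link tracking extensions", "dfsvc.exe"
DROPPED_FILES = {"kernel32dll.exe", "temp.txt"}
FTP_HOST = "saap.meibu.com"
# Assumption (not from the description): this many failed 'Administrator' SMB
# logons from one source is treated as the worm's password-guessing behaviour.
ADMIN_FAIL_THRESHOLD = 5

def basename(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()

def scan_host(run_values, services, system_dir_files):
    """run_values: {name: data} under HKLM\\...\\CurrentVersion\\Run;
    services: [(display_name, image_path)]; system_dir_files: names in SYSTEM32."""
    hits = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME and basename(data) == RUN_VALUE_DATA:
            hits.append(f"run-key persistence: {name} = {data}")
    for display, image in services:
        if display.lower() == SERVICE_NAME and basename(image) == SERVICE_IMAGE:
            hits.append(f"loader service: {display} -> {image}")
    hits += [f"dropped file: {f}" for f in system_dir_files if f.lower() in DROPPED_FILES]
    return hits

LOG_RE = re.compile(r"^(?P<src>\S+)\s+(?P<event>smb_logon_fail|conn)\s+(?P<detail>\S+)$")

def scan_logs(lines):
    """Constructed log format: '<src> smb_logon_fail user=<name>' or '<src> conn <host>:<port>'."""
    admin_failures, hits = Counter(), []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        src, event, detail = m.group("src", "event", "detail")
        if event == "smb_logon_fail" and detail.lower() == "user=administrator":
            admin_failures[src] += 1
        elif event == "conn" and detail.lower().split(":")[0] == FTP_HOST:
            hits.append(f"outbound FTP to {FTP_HOST} from {src}")
    hits += [f"Administrator logon spray from {s} ({n} failures)"
             for s, n in admin_failures.items() if n >= ADMIN_FAIL_THRESHOLD]
    return hits

if __name__ == "__main__":  # constructed sample snapshot, not real data
    print(scan_host({"Distributed File System": "Kernel32dll.exe"},
                    [("Distributed Link Tracking Extensions", r"C:\WINNT\SYSTEM32\DFSVC.EXE")],
                    ["ntoskrnl.exe", "KERNEL32DLL.EXE", "TEMP.TXT"]))
    print(scan_logs(["10.0.0.5 smb_logon_fail user=Administrator"] * 6
                    + ["10.0.0.5 conn saap.meibu.com:21"]))
```

On a live host the same checks would be fed from the Run key, the service list and a SYSTEM32 directory listing; the functions take plain data so they can also run over exported snapshots.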

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
