W32/Toyep@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 08/16/2006
Length: 49,152 bytes
Minimum DAT: 4831 (08/17/2006)
Updated DAT: 4831 (08/17/2006)
Minimum Engine: 5.1.00
Description Added: 08/16/2006
Description Modified: 08/16/2006 8:07 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low


Overview

W32/Toyep@MM is a mass-mailing worm that sends itself to the email addresses it harvests on the infected computer. It also contains the functionality to download EXE files from a remote server and then execute them on the affected computer.

Characteristics

When W32/Toyep@MM is run, the virus executes NOTEPAD.EXE to display the following message:

  • 'this is the joke'

A file (hack.txt) is written to the user's temp folder; it is 17 bytes in length and contains only the message above.

The virus copies itself to the %SYSDIR% folder as MFCAPI32U.EXE.

The following registry key is created to load the virus at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "mfcapi32u" = %SYSDIR%\mfcapi32u.exe

In addition, it attempts to download a remote EXE file (WIN32.EXE) from the following website:

  • http://traf[removed].biz/[removed]win32.exe

Symptoms

Presence of the files and registry keys mentioned in the Characteristics section.
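As an added defender-side check (not part of the McAfee description), a PowerShell triage script that tests one host for the artefacts listed above; it assumes %SYSDIR% corresponds to $env:SystemRoot\System32 and only reports, leaving removal to the specified engine and DAT files.

```powershell
# Added example (not from the McAfee description): read-only triage of one host
# for the W32/Toyep@MM artefacts listed under Characteristics. It only reports;
# removal is left to the engine and DAT files named under Removal.
# Assumption: %SYSDIR% on this page corresponds to $env:SystemRoot\System32.

function Get-ToyepIndicator {
    $findings = @()

    # 1. Dropped copy in the system folder (page: MFCAPI32U.EXE, 49,152 bytes).
    $dropped = Join-Path $env:SystemRoot 'System32\mfcapi32u.exe'
    if (Test-Path -LiteralPath $dropped) {
        $size = (Get-Item -LiteralPath $dropped).Length
        $findings += "File present: $dropped ($size bytes; description lists 49,152)"
    }

    # 2. Startup persistence: value "mfcapi32u" under the HKLM Run key.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'mfcapi32u' -ErrorAction SilentlyContinue
    if ($null -ne $run) {
        $findings += "Run value mfcapi32u = $($run.mfcapi32u)"
    }

    # 3. The 17-byte hack.txt marker in %TEMP%. %TEMP% is per user, so run this
    #    under each account that has logged on (or from a logon script).
    $marker = Join-Path $env:TEMP 'hack.txt'
    if (Test-Path -LiteralPath $marker) {
        $size = (Get-Item -LiteralPath $marker).Length
        $findings += "Marker file: $marker ($size bytes; description lists 17)"
    }

    return $findings
}

$result = @(Get-ToyepIndicator)
if ($result.Count -eq 0) {
    'No W32/Toyep@MM indicators found on this host.'
} else {
    'Possible W32/Toyep@MM infection:'
    $result | ForEach-Object { "  - $_" }
}
```

A size that differs from the listed 49,152 or 17 bytes does not clear the host; it may simply indicate a variant, so treat any hit as grounds for a full scan.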

 

Method of Infection

W32/Toyep@MM uses its own SMTP engine to send email messages. It trawls the infected system for files that contain email addresses. If a file is found to contain an email address, the worm sends itself to that address in a ZIP archive.

The virus generates the email as follows:

From: (Spoofed email sender)

Subject: Uses any one of the following:

  • Thank you for your purchase in Bolero!
  • Thank you for your registration!
  • Pay for your credits!
  • It's important!!! You still have not paid a fine!
  • Tank you for your charity

Body: Uses any one of the following:

  • Hello!
    Thank you for your purchase in our Internet-shop. We always appreciate to meet you there and would like to inform you that money was successfully transferred from your credit card to our account. Further information you can find enclosed.
    Sincerely yours,  Bolero Inetshop Administration
  • Hello!
    Thank you for your rewrite in our mail server. The confirmation of you new login and password you can find enclosed.
    Sincerely yours, Mail Administration Service / Mail Support Service
  • Hello!
    We have to remain you that your credit payment period will be expiring next week.  If you will not make your payment till that time we will have to withdraw your savings from your bank account.
    All details you can find enclosed.
    USA Credit Group.
  • Hello!
    We remain you that you still have not paid a parking violation fine. You should to pay it till the next week or we will have to reach trial the deal.
    We are sending you herewith all necessary documents.
    Sincerely yours, Regional Police Department Management / Administration
  • Hello!
    The St. Patrick Home thanks you for your donation. We are very obliged for your assistance with our St. Patrick's Found and acknowledge the receipt of your transfer for its account. Further to our letter we are sending you full estimate of that transfer.
    Sincerely yours, St. Patrick Home's Administration

 

Attachment: Arrives in a ZIP archive using any one of the following filenames:

  • message.zip
  • data.zip
  • logfile.zip
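Added example, not from the original description: a PowerShell filter that flags messages carrying both a listed subject and a listed attachment name, run here over constructed sample records (the field names Id, Subject and Attachments are assumptions to map onto your own gateway or mailbox export).

```powershell
# Added example (not from the McAfee description): flag messages that carry both
# a listed W32/Toyep@MM subject and a listed attachment name. Requiring both keeps
# false positives low; a subject alone is weak evidence. Input here is constructed
# sample data; the field names Id, Subject and Attachments are assumptions to be
# mapped onto your own gateway or mailbox export.

$ToyepSubjects = @(
    'Thank you for your purchase in Bolero!',
    'Thank you for your registration!',
    'Pay for your credits!',
    "It's important!!! You still have not paid a fine!",
    'Tank you for your charity'
)
$ToyepAttachments = @('message.zip', 'data.zip', 'logfile.zip')

function Test-ToyepLure {
    param(
        [Parameter(Mandatory)] [string]   $Subject,
        [Parameter(Mandatory)] [string[]] $AttachmentNames
    )
    # -contains compares case-insensitively, so 'Logfile.ZIP' still matches.
    $subjectHit = $ToyepSubjects -contains $Subject.Trim()
    $attachHit  = @($AttachmentNames | Where-Object { $ToyepAttachments -contains $_ }).Count -gt 0
    return ($subjectHit -and $attachHit)
}

# Constructed sample messages (not real traffic).
$samples = @(
    [pscustomobject]@{ Id = 1; Subject = 'Pay for your credits!';            Attachments = @('data.zip') },
    [pscustomobject]@{ Id = 2; Subject = 'Quarterly report';                 Attachments = @('report.xlsx') },
    [pscustomobject]@{ Id = 3; Subject = 'Tank you for your charity';        Attachments = @('Logfile.ZIP') },
    [pscustomobject]@{ Id = 4; Subject = 'Thank you for your registration!'; Attachments = @('photo.jpg') }
)

$samples |
    Where-Object { Test-ToyepLure -Subject $_.Subject -AttachmentNames $_.Attachments } |
    ForEach-Object { "Message $($_.Id): W32/Toyep@MM lure '$($_.Subject)' with $($_.Attachments -join ', ')" }
```

Because the sender address is spoofed, the From header is deliberately not used as an indicator here.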

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

N/A