W32.Mantibe


Aliases: mantibe, w32/mantibe.worm, Worm.P2P.Mantibe.B, Win32.HLLW.Mantibe.A
Variants: Trojan:Win32/BlackBird, TROJ_BLACKBIRD.A, Trojan.Win32.BlackBird, Win32/BlackBird, Trj/BlackBird

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: North and South America, Asia
Removal: Easy
Platform: W32
Discovered: 22 Aug 2003
Damage: Low

Characteristics: A virus written in the Visual Basic programming language, it is designed to use the floppy disk as its main medium for transferring its code to other potentially vulnerable computer systems. An early indication of the presence of W32.Mantibe on a compromised machine is a copy of its text file in the root directory of the hard drive. A floppy disk will spread the infection when accessed by an unwary user.

More details about W32.Mantibe

The first time this malware is executed, a graphic image is displayed on the computer screen. According to some computer security experts, W32.Mantibe may display an image of two girls kissing. A copy of its code is dropped into the operating system's directory on the compromised computer. W32.Mantibe also creates a copy of itself on the floppy disk. The file placed on the removable storage device is characterized by its double file extension, usually a combination of an image format and an executable file extension. This type of file normally goes unnoticed by the computer user if the host machine hides file extensions by default.
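A defender's check for the double-extension naming described above, as an added example that is not part of the original page. The extension lists and the sample file names are assumptions constructed for illustration, since the page does not name the actual file.

```python
import os
import sys

# Assumed extension sets; the page only says "an image format and an executable file".
IMAGE_EXTS = {"jpg", "jpeg", "gif", "bmp", "png"}
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs"}


def is_double_extension(name):
    """True if name ends in <image ext>.<executable ext>, e.g. photo.jpg.exe."""
    # Windows ignores trailing dots and spaces in file names, so strip them first.
    parts = name.rstrip(". ").lower().split(".")
    if len(parts) < 3:
        return False
    # Padding spaces can sit between the decoy and the real extension
    # ("pic.jpg     .exe"), so trim each component before comparing.
    decoy, real = parts[-2].strip(), parts[-1].strip()
    return decoy in IMAGE_EXTS and real in EXEC_EXTS


def scan(root):
    """Walk root (for example a mounted floppy or USB drive) and return
    the sorted paths of files whose names use an image+executable extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if is_double_extension(f):
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample names, not taken from the malware itself.
    for sample in ["holiday.jpg", "holiday.JPG.exe", "pic.gif   .scr",
                   "setup.exe", "report.v2.bmp"]:
        print(f"{sample!r}: {is_double_extension(sample)}")
    # Optional: pass a drive or directory to scan it for real.
    for path in (scan(sys.argv[1]) if len(sys.argv) > 1 else []):
        print("suspicious:", path)
```

The check works on the full file name, so it flags these files even when the desktop is configured to hide known extensions.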

Consistent with the characteristics of most viruses, W32.Mantibe modifies the Windows Registry to make sure that it is loaded automatically with the operating system. It does this by creating a new key value that points to the exact location of its trigger file on the hard drive. The key value is associated with the Run instruction in the Windows Registry, and W32.Mantibe is executed as a type of service, which helps it avoid normal detection processes. It also creates two temporary text files, which are not detected as viral.