W32.Mibling


Aliases: Win32/Malinbot.A, Trojan.Minute, Trojan-Dropper.Win32.Agent.avam, Generic.dx, W32/Busky.KENN
Variants: Worm:Win32/Lamin.A, Worm:Win32/VB.BN, Backdoor:Win32/Lamin.A, W32/IRCBot-ADJ, Bck/Mirbased.BT

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 04 Jun 2009
Damage: Low

Characteristics: Some computer security experts have observed this worm using instant messaging clients installed on the compromised machine to spread its code. This results in considerable degradation of overall system performance. When W32.Mibling successfully installs itself on a computer system, it stops processes and modifies the operating system configuration. It opens an unsecured backdoor that can be remotely manipulated by its malicious author.

More details about W32.Mibling

This malware may be dropped onto a vulnerable computer system in a number of deceptive ways. The main trigger file for W32.Mibling normally uses the icon of Microsoft's word processing application; the difference is that the file carries an EXE extension rather than the standard DOC extension. When successfully executed, W32.Mibling creates two executable files in the word processing program's directory and a command file in the Startup folder of the user's profile. It then launches the word processing application with a blank document. One of the W32.Mibling executable files is then activated and drops a number of DLL, EXE, MRC, and INI files into the same location.

W32.Mibling then uses the Windows Registry to achieve five important tasks. It installs an automatic startup entry for itself. It modifies key values so that its code is launched instead of the requested application. It attempts to create a key value that allows its code to load as an operating system service. It also uses the Registry to lower the security configuration of the host machine and to prevent the machine from being booted into Safe Mode.
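
For triage, the five Registry tasks above can be checked by comparing a known-good Registry snapshot with a current one. The following is an added example, not code from the original page: the key paths are standard Windows locations assumed for illustration (the page does not name the keys W32.Mibling touches), and the snapshots, value names and file paths are constructed placeholders.

```python
import re

# (label, operation, key regex, value-name regex). Key paths are standard Windows
# locations assumed for illustration; the page does not name the keys it touches.
RULES = [
    ("autostart entry", "set", r"\\CurrentVersion\\Run(Once)?$", r".*"),
    ("application launch hijack", "set",
     r"\\Image File Execution Options\\[^\\]+$", r"Debugger"),
    ("service installation", "set",
     r"\\CurrentControlSet\\Services\\[^\\]+$", r"ImagePath"),
    ("lowered security configuration", "set", r"\\Policies\\System$",
     r"EnableLUA|DisableTaskMgr|DisableRegistryTools"),
    ("Safe Mode boot disabled", "deleted",
     r"\\Control\\SafeBoot\\(Minimal|Network)(\\|$)", r".*"),
]

def diff(before, after):
    """Compare two {(key, value_name): data} registry snapshots."""
    changes = [("set", k, n, d) for (k, n), d in after.items()
               if before.get((k, n)) != d]
    changes += [("deleted", k, n, d) for (k, n), d in before.items()
                if (k, n) not in after]
    return changes

def classify(before, after):
    """Return (label, operation, key, value_name, data) per suspicious change."""
    findings = []
    for op, key, name, data in diff(before, after):
        for label, want_op, key_re, name_re in RULES:
            if (op == want_op and re.search(key_re, key, re.I)
                    and re.fullmatch(name_re, name, re.I)):
                findings.append((label, op, key, name, data))
                break
    return findings

# Constructed snapshots; every name, path and value below is a placeholder.
CV = r"HKCU\Software\Microsoft\Windows\CurrentVersion"
IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SYS = r"HKLM\SYSTEM\CurrentControlSet"
BEFORE = {(CV + r"\Run", "Updater"): r"C:\Program Files\Vendor\updater.exe",
          (SYS + r"\Control\SafeBoot\Minimal\AppMgmt", ""): "Service"}
AFTER = {(CV + r"\Run", "Updater"): r"C:\Program Files\Vendor\updater.exe",
         (CV + r"\Run", "placeholder"): r"C:\EXAMPLE\dropped.exe",
         (IFEO + r"\example.exe", "Debugger"): r"C:\EXAMPLE\dropped.exe",
         (SYS + r"\Services\placeholdersvc", "ImagePath"): r"C:\EXAMPLE\dropped.exe",
         (CV + r"\Policies\System", "DisableRegistryTools"): 1,
         (r"HKCU\Software\Vendor\App", "LastRun"): "2009-06-04"}
print(*classify(BEFORE, AFTER), sep="\n")
```

The unchanged `Updater` entry and the unrelated `LastRun` value are not reported; the deleted SafeBoot entry is reported because Safe Mode depends on those subkeys being present.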