W32.Myfip.A


Aliases: W32/Myfip.worm, Worm/Myfip.A 
Variants: Worm.Win32.Myfip.e, WORM_MYFIP.E, W32/Myfip.D.worm, Win32.Worm.Myfip.D 

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Moderate
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 04 Aug 2004
Damage: Low

Characteristics: This security threat is a network-aware worm that can steal files from compromised computer systems. The W32.Myfip.A malware resides in system memory and can arrive on a target machine as an email message that carries the IFRAME exploit; the IFRAME points to a particular malicious file.

More details about W32.Myfip.A

Once the W32.Myfip.A worm is launched on the victim machine, it creates the ‘fjsy’ mutex so that only one instance of the malware runs on the computer at any given time. It then copies itself to the system as an executable file. The worm uses FTP (File Transfer Protocol) to retrieve a possibly malicious file from a predefined domain; that file contains a username, password and server address that the worm uses to connect to another FTP server. It then adds a value to a registry entry so that it executes when Windows starts. The worm then searches the local network for shared directories and, if it finds one, tries to copy its code to the remote system as a file with the extension txt.exe. If the share requires authentication, the malware tries to log in using one of its many predetermined passwords.

When the W32.Myfip.A worm has successfully logged in to the directory, it creates files with the .txt and .exe extensions. It then registers a file as the ‘Distributed Link Tracking Extensions’ service, which is responsible for running the worm’s copy with Administrator privileges. It then searches for PDF files and sends them to the FTP server it uses. Once the W32.Myfip.A worm is installed on the computer, its creator can administer the backdoor’s installation, control the IRC client on the compromised machine, download other threats, execute files, send the infection to other channels in order to take control of other computers, terminate running applications, perform denial-of-service attacks against other parties, and completely uninstall itself by removing its associated registry entries.
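The behaviours listed above translate directly into host-triage checks: the single-instance mutex, the service display name, copies dropped with a txt.exe double extension, the Run-key autostart, and PDF uploads over FTP. The script below is an added example (not code from the original entry or from any vendor tool) that runs those checks over a constructed host snapshot; the HostSnapshot fields, the sample file names and the FTP log lines are this example's own assumptions, while the mutex name, service name and extension come from the text above.

```python
"""Host-triage checks for the behaviours the W32.Myfip.A entry describes.

Added example, not code from the original entry. Indicators taken from the
text: the 'fjsy' mutex, the 'Distributed Link Tracking Extensions' service,
dropped copies named *.txt.exe, a Run-key autostart, and PDF files pushed
out over FTP. The snapshot layout and all sample values are constructed.
"""
import re
from dataclasses import dataclass, field

KNOWN_MUTEX = "fjsy"                                       # from the write-up
SUSPECT_SERVICE = "Distributed Link Tracking Extensions"   # from the write-up
DOUBLE_EXT = re.compile(r"\.txt\.exe$", re.IGNORECASE)     # e.g. readme.txt.exe
FTP_PORT = 21


@dataclass
class HostSnapshot:
    """Constructed, simplified view of what a collector/EDR would gather."""
    mutexes: list[str] = field(default_factory=list)
    services: dict[str, str] = field(default_factory=dict)    # display name -> image path
    run_values: dict[str, str] = field(default_factory=dict)  # Run value name -> command line
    share_files: list[str] = field(default_factory=list)      # paths observed on SMB shares
    ftp_log: list[str] = field(default_factory=list)          # constructed FTP/proxy log lines


def _image_of(cmd: str) -> str:
    """Return the executable path from a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(maxsplit=1)[0] if cmd else ""


def find_indicators(snap: HostSnapshot) -> list[str]:
    """Return one human-readable finding per matched indicator."""
    findings: list[str] = []

    # 1. Single-instance mutex named in the write-up.
    if KNOWN_MUTEX in snap.mutexes:
        findings.append(f"mutex '{KNOWN_MUTEX}' present")

    # 2. Service registered under the display name the worm uses to run its
    #    copy with Administrator privileges; report the image path for review.
    for name, image in snap.services.items():
        if name.casefold() == SUSPECT_SERVICE.casefold():
            findings.append(f"service '{name}' -> {image}")

    # 3. Run-key autostart whose target carries the worm's double extension.
    for value, cmd in snap.run_values.items():
        if DOUBLE_EXT.search(_image_of(cmd)):
            findings.append(f"Run value '{value}' starts {cmd}")

    # 4. Double-extension executables written to network shares (lateral copies).
    for path in snap.share_files:
        if DOUBLE_EXT.search(path):
            findings.append(f"double-extension file on share: {path}")

    # 5. PDF uploads over FTP: the write-up says stolen PDFs are sent to the
    #    worm's FTP server, so STOR of *.pdf from a workstation merits a look.
    pdf_uploads = [l for l in snap.ftp_log if re.search(r"\bSTOR\b.*\.pdf\b", l, re.I)]
    if pdf_uploads:
        findings.append(f"{len(pdf_uploads)} PDF upload(s) via FTP (port {FTP_PORT})")

    return findings


# Constructed sample snapshot: one benign entry beside each suspicious one.
SAMPLE = HostSnapshot(
    mutexes=["Global\\benign-app-lock", "fjsy"],
    services={
        "Distributed Link Tracking Extensions": r"C:\WINDOWS\system32\dlte.txt.exe",
        "Print Spooler": r"C:\WINDOWS\system32\spoolsv.exe",
    },
    run_values={
        "dlte": r'"C:\WINDOWS\system32\dlte.txt.exe" -s',
        "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    },
    share_files=[r"\\FILESRV\public\readme.txt.exe", r"\\FILESRV\public\notes.txt"],
    ftp_log=[
        "2004-08-04 10:02:13 10.0.0.15 STOR q3-forecast.pdf 226",
        "2004-08-04 10:02:19 10.0.0.15 STOR design.pdf 226",
        "2004-08-04 10:05:40 10.0.0.22 RETR patch.txt 226",
    ],
)

if __name__ == "__main__":
    for line in find_indicators(SAMPLE):
        print(line)
```

Each check is deliberately independent: a single hit (the mutex alone, or one PDF upload) is a lead rather than a verdict, while several hits on one host line up with the infection chain the entry describes and justify isolating the machine and pulling the service image for analysis.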