Win32/ToyPet [Threat Name]

Win32/ToyPet.A [Threat Variant Name]

Category worm
Size 49152 B
Detection created Aug 17, 2006
Detection database version 0.11711
Aliases Email-Worm.Win32.ToyPet.a (Kaspersky)
  W32.Toyep.A@mm (Symantec)
  Worm:Win32/Tibsorm.A@mm (Microsoft)
Short description

Win32/ToyPet.A is a worm that spreads via e-mail.

Installation

When executed, the worm copies itself into the following location:

  • %system%\mfcapi32u.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "mfcapi32u" = %system%\mfcapi32u.exe

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%malwarefilepath%" = "%malwarefilepath%:*:Enabled:%malwarefilename%"

This entry adds the worm's executable to the Windows Firewall list of authorized applications, so that its network traffic is allowed on all networks (the "*" scope) without prompting the user.
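The two Registry entries above are the most reliable host-based indicators of this variant. The following Python script is an added example, not part of the original ESET entry: it parses a .reg export of the affected keys, decodes the firewall "path:scope:state:name" value format, and reports the Run-key persistence, the firewall exception and the MailPeyot marker key. The export text is constructed for the example, and %system% is assumed to be C:\Windows\system32. The page names ControlSet001; on a live system the same list is also reachable via CurrentControlSet, so the key regex accepts both spellings.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the page: dropped file name, Run key and marker key.
WORM_FILE = "mfcapi32u.exe"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\MailPeyot"
# ControlSet001 is what the page lists; CurrentControlSet is an alias for the
# active control set, so both are accepted here.
FW_LIST_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\Services\\"
    r"SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\"
    r"AuthorizedApplications\\List$",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed .reg export (not taken from a real system); %system% is assumed
# to be C:\Windows\system32. .reg files escape backslashes as "\\".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"mfcapi32u"="C:\\Windows\\system32\\mfcapi32u.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Windows\\system32\\mfcapi32u.exe"="C:\\Windows\\system32\\mfcapi32u.exe:*:Enabled:mfcapi32u.exe"
"C:\\Program Files\\App\\app.exe"="C:\\Program Files\\App\\app.exe:*:Enabled:App"

[HKEY_CURRENT_USER\Software\MailPeyot]
"DlPl"="1"
"""


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes a quote."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}}.
    Only quoted string data is decoded; other types are kept as raw text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1))
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def parse_firewall_entry(data: str) -> Tuple[str, str, str, str]:
    """Split an XP-era AuthorizedApplications value, 'path:scope:state:name'.
    The path contains a drive colon, so the split runs from the right."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError(f"unexpected firewall entry: {data!r}")
    return parts[0], parts[1], parts[2], parts[3]


def find_toypet_indicators(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings for the page's Registry indicators."""
    findings: List[str] = []
    for key, values in reg.items():
        if key.lower() == RUN_KEY.lower():
            for name, data in values.items():
                if data.lower().endswith("\\" + WORM_FILE):
                    findings.append(f"run-key persistence: {name} -> {data}")
        elif FW_LIST_RE.match(key):
            for data in values.values():
                path, scope, state, app = parse_firewall_entry(data)
                if path.lower().endswith("\\" + WORM_FILE) and state.lower() == "enabled":
                    findings.append(f"firewall exception: {path} (scope {scope}, name {app})")
        elif key.lower() == MARKER_KEY.lower():
            findings.append(f"infection marker: {key} DlPl={values.get('DlPl')}")
    return findings


if __name__ == "__main__":
    for finding in find_toypet_indicators(parse_reg(SAMPLE_REG)):
        print(finding)
```

Run it against `reg export HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy out.reg` (and the Run and HKCU keys) from the suspect host; the benign entries in the sample show that the check keys on the executable path, not on the mere presence of an authorized-application list.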


The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\MailPeyot]
    • "DlPl" = "1"

Spreading via e-mail

Win32/ToyPet.A is a worm that spreads via e-mail.


E-mail addresses for further spreading are searched for in local files with one of the following extensions:

  • adb
  • asa
  • asc
  • asm
  • asp
  • cfg
  • cgi
  • con
  • csp
  • dbx
  • dlt
  • dwt
  • edm
  • eml
  • hta
  • htc
  • htm
  • inc
  • jsp
  • jst
  • lbi
  • log
  • ods
  • oft
  • php
  • pl
  • mbx
  • mdx
  • mht
  • mmf
  • msg
  • nch
  • rdf
  • rss
  • sht
  • ssi
  • stm
  • tbb
  • tbi
  • tpl
  • txt
  • uin
  • vbp
  • vbs
  • wab
  • wml
  • wsh
  • xht
  • xls
  • xml
  • xsd
  • xst

The attachment is a ZIP archive containing the .


Name of the attachment is one of the following:

  • logfile.zip
  • data.zip
  • message.zip

Subject of the message is one of the following:

  • Tank you for your charity
  • It's important!!! You still have not paid a fine!
  • Pay for your credits!
  • Thank you for your registration!
  • Thank you for your purchase in Bolero!

Body of the message is one of the following:

  • Hello! Thank you for your purchase in our Internet-shop. We always appreciate to meet you there and would like to inform you that money was successfully transferred from your credit card to our account. Further information you can find enclosed. Sincerely yours, Bolero Inetshop Administration
  • Hello! Thank you for your rewrite in our mail server. The confirmation of you new login and password you can find enclosed. Sincerely yours, Mail Administration Service / Mail Support Service
  • Hello! We have to remain you that your credit payment period will be expiring next week. If you will not make your payment till that time we will have to withdraw your savings from your bank account. All details you can find enclosed. USA Credit Group.
  • Hello! We remain you that you still have not paid a parking violation fine. You should to pay it till the next week or we will have to reach trial the deal. We are sending you herewith all necessary documents. Sincerely yours, Regional Police Department Management / Administration
  • Hello! The St. Patrick Home thanks you for your donation. We are very obliged for your assistance with our St. Patrick's Found and acknowledge the receipt of your transfer for its account. Further to our letter we are sending you full estimate of that transfer. Sincerely yours, St. Patrick Home's Administration

The messages may contain any of the following texts:

  • Lorence Newman
  • Patrik Roberts
  • Oliver Simpson
  • Piter Roslen
  • John Heckman
  • Emely Hard
  • Fred Dowland
  • Jane Hoocks
  • Nick Convers
  • Michel Madsen

The sender's address is spoofed.


The sender address may contain one of the following strings:

  • ghost
  • robin
  • john
  • elvis
  • aleph
  • enigma
  • martin
  • antony
  • albert
  • cristofer
  • bengamin
  • manager
  • goldgong
  • westford
  • smitt
  • yantchi
  • songking
  • presli
  • obivan
  • chubakka

The worm avoids sending e-mails to addresses containing any of the following strings:

  • hotmail
  • gmail
  • msn
  • foo
  • iana
  • avp
  • icrosoft
  • sopho
  • google
  • panda
  • pgp
  • unix
  • linux
  • secur
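The attachment names, subjects, sender strings and the recipient skip list above are enough to write a gateway-side check for the worm's messages and to reproduce its targeting filter. The Python below is an added example, not code from the ESET entry or from the worm: score_message parses a raw RFC 822 message, checks the subject against the page's list, checks the spoofed sender's local part for the listed strings and confirms the attachment is a ZIP (by the PK magic) with one of the listed names; would_be_targeted applies the worm's skip list, which shows why substrings such as "icrosoft" and "secur" also exclude microsoft.com and most security-vendor domains. build_sample constructs test messages; the addresses and bodies it uses are made up for the example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Dict, List

# Indicators listed on the page for the worm's messages.
SUBJECTS = {
    "Tank you for your charity",
    "It's important!!! You still have not paid a fine!",
    "Pay for your credits!",
    "Thank you for your registration!",
    "Thank you for your purchase in Bolero!",
}
ATTACHMENTS = {"logfile.zip", "data.zip", "message.zip"}
SENDER_STRINGS = ("ghost", "robin", "john", "elvis", "aleph", "enigma", "martin",
                  "antony", "albert", "cristofer", "bengamin", "manager", "goldgong",
                  "westford", "smitt", "yantchi", "songking", "presli", "obivan",
                  "chubakka")
SKIP_STRINGS = ("hotmail", "gmail", "msn", "foo", "iana", "avp", "icrosoft",
                "sopho", "google", "panda", "pgp", "unix", "linux", "secur")
ZIP_MAGIC = b"PK\x03\x04"  # local file header signature of a ZIP archive


def would_be_targeted(address: str) -> bool:
    """The worm's recipient filter: a harvested address containing any of
    SKIP_STRINGS is never mailed ('icrosoft' also catches microsoft.com)."""
    a = address.lower()
    return not any(s in a for s in SKIP_STRINGS)


def score_message(raw: bytes) -> Dict[str, object]:
    """Match one raw message against the page's indicators.
    Returns the indicator names that hit and a verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits: List[str] = []
    if str(msg.get("Subject", "")).strip() in SUBJECTS:
        hits.append("subject")
    local_part = parseaddr(str(msg.get("From", "")))[1].split("@")[0].lower()
    if any(s in local_part for s in SENDER_STRINGS):
        hits.append("sender")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name in ATTACHMENTS and payload.startswith(ZIP_MAGIC):
            hits.append("attachment")
    # A lure subject alone is weak evidence; require the ZIP plus one more hit.
    return {"hits": hits, "verdict": "attachment" in hits and len(hits) >= 2}


def build_sample(subject: str, sender: str, attachment: str, body: str) -> bytes:
    """Construct a message in the worm's observed shape (constructed data;
    the ZIP payload is only a header so the sample stays inert)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.net"  # made-up recipient
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(ZIP_MAGIC + b"\x00" * 26, maintype="application",
                       subtype="zip", filename=attachment)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample("Pay for your credits!", '"Lorence Newman" <robin@example.org>',
                        "data.zip", "Hello! We have to remain you that ...")
    print(score_message(lure))
    print(score_message(build_sample("Monthly report", "alice@example.org",
                                     "report.zip", "Attached.")))
    for addr in ("bob@example.com", "samples@microsoft.com", "ir@secure-mail.test"):
        print(addr, "targeted" if would_be_targeted(addr) else "skipped")
```

The sender check works on the local part only because the page describes the address as spoofed with those strings; the domain carries no signal. For a real gateway the ZIP check should go one step further and open the archive to confirm it holds a single executable, which the page does not detail and the example therefore does not assume.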

Other information

Win32/ToyPet.A is a worm which tries to download other malware from the Internet.


The worm contains a URL address.


It tries to download a file from the address.


The file is stored in the following location:

  • c:\autoexeck.exe

The file is then executed.


The HTTP protocol is used.


The following files may be dropped:

  • %temp%\hack.txt

The following text is displayed in Notepad:

  • this is the joke
