Win32/Mamianune [Threat Name] go to Threat
Win32/Mamianune.A [Threat Variant Name]
| Category | virus |
| Aliases | Email-Worm.Win32.Mamianune.s (Kaspersky) |
| Worm:Win32/Mamianune.gen (Microsoft) | |
| I-Worm/Tuxy.A (AVG) |
Short description
Win32/Mamianune.A is a file infector. It is able to spread via e-mail.
Installation
When executed the virus copies itself in the following locations:
- %system%\%variable1%.exe
In order to be executed on every system start, the virus sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "%variable2%.exe" = "%variable1%.exe"
A string with variable content is used instead of %variable1-2% .
Executable file infection
Win32/Mamianune.A is a file infector.
The virus searches local and network drives for files with one of the following extensions:
- .ex*
Executables are infected by appending the code of the virus to the last section.
The size of the inserted code is 6 KB .
The host file is modified in a way that causes the virus to be executed prior to running the original code.
Spreading via e-mail
Win32/Mamianune.A is a virus that spreads via e-mail.
E-mail addresses for further spreading are searched for in local files with one of the following extensions:
- .xm*
- .ht*
- .tx*
- .do*
The sender's address is spoofed.
The message subject is randomly generated.
Body of the message is blank.
The attachment is an executable file of the virus.
The file name is randomly generated.
Other information
The virus may create the following files:
- %variable%.htm
A string with variable content is used instead of %variable% .