Installation and Autostart
Upon execution, this memory-resident worm drops the following files in the Windows system folder:
- ODBC32<random letter>.exe: a copy of itself
- ODBC32m: contains email addresses taken from the infected system
It also drops the following files in the Windows system folder:
It copies the contents of the folder C:\Program Files\Common Files\Microsoft Shared into the folder C:\ODBC32b\Program Files\Common Files\Microsoft Shared, making these files appear to have been installed by the worm.
It also creates a mutex named Munjestis.
To enable its automatic execution at every system startup, it creates the following registry entry:
Public Microsoft ODBC = "C:\WINDOWS\System32\ODBC32<random letter>.exe"
The worm drops copies of itself into folders with names containing any of the following strings:
The worm can also penetrate network shares with weak passwords.
This worm propagates via email. The email addresses it uses as recipients are taken from an infected system.
The following is a summary of the email details it sends out:
FROM: %First Name%%Last Name%@%Domain%
%First Name% may be any of the following:
%Last Name% may be any of the following:
%Domain% may be any of the following:
%Name% is a variable, which it selects from a list of names hardcoded in its body. It is one of the following:
The spoofed addresses are saved in the ODBC32m file created by the worm in the Windows system folder.
User names containing any of the following strings are avoided by the worm:
Domain names containing any of the following strings are also avoided:
The worm downloads files from several URLs. These are saved in the Windows system folder as the following:
- cfg__ : from http://max-stats.com/cfg1.cfg
- _prefect.exe : from http://max-stats.com/l/data.bmp
- prefoct.dat : from http://max-stats.com/l/c2.php?i=11
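As an added triage example (not part of this description), the following Python matches host observations against the indicators listed above: the Run-key value name, the ODBC32<random letter>.exe file name pattern, the other dropped file names, the Munjestis mutex and the download host. The sample observations are constructed; the file name ODBC32q.exe and the proxy log line format are assumptions.

```python
import re

# Indicators taken from the description above.
RUN_VALUE_NAME = "Public Microsoft ODBC"
DROPPED_EXE_RE = re.compile(r"^ODBC32[A-Za-z]\.exe$", re.IGNORECASE)
DROPPED_FILES = {"odbc32m", "cfg__", "_prefect.exe", "prefoct.dat"}
MUTEX_NAME = "Munjestis"
DOWNLOAD_HOST = "max-stats.com"

def check_run_key(run_entries):
    """run_entries: {value name: data} from a Run key. Flags the worm's value
    name or any data whose file name matches ODBC32<letter>.exe."""
    hits = []
    for name, data in run_entries.items():
        exe = data.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
        if name == RUN_VALUE_NAME or DROPPED_EXE_RE.match(exe):
            hits.append(f"run key: {name} = {data}")
    return hits

def check_system_folder(filenames):
    """Flags dropped file names in a listing of the Windows system folder."""
    return [f"system folder: {f}" for f in filenames
            if DROPPED_EXE_RE.match(f) or f.lower() in DROPPED_FILES]

def check_mutexes(mutexes):
    """Flags the mutex the worm creates (a running-copy marker)."""
    return [f"mutex: {m}" for m in mutexes if m == MUTEX_NAME]

def check_proxy_log(lines):
    """Flags proxy log lines that reach the worm's download host."""
    return [f"download: {l.strip()}" for l in lines if DOWNLOAD_HOST in l.lower()]

def assess(run_entries, filenames, mutexes, proxy_lines):
    """Returns every indicator match found; an empty list means nothing matched."""
    return (check_run_key(run_entries) + check_system_folder(filenames)
            + check_mutexes(mutexes) + check_proxy_log(proxy_lines))

# Constructed sample observations from a hypothetical infected host (not from the page).
SAMPLE_RUN_KEY = {
    "Public Microsoft ODBC": r"C:\WINDOWS\System32\ODBC32q.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_SYSTEM_FOLDER = ["ODBC32q.exe", "ODBC32m", "prefoct.dat", "kernel32.dll"]
SAMPLE_MUTEXES = ["Munjestis", "Global\\UnrelatedMutex"]
SAMPLE_PROXY_LOG = ["GET http://max-stats.com/l/c2.php?i=11 200", "GET http://www.example.com/ 200"]

if __name__ == "__main__":
    for hit in assess(SAMPLE_RUN_KEY, SAMPLE_SYSTEM_FOLDER, SAMPLE_MUTEXES, SAMPLE_PROXY_LOG):
        print(hit)
```

Feed it the Run-key values, a system-folder listing, the mutex list and proxy log lines collected from a suspect host; any non-empty result is worth a closer look, while a legitimate odbc32.dll or an ODBC32.exe without the random letter does not match.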
This worm takes advantage of the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability. This vulnerability allows a malicious user to gain full access and execute any code on a target machine, leaving it compromised.
For more information on this vulnerability, refer to the following link:
Denial of Service
This worm performs a denial of service (DoS) attack on certain Web sites.
This worm runs on Windows 95, 98, ME, NT, 2000, and XP.
Analysis By: Marianne Margaret Layador
Updated By: Roaxelle Anne S. Mislang