W32/Toypet.A Worm

 Information about the W32/Toypet.A Worm:

W32/Toypet.A is a worm. The worm will infect Windows systems and spreads through email.

The infected email carries a spoofed 'From' address picked up randomly from the infected system.

The subject of the infected mail will be any one of the following;

Thank you for your purchase in Bolero!
Tank you for your charity
It's important!!! You still have not paid a fine!
Thank you for your registration!
Pay for your credits!

The body of the infected mail will be any one of the following;

Hello!

Thank you for your rewrite in our mail server. The confirmation of you new login and password you can find enclosed.

Sincerely yours,
Mail Administration Service / Mail Support Service

Hello!

We have to remain you that your credit payment period will be expiring next week. If you will not make your payment till that time we will have to withdraw your savings from your bank account.

All details you can find enclosed.

USA Credit Group.

Hello!

Thank you for your rewrite in our mail server. The confirmation of you new login and password you can find enclosed.

Sincerely yours,
Mail Administration Service / Mail Support Service

Hello!

The St. Patrick Home thanks you for your donation. We are very obliged for your assistance with our St. Patrick's Found and acknowledge the receipt of your transfer for its account. Further to our letter we are sending you full estimate of that transfer.

Sincerely yours,

St. Patrick Hom

Hello!

We remain you that you still have not paid a parking violation fine. You should to pay it till the next week or we will have to reach trial the deal. We are sending you herewith all necessary documents.

Sincerely yours,

Regional Police Department Management / Administration

The name of the infected attachment will be any one of the following;

data.zip
message.zip
logfile.zip

Upon execution of the infected attachment, the worm copies itself as mfcapi32u.exe in Windows System folder.

The worm modifies registry at the following location to load itself during each startup.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It attempts to connect to the following website and downloads a file.

http://[blocked]/adv/053/win32.exe

To propagate itself, the worm collects all the available email addresses from the files with following extensions and mails itself to these addresses using its own SMTP engine.

asa, asc, asm, asp, cfg, cgi, con, csp, db, dbx, dlt, dwt, edm, eml, hta, htc, htm, inc, jsp, jst, lbi, log, mbx, mdx, mht, mmf, msg, nch, ods, oft, php, pl, rdf, rss, sht, ssi, stm, tbb, tbi, tpl, txt, uin, vbp, vbs, wab, wml, wsh, xht, xls, xml, xsd and xst

This worm first appeared on August 17, 2006.

 Other names of W32/Toypet.A Worm:

This Worm is also known as WORM_TOYPET.A, W32/Toyep-A, W32/Toyep@MM.