Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

General discussion

Bat/Macdwarf-A

Feb 9, 2004 1:29AM PST

Aliases
Trojan.BAT.KillAV.h, BAT.Snoital@mm

Type
Batch file worm

Description
Bat/Macdwarf-A is a worm which spreads by emailing itself to all addresses in the Microsoft Outlook address list. The worm also attempts to spread via IRC channels and via the KaZaA peer-to-peer file sharing network.
Bat/Macdwarf-A attempts to copy itself to the following locations:
C:\Pro\14 YEAR OLD NUDE ON WEBCAM.BAT
C:\<Windows>\14 YEAR OLDS *******.ARV.BAT
C:\<Windows>\MASBL.BAT
C:\<Windows>\Kazaa\**** GETS *** ****** BY 2 GUYS.MPEG.BAT

Bat/Macdwarf-A attempts to add entries at the following registry location to run itself on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

The worm adds the following entry to the registry to make C:\<Windows>\Kazaa a KaZaA shared folder:

HKLM\Software\KaZaA\Transfer\DlDir0=C:\<Windows>\Kazaa

Bat/Macdwarf-A changes the mIRC file SCRIPT.INI and the pIRCh file EVENTS.INI in an attempt to send itself to other IRC users as
14 Year Old Nude On Webcam.bat and 14 YEAR OLDS *******.arv.bat respectively. The modified SCRIPT.INI file is detected by Sophos as mIRC/Simp-Fam and the modified EVENT.INI file is detected as pIRC/Pirch-Fam.

Bat/Macdwarf-A drops, runs and deletes the file C:\NWBOY.VBS which contains the email functionality of the worm.


More: http://www.sophos.com/virusinfo/analyses/batmacdwarfa.html

Discussion is locked