Carrytone is a mass-mailer that uses a new technique to spread. The worm body is 40 kilobytes in size and it was written in C. It works properly on Windows NT based systems only.
1. The extra registry keys/values must be removed first from
'[HKLM]\Software\Microsoft\Windows\CurrentVersion\Run\mmopl' '[HKLM]\Software\Microsoft\Media Optimization Library'
2. When the registry is clean the system has to be rebooted to make sure that the worm process is not active anymore. After the reboot the worm can be deleted from the Windows directory; it is called 'MMOPLIB.EXE'.
3. The hosts file has to be cleaned. The file is called '%system_dir%\drivers\etc\hosts'. All the extra mailserver addresses must be removed that point to the localhost (127.0.0.1).
For spreading it implements a simple SMTP proxy that listens on port 25 (standard SMTP port) on the infected machine. When the worm is started it fetches the SMTP server name from the user's e-mail settings then it modifies the HOSTS file so that the SMTP server's address points to the localhost where the worm is listening. This way when the user sends an e-mail his/her e-mail client will connect to the worm instead of the real mail server. After receiving the connection the worm relays all the commands and replies between the client and the real mail server until it gets the reply to SMTP DATA command that marks the beginning of the e-mail data. At this point it inserts a copy of itself into the message.
The attachment name it uses is composed from the recipient's name and a '.doc.pif' extension.
Messages look like this:
When the infected attachment is opened it copies itself to the Windows folder as 'MMOPLIB.EXE' and adds it to the runkeys in the registry:
The worm stores some internal data under
- '[HKLM]\Software\Microsoft\Media Optimization Library'
F-Secure Anti-Virus detects Carrytone worm with updates published on December 26th, 2001.
Technical Details:Gergely Erdelyi; F-Secure Corp.; 21th of December, 2001