Win32/Mabutu is a family of mass-mailing worms that targets computers running certain versions of Microsoft Windows. The worm sends a copy of itself as an attachment to e-mail addresses found on the infected computer. The worm has a backdoor component that connects to an IRC server from the infected computer to receive commands from attackers.
Use the following free Microsoft software to detect and remove this threat:
Win32/Mabutu creates a copy of itself in the Windows folder and drops a .dll file there. To name the .dll file, the worm prepends a random letter to the name of an existing .dll file in the Windows folder and appends the .dll extension. The worm registers the .dll file by calling the DllRegisterServer function and uses the system program rundll32.exe to load and run the .dll file. An entry is placed in the registry so that the worm runs each time Windows starts.
The .dll file takes the following actions:
Creates a file named cfg.dat to store configuration information, such as names of files where the worm stores e-mail addresses.
Connects to a specific IRC server and channel. The worm sends notification messages in order to receive commands from attackers.
Sends the Win32/Mabutu .exe file as an attachment to e-mail addresses found on the computer.
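
The .dll naming scheme described above can be turned into a triage check. The following Python sketch is an added example, not Microsoft's detection logic: it lists .dll files in a folder whose name is one letter followed by the name of another .dll in the same folder, and notes whether a cfg.dat file is present. Function names are hypothetical, looking for cfg.dat in the same folder is an assumption (the description does not say where it is written), and both readings of "appends the .dll extension" are checked. Matches are leads to confirm with a scanner, since legitimate files can match by coincidence.

```python
import os
import string
import tempfile


def find_prefixed_dll_names(filenames):
    """Return (suspect, original) pairs: suspect is one letter + an existing DLL name."""
    dlls = {f.lower() for f in filenames if f.lower().endswith(".dll")}
    hits = []
    for name in sorted(dlls):
        if name[0] not in string.ascii_lowercase:
            continue
        rest = name[1:]
        # Reading 1: "xfoo.dll" derived from "foo.dll".
        # Reading 2: "xfoo.dll.dll" derived from "foo.dll" (extension appended again).
        for candidate in (rest, rest[:-len(".dll")]):
            if candidate in dlls and candidate != name:
                hits.append((name, candidate))
                break
    return hits


def scan_folder(folder):
    """Apply the naming heuristic and the cfg.dat check to one folder."""
    names = [entry.name for entry in os.scandir(folder) if entry.is_file()]
    return {
        "prefixed_dlls": find_prefixed_dll_names(names),
        # Assumption: cfg.dat sits next to the dropped .dll.
        "cfg_dat_present": any(n.lower() == "cfg.dat" for n in names),
    }


def demo():
    """Run the scan on a constructed sample folder (empty files, made-up names)."""
    sample = ("kernel32.dll", "user32.dll", "quser32.dll", "notepad.exe", "cfg.dat")
    with tempfile.TemporaryDirectory() as folder:
        for name in sample:
            open(os.path.join(folder, name), "wb").close()
        return scan_folder(folder)


if __name__ == "__main__":
    print(demo())
```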