Worm:Win32/Mytob.CG@mm is a mass-mailing and network worm that targets computers running certain
versions of Microsoft Windows. The worm can spread through e-mail, MSN/Windows Messenger, and by targeting randomly generated IP addresses and exploiting Windows vulnerabilities described in Microsoft Security Bulletins MS04-011 and MS03-026. The worm also contains backdoor functionality and connects to an IRC server to receive commands from attackers.
Installation
When executed, Worm:Win32/Mytob.CG@mm drops the file 'C:\hellmsn.exe' (6050 bytes). This file is detected as Worm:Win32/Hellim.B. It is used to spread via MSN/Windows Messenger.
Next, Mytob.CG drops copies of itself to the following locations:
Note: <system folder> refers to a variable location that is determined by the malware querying the Operating System. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
The worm then modifies the registry to ensure that a copy of the worm is executed at each Windows start:
Adds value with data: WINTASK = taskgmr.exe
To subkeys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
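The registry write above is the worm's persistence indicator. The following is an added detection example (not from the original write-up and not Microsoft's code): it parses a `.reg` export of the listed subkeys and flags any WINTASK value pointing at taskgmr.exe. The export text embedded below is constructed sample data, with two infected keys and two benign values.

```python
import re

# Persistence indicator documented for Worm:Win32/Mytob.CG@mm
MYTOB_VALUE_NAME = "WINTASK"
MYTOB_VALUE_DATA = "taskgmr.exe"

# Subkeys the write-up lists as targets of the value write
MYTOB_SUBKEYS = {
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
}

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers followed by
    "name"=data lines. Returns {key: {name: data}} with REG_SZ quotes stripped."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1]
            result[current][m.group("name")] = data
    return result


def find_mytob_persistence(reg_values):
    """Return (key, data) pairs where a WINTASK value names taskgmr.exe under one
    of the documented subkeys. Comparison is case-insensitive because registry
    key and value names are; endswith() also catches a full path to the file."""
    hits = []
    subkeys_lower = {k.lower() for k in MYTOB_SUBKEYS}
    for key, values in reg_values.items():
        if key.lower() not in subkeys_lower:
            continue
        for name, data in values.items():
            if name.lower() == MYTOB_VALUE_NAME.lower() and data.lower().endswith(MYTOB_VALUE_DATA):
                hits.append((key, data))
    return hits


# Constructed sample export (not real data): two infected keys, two benign values.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"
"WINTASK"="taskgmr.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE]
"WINTASK"="taskgmr.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\\Users\\alice\\AppData\\Local\\Example\\sidebar.exe"
'''

if __name__ == "__main__":
    for key, data in find_mytob_persistence(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"suspicious: {key} WINTASK = {data}")
```

On a live system the same check can be run against the output of `reg export` for each listed key; the parser ignores `@=` default values and binary data, which is enough for a REG_SZ Run value.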
The worm creates the mutex 'H-E-L-L-B-O-T' to ensure that multiple instances of itself do not run simultaneously. The worm also checks Internet connectivity by attempting to connect to the following domains:
hotmail.com
cia.gov
fbi.gov
juno.com
yahoo.com
msn.com
aol.com
Spreads Via…
Email
Worm:Win32/Mytob.CG@mm spreads by sending a copy of itself attached to an e-mail to addresses found on the infected computer. The worm gathers e-mail addresses from the Windows Address Book (WAB). It may also generate e-mail addresses to send itself to by combining any of the following common names with e-mail address domain names harvested from the infected machine:
adam alex andrew anna bill bob brenda brent brian britney bush claudia dan dave david debby fred george helen jack james jane jerry jim jimmy
joe john jose julie kevin leo linda lolita madmax maria mary matt michael mike peter ray robert sam sandra serg smith stan steve ted tom
The worm avoids sending itself to addresses that contain the following strings:
.edu .gov .mil abuse accoun acketst admin anyone arin. avp berkeley borlan bsd bugs ca certific contact example feste fido foo. fsf. gnu gold-certs google gov. help iana ibm.com icrosof icrosoft ietf info inpris isc.o isi.e kernel linux listserv math me mit.e
mozilla mydomai no nobody nodomai noone not nothing ntivi page panda pgp postmaster privacy rating rfc-ed ripe. root ruslis samples secur sendmail service site soft somebody someone sopho submit support syma tanford.e the.bat unix usenet utgers.ed webmaster you your
This worm uses its own SMTP engine in order to spread via e-mail. The worm tries to construct the SMTP servers to be used by appending the harvested e-mail address domain names to the following strings:
gate.
mail.
mail1.
mx.
mx1.
mxs.
ns.
relay.
smtp.
The From field is spoofed, using e-mail addresses gathered from the affected machine.
The worm sends e-mail with variable characteristics.
It may use any of the following subject lines:
Error
Status
Server
Report
Mail Transaction Failed
Mail Delivery System
hello
Good day
It may use any of the following as a message body:
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment. The original message was included as an attachment.
Here are your banks documents.
It generates attachment names by combining the following file names:
message
test
data
file
text
doc
readme
document
with the following file extensions:
bat
cmd
exe
pif
scr
zip
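The SMTP-engine behaviour (hostnames built from the prefix list) and the fixed subject, body and attachment-name sets above are the observable traits a mail gateway or DNS log review can key on. The following is an added detection example, not code from the original write-up: `score_message` reports which of the documented indicators one message matches, and `guessed_mx_domains` counts, from a client's DNS query names, how many unrelated domains it probed with the worm's prefixes (a normal client hands mail to one configured relay). The two messages and the query list embedded below are constructed samples.

```python
# Indicators taken from the write-up for Worm:Win32/Mytob.CG@mm
MYTOB_SUBJECTS = {s.lower() for s in (
    "Error", "Status", "Server", "Report", "Mail Transaction Failed",
    "Mail Delivery System", "hello", "Good day",
)}
MYTOB_ATTACHMENT_NAMES = {"message", "test", "data", "file", "text", "doc", "readme", "document"}
MYTOB_ATTACHMENT_EXTS = {"bat", "cmd", "exe", "pif", "scr", "zip"}
MYTOB_BODY_PHRASES = (
    "Mail transaction failed. Partial message is available.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
    "Here are your banks documents.",
)
MYTOB_MX_PREFIXES = ("gate.", "mail.", "mail1.", "mx.", "mx1.", "mxs.", "ns.", "relay.", "smtp.")


def attachment_matches(filename):
    """True when filename is <name>.<ext> with both parts from the documented
    lists (case-insensitive). Only the final extension is considered."""
    base, sep, ext = filename.rpartition(".")
    if not sep:
        return False
    return base.lower() in MYTOB_ATTACHMENT_NAMES and ext.lower() in MYTOB_ATTACHMENT_EXTS


def score_message(subject, body, attachments):
    """Return the indicator names matched by one message. A listed subject, a
    listed body phrase and a listed attachment name together are strong evidence
    of the worm's SMTP engine rather than a genuine bounce from an MTA."""
    matched = []
    if subject.strip().lower() in MYTOB_SUBJECTS:
        matched.append("subject")
    if any(p in body for p in MYTOB_BODY_PHRASES):
        matched.append("body")
    if any(attachment_matches(a) for a in attachments):
        matched.append("attachment")
    return matched


def guessed_mx_domains(queried_hostnames):
    """Given the hostnames one client resolved, return the set of domains for
    which it asked for a name built from the worm's prefix list."""
    domains = set()
    for host in queried_hostnames:
        h = host.lower().rstrip(".")
        for p in MYTOB_MX_PREFIXES:
            # startswith() on the dotted prefix keeps "mail." from matching "mail1."
            if h.startswith(p) and len(h) > len(p):
                domains.add(h[len(p):])
                break
    return domains


# Constructed samples (not real mail or logs).
WORM_MESSAGE = {
    "subject": "Mail Delivery System",
    "body": "The message contains Unicode characters and has been sent as a binary attachment.",
    "attachments": ["document.zip"],
}
GENUINE_BOUNCE = {
    "subject": "Undelivered Mail Returned to Sender",
    "body": "This is the mail system at host relay.example.com. Your message could not be delivered.",
    "attachments": ["original.eml"],
}
CLIENT_DNS_QUERIES = [
    "mail.example.org", "mx1.example.net", "smtp.example.com",
    "www.example.com", "relay.example.com", "mail1.example.info",
]

if __name__ == "__main__":
    print("worm-like:", score_message(**WORM_MESSAGE))
    print("genuine:  ", score_message(**GENUINE_BOUNCE))
    print("domains probed with worm prefixes:", sorted(guessed_mx_domains(CLIENT_DNS_QUERIES)))
```

A single matched indicator is weak on its own (the subject "Error" is ordinary); the value is in requiring all three, and in correlating a workstation's prefix-probing DNS pattern with mail it sends directly rather than through the organisation's relay.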
Network Shares
The worm tries to connect to remote machines on the network by targeting randomly generated IP addresses. The worm attempts to write an FTP script to targeted machines by exploiting several different Windows vulnerabilities. The FTP script instructs the target machine to download a copy of the worm (as "bingoo.exe") from the attacking machine. The file is then executed locally on the target machine.
Windows/MSN Messenger
This worm uses the dropped file 'C:\hellmsn.exe' to carry out its spreading routine over MSN/Windows Messenger.
Payload
Modifies Hosts File
The worm modifies the Windows Hosts file (located at <system folder>\drivers\etc\hosts) in order to stop the affected user from visiting the following sites (mostly associated with online shopping and computer security):
avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
f-secure.com
kaspersky.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
viruslist.com
www.avp.com
www.ca.com
www.f-secure.com
www.kaspersky.com
www.mcafee.com
www.microsoft.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.trendmicro.com
www.viruslist.com
Backdoor Functionality - 1
The worm connects to a specified IRC server and joins a specified IRC channel using TCP port 10887 to receive commands from a remote attacker. Such commands may include downloading, uploading and executing files on the affected machine.
Backdoor Functionality - 2
The worm sets up a small StonyFTP server that allows an attacker to log on to the infected computer.