Worm:Win32/Mytob.SC is a member of
Win32/Mytob - a family of worms that spreads in a variety of ways. The worm can spread by exploiting several known Windows vulnerabilities, via fixed or removable drives, or by sending a copy of itself via email, Windows Live Messenger, or Windows Messenger.
Installation
When executed, Worm:Win32/Mytob.SC copies itself to the following locations:
- <system folder>\taskmon.exe
- c:\restore\s-1-5-21-1486476501-1644491937-682003330-1013\autorun.exe
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
The malware modifies the following registry entries to ensure that its copy executes at each Windows start:
Adds value: "F-Secure Gatekeeper"
With data: "c:\windows\system32\taskmon.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: StubPath
With data: "c:\restore\s-1-5-21-1486476501-1644491937-682003330-1013\autorun.exe"
To subkey: hklm\software\microsoft\active setup\installed components\{08b0e5c0-4fcb-11cf-abx5-00401c608512}
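As an added illustration, not part of the original description, the following Python snippet scans a registry export for the two autostart entries listed above. The .reg text is constructed from the indicators on this page (plus one unrelated Run entry to show it is not flagged); the function names are the example's own.

```python
import re

# Constructed .reg-style export containing the two persistence entries
# described above, plus an unrelated Run entry that must not be flagged.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"F-Secure Gatekeeper"="c:\\windows\\system32\\taskmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08b0e5c0-4fcb-11cf-abx5-00401c608512}]
"StubPath"="c:\\restore\\s-1-5-21-1486476501-1644491937-682003330-1013\\autorun.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# The StubPath and the removable-drive copy both use restore\<SID>\autorun.exe,
# so match that layout rather than only the SID seen in this sample.
RESTORE_PATH_RE = re.compile(r'\\restore\\s-1-5-21(?:-\d+)+\\autorun\.exe$', re.I)


def parse_reg(text):
    """Return (subkey, value_name, data) tuples for string values in a .reg export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            # .reg files double every backslash inside string data
            entries.append((key, m.group(1), m.group(2).replace('\\\\', '\\')))
    return entries


def find_mytob_persistence(entries):
    """Return (kind, value_name, data) for entries matching the autostarts described above."""
    hits = []
    for key, name, data in entries:
        k = key.lower()
        if (k.endswith('\\windows\\currentversion\\run')
                and name.lower() == 'f-secure gatekeeper'
                and data.lower().endswith('\\taskmon.exe')):
            hits.append(('run-key', name, data))
        elif ('\\active setup\\installed components\\' in k
                and name.lower() == 'stubpath'
                and RESTORE_PATH_RE.search(data)):
            hits.append(('active-setup', name, data))
    return hits
```

On a live system the same checks apply to the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and the Active Setup key; the Active Setup StubPath runs once per user profile at logon, which is why the worm uses it alongside the Run key.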
The malware creates the following files on an affected computer:
- c:\documents and settings\administrator\local settings\temp\message
- c:\documents and settings\administrator\local settings\temp\tmpe.tmp
- c:\documents and settings\administrator\local settings\temp\tmpf.tmp
- c:\restore\s-1-5-21-1486476501-1644491937-682003330-1013\desktop.ini
The malware utilizes code injection in order to hinder detection and removal. When Worm:Win32/Mytob.SC executes, it may inject code into running processes, including the following, for example:
Spreads via…
Removable drives
Worm:Win32/Mytob.SC copies itself to the following locations on removable drives:
- <targeted drive>:\restore\s-1-5-21-1486476501-1644491937-682003330-1013\autorun.exe
It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files contain execution instructions for the operating system, so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.
Note: This worm was observed to write an executable and create an autorun.inf file on a targeted drive in our automated testing environment. This is particularly common malware behavior, generally utilized in order to spread malware from computer to computer.
It should also be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.
The malware may also create the following files on targeted drives when spreading:
- <targeted drive>:\restore\s-1-5-21-1486476501-1644491937-682003330-1013\desktop.ini
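As an added example, not part of the original description, the following Python snippet extracts the programs an autorun.inf would launch and flags only those using the restore\<SID>\autorun.exe layout described above, so a legitimate installer's autorun.inf (which the note above says is not by itself a sign of infection) passes clean. Both INF samples are constructed; the function names are the example's own.

```python
import re

# Two constructed autorun.inf files: the first resembles a legitimate
# installation CD, the second points at the hidden restore\<SID> copy.
BENIGN_INF = r'''[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
'''

SUSPECT_INF = r'''[AutoRun]
open=restore\s-1-5-21-1486476501-1644491937-682003330-1013\autorun.exe
shell\open\command=restore\s-1-5-21-1486476501-1644491937-682003330-1013\autorun.exe
shell\open=Open
'''

# Keys whose value Autorun may execute: open, shellexecute, shell\<verb>\command
LAUNCH_KEY_RE = re.compile(r'^(open|shellexecute|shell\\[^\\=]+\\command)$', re.I)
RESTORE_PATH_RE = re.compile(r'(^|\\)restore\\s-1-5-21(?:-\d+)+\\autorun\.exe$', re.I)


def launch_targets(inf_text):
    """Return the program paths an autorun.inf would cause Autorun to execute."""
    targets, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            in_autorun = line[1:-1].lower() == 'autorun'
            continue
        if not in_autorun or '=' not in line or line.startswith(';'):
            continue
        key, value = (s.strip() for s in line.split('=', 1))
        if LAUNCH_KEY_RE.match(key):
            # keep the program path, drop any command-line arguments
            prog = value[1:].split('"', 1)[0] if value.startswith('"') else value.split(' ', 1)[0]
            targets.append(prog)
    return targets


def is_mytob_autorun(inf_text):
    """True when any launch target uses the restore\\<SID>\\autorun.exe layout."""
    return any(RESTORE_PATH_RE.search(t) for t in launch_targets(inf_text))


if __name__ == '__main__':
    for name, inf in (('benign', BENIGN_INF), ('suspect', SUSPECT_INF)):
        print(name, launch_targets(inf), 'flagged' if is_mytob_autorun(inf) else 'clean')
```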
Peer-to-Peer file sharing
The malware may attempt to spread via Peer-to-Peer (P2P) file sharing by copying itself to the shared folders of particular P2P file sharing applications. The worm copies itself to the shared folders of these applications using file names designed to entice other users of the file sharing network into downloading and running copies of the worm.
The following lists detail this behavior.
If the following programs are installed:
- eMule
- grokster
- kazaa
- limewire
- Morpheus
- Tesla
- WinMX
Then the malware may copy itself to the following folders:
- %programfiles%\emule\incoming\
- %programfiles%\grokster\my grokster\
- %programfiles%\kazaa lite k++\my shared folder\
- %programfiles%\kazaa lite\my shared folder\
- %programfiles%\kazaa\my shared folder\
- %programfiles%\limewire\shared\
- %programfiles%\morpheus\my shared folder\
- %programfiles%\tesla\files\
- %programfiles%\winmx\shared\
Using one of the following file names:
- absolute video converter 3.07.exe
- acker dvd ripper 2008.exe
- adobe acrobat reader keygen.exe
- adobe soundbooth cs3.exe
- anti-trojan elite v4.01.exe
- aol password cracker.exe
- ashampoo powerup v3.10.exe
- bitdefender antivirus 2008 keygen.exe
- boilsoft dvd ripper 2.82.exe
- canvas security framework 2008 limited with 50 0day.exe
- cleanmypc registry cleaner v4.02.exe
- daemon tools pro 4.10.218.0.exe
- divx 5.0 pro keygen.exe
- download boost 2.0.exe
- email spider.exe
- error doctor 2008.exe
- google adsense clicking bot.sfx.exe
- hotmail account bruteforcer bot.exe
- hotmail spammer bot.exe
- icepack idt gold edition 2008 leaked.exe
- microsoft visual basic keygen.exe
- microsoft visual c++ keygen.exe
- microsoft visual studio keygen.exe
- mirc keygen.exe
- norton anti-virus 2008 enterprise crack.exe
- password cracker.exe
- pc secuity tweaker 7.6.exe
- prorat 2.0 special edition.exe
- shadow security scanner 10 gold.exe
- sophos antivirus updater bypass.exe
- super utilities pro 2008 8.0.1980.exe
- superram 5.1.28.2008.exe
- tarantula full version cracked by razor.exe
- tcn iso cable modem hacking tools.exe
- tcn iso sigmax2 firmware.bin.exe
- vmware esx gsx server keygen.exe
- vmware keygen.exe
- vmware workstation 6 windows keygen.exe
- windows 2003 advanced server keygen.exe
- wow glider incl serial.sfx.exe
- youtube music downloader 1.0.exe
- yzdock machintos osx like toolbar for windows.exe
Payload
Allows backdoor access and control
Worm:Win32/Mytob.SC attempts to connect to an IRC server at sco.rs-forum.biz via TCP port 5900, join a channel and wait for commands. Using this backdoor, an attacker can perform a number of actions on an affected computer. For example, an attacker may be able to perform the following actions:
- Download and execute arbitrary files
- Upload files
- Spread to other computers using various methods of propagation
- Log keystrokes or steal sensitive data
- Modify system settings
- Run or terminate applications
- Delete files
This malware description was produced and published using our automated analysis system's examination of file SHA1 02fc9f55d052eca0fb8ed94b6543ab96a53480ab.