Worm:Win32/Mytob.W@mm is a worm that spreads by e-mail, by exploiting a Windows vulnerability, over network shares, and through MSN Messenger or Windows Messenger. The worm also contains backdoor functionality that allows unauthorized access to an affected computer.
Installation
If this worm is executed, it copies itself to the System folder as "taskgmr.exe" and runs the copy from that location. It also drops the following files into the root folder of the local drive:
c:\funny_pic.scr
c:\see_this!!.scr
c:\my_photo2005.scr
c:\hellmsn.exe
Worm:Win32/Mytob.W@mm creates the following registry entries. The entries under the Run and RunServices keys cause the worm to load at each Windows startup; the entries under the OLE and Lsa keys are not consulted at startup, but their presence is a useful indicator of infection:
Creates registry value: WINRUN
With data: taskgmr.exe
Within subkeys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
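The check below is an added example, not code from the original page or from Microsoft. It parses the text that `reg export` produces and reports every key carrying a value named WINRUN whose data is taskgmr.exe, separating the Run/RunServices entries that actually launch the worm from the marker entries under other keys; it generalizes slightly beyond the list above in that it flags the value under any key. The .reg content is a constructed sample, and the benign VendorUpdater value in it is invented.

```python
import re

VALUE_NAME = "winrun"        # value name from the description above
PAYLOAD = "taskgmr.exe"      # dropped worm file name from the description above

# Constructed sample of a `reg export` text: one benign Run value (invented)
# plus the worm's WINRUN value in three of the keys listed above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"
"WINRUN"="taskgmr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"WINRUN"="taskgmr.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"WINRUN"="taskgmr.exe"
"LmCompatibilityLevel"=dword:00000003
'''

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # "name"="string data" lines only


def parse_reg(text):
    """Parse the REG_SZ values of a .reg export into {key: {name_lower: data}}.
    Key case is preserved; .reg data doubles backslashes, which is undone here."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = m.group(2).replace("\\\\", "\\")
    return keys


def find_mytob_markers(text):
    """Return (autostart_hits, marker_hits), each a list of (key, data).
    Only Run/RunServices entries launch the worm at startup or logon; the same
    value under OLE or Lsa never executes but still marks an infection."""
    autostart, markers = [], []
    for key, values in parse_reg(text).items():
        data = values.get(VALUE_NAME)
        if data is None or PAYLOAD not in data.lower():
            continue
        if key.lower().endswith(("\\run", "\\runservices")):
            autostart.append((key, data))
        else:
            markers.append((key, data))
    return autostart, markers


def remediation_commands(text):
    """reg.exe commands that remove every hit; run them from an elevated prompt."""
    autostart, markers = find_mytob_markers(text)
    return [f'reg delete "{key}" /v WINRUN /f' for key, _ in autostart + markers]


if __name__ == "__main__":
    hits, marks = find_mytob_markers(SAMPLE_REG)
    print("autostart:", hits)
    print("markers:", marks)
    print("\n".join(remediation_commands(SAMPLE_REG)))
```

Feed it the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (and the other keys listed above) taken from the suspect machine; remove the autostart entries only after the dropped file itself has been quarantined, or the worm will recreate them on its next run.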
Spreads Via…
Exploit
Worm:Win32/Mytob.W@mm attempts to connect to random IP addresses on TCP port 445. If a connection is made, it attempts to gain access to unpatched computers by exploiting the LSASS vulnerability addressed by Microsoft Security Bulletin MS04-011. Because the targets are chosen at random, an infected computer produces a burst of connection attempts to TCP port 445 on many unrelated addresses, which is visible in firewall and flow logs.
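The detector below is an added example, not from the original page. It implements the check a network defender would run against firewall or flow logs for the behaviour just described: one source opening TCP/445 to many distinct destinations inside a short window. The flow records are constructed, and the threshold and window are tuning assumptions; a legitimate SMB client talks to a handful of servers, while random target selection produces many distinct destinations quickly.

```python
from collections import defaultdict, deque

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port).
# 10.0.0.5 sweeps 30 unrelated addresses on 445, one per second;
# 10.0.0.7 is a normal client talking repeatedly to one file server;
# 10.0.0.9 browses the web and never touches 445.
SAMPLE_FLOWS = (
    [(1000 + i, "10.0.0.5", f"192.0.2.{1 + i}", 445) for i in range(30)]
    + [(1000 + 5 * i, "10.0.0.7", "10.0.0.1", 445) for i in range(12)]
    + [(1000 + 2 * i, "10.0.0.9", f"198.51.100.{1 + i}", 80) for i in range(25)]
)


def detect_smb_sweeps(flows, threshold=20, window=60):
    """Return {src: (window_start, distinct_targets)} for every source that
    reached at least `threshold` distinct hosts on TCP/445 within `window`
    seconds. Flows are processed in time order with a sliding window per
    source, so the detector also works on a live, continuously appended log."""
    recent = defaultdict(deque)   # src -> (ts, dst) pairs inside the window
    alerts = {}
    for ts, src, dst, dport in sorted(flows):
        if dport != 445:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:   # drop records older than the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (q[0][0], len(distinct))
    return alerts


if __name__ == "__main__":
    for src, (start, n) in detect_smb_sweeps(SAMPLE_FLOWS).items():
        print(f"{src}: {n} distinct TCP/445 targets starting at t={start}")
```

Tune `threshold` against your own baseline: domain controllers, backup servers and vulnerability scanners legitimately reach many hosts on 445 and belong on an allow-list rather than in the alert.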
Network Shares
Worm:Win32/Mytob.W@mm attempts to spread to writable network shares with weak passwords.
Messenger
Worm:Win32/Mytob.W@mm executes the dropped file "hellmsn.exe", which starts MSN Messenger or Windows Messenger and attempts to spread the worm through this instant messaging client.
Email
Worm:Win32/Mytob.W@mm runs a mass-mailing routine that first gathers e-mail addresses from files on the infected computer, then constructs e-mail messages and sends itself as an attachment to the addresses it found.
The worm searches data files for e-mail addresses and skips any address that contains one of the following text strings:
accoun certific listserv ntivi support icrosoft admin page the.bat gold-certs feste submit help service privacy somebody soft contact site rating bugs your someone anyone nothing nobody noone webmaster postmaster samples info root mozilla utgers.ed tanford.e acketst secur isc.o isi.e ripe. arin. sendmail rfc-ed ietf iana usenet fido linux kernel google ibm.com fsf. mit.e math unix berkeley foo. .mil gov. .gov ruslis nodomai mydomai example inpris borlan sopho panda icrosof syma .edu
This worm constructs e-mails with the following properties:
Selects an e-mail subject line from one of these:
<random>
Error
Good day
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Selects an e-mail body message from one of these:
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The original message was included as an attachment.
Here are your banks documents.
Adds a copy of the worm as an attachment, using one of these as a file name prefix:
<random>
body
data
doc
document
file
message
readme
test
text
The attachment file extension is one of these:
.bat
.cmd
.exe
.pif
.scr
.zip
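The two mail-side checks below are an added example derived from the mass-mailing description above; they are not code from the original page. `harvest_excluded()` applies the worm's own skip-list, which tells you which of your mailboxes it will never target and, conversely, which ones a captured sample was likely harvested from. `classify()` scores an inbound message against the subject, body and attachment templates; a `<random>` subject or name prefix cannot be matched, so the attachment check keys on the extension and only notes whether the prefix is one of the known words. All sample addresses and messages are constructed.

```python
import re

# Substrings the worm skips when harvesting addresses (the list above).
AVOID = ("accoun certific listserv ntivi support icrosoft admin page the.bat "
         "gold-certs feste submit help service privacy somebody soft contact "
         "site rating bugs your someone anyone nothing nobody noone webmaster "
         "postmaster samples info root mozilla utgers.ed tanford.e acketst "
         "secur isc.o isi.e ripe. arin. sendmail rfc-ed ietf iana usenet fido "
         "linux kernel google ibm.com fsf. mit.e math unix berkeley foo. .mil "
         "gov. .gov ruslis nodomai mydomai example inpris borlan sopho panda "
         "icrosof syma .edu").split()

# Message templates from the description above.
SUBJECTS = {"Error", "Good day", "hello", "Mail Delivery System",
            "Mail Transaction Failed", "Server Report", "Status"}
BODIES = {
    "Mail transaction failed. Partial message is available.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
    "The original message was included as an attachment.",
    "Here are your banks documents.",
}
PREFIXES = {"body", "data", "doc", "document", "file", "message",
            "readme", "test", "text"}
EXTENSIONS = {".bat", ".cmd", ".exe", ".pif", ".scr", ".zip"}
ATTACH_RE = re.compile(r"^([A-Za-z0-9_-]+)(\.[A-Za-z]{3})$")


def harvest_excluded(address):
    """True if the worm's harvester would skip this address (case-insensitive)."""
    a = address.lower()
    return any(s in a for s in AVOID)


def classify(subject, body, attachment_names):
    """Score 0..3 (one point each for subject, body and attachment) and
    return the reasons that fired, for use in a mail-gateway rule."""
    reasons = []
    if subject.strip() in SUBJECTS:
        reasons.append(f"template subject {subject.strip()!r}")
    if any(b in body for b in BODIES):
        reasons.append("template body text")
    for name in attachment_names:
        m = ATTACH_RE.match(name)
        if m and m.group(2).lower() in EXTENSIONS:
            kind = "known" if m.group(1).lower() in PREFIXES else "random-style"
            reasons.append(f"{kind} attachment name {name!r}")
            break   # one attachment point at most, so the score stays 0..3
    return {"score": len(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample input.
    for addr in ("webmaster@contoso.test", "alice@contoso.test"):
        print(addr, "skipped" if harvest_excluded(addr) else "harvested")
    print(classify("Mail Delivery System",
                   "The original message was included as an attachment.",
                   ["document.zip"]))
```

A score of 2 or more is a strong match for this variant; a score of 1 from the attachment check alone only says "bare executable-type attachment" and should be combined with your gateway's existing attachment policy rather than used as a standalone block rule.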
Payload
Modifies Hosts File
This worm modifies the local hosts file, which Windows consults before querying DNS, so that the following security-related web sites can no longer be reached:
www.symantec.com
securityresponse.symantec.com
symantec.com
www.sophos.com
sophos.com
www.mcafee.com
mcafee.com
liveupdate.symantecliveupdate.com
www.viruslist.com
viruslist.com
f-secure.com
www.f-secure.com
kaspersky.com
www.avp.com
www.kaspersky.com
avp.com
www.networkassociates.com
networkassociates.com
www.ca.com
ca.com
mast.mcafee.com
my-etrust.com
www.my-etrust.com
download.mcafee.com
dispatch.mcafee.com
secure.nai.com
nai.com
www.nai.com
update.symantec.com
updates.symantec.com
us.mcafee.com
liveupdate.symantec.com
customer.symantec.com
rads.mcafee.com
trendmicro.com
www.microsoft.com
www.trendmicro.com
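The audit-and-repair helper below is an added example, not code from the original page. It parses a Windows hosts file, reports every entry for one of the vendor names listed above, and writes the file back without those lines. The page does not say which address the worm maps the names to, so the check flags any mapping at all; a clean hosts file has no entries for these names. The sample hosts content is constructed, including the 127.0.0.1 and 0.0.0.0 addresses used in it.

```python
# Vendor names from the list above.
BLOCKED_SITES = set("""
www.symantec.com securityresponse.symantec.com symantec.com www.sophos.com
sophos.com www.mcafee.com mcafee.com liveupdate.symantecliveupdate.com
www.viruslist.com viruslist.com f-secure.com www.f-secure.com kaspersky.com
www.avp.com www.kaspersky.com avp.com www.networkassociates.com
networkassociates.com www.ca.com ca.com mast.mcafee.com my-etrust.com
www.my-etrust.com download.mcafee.com dispatch.mcafee.com secure.nai.com
nai.com www.nai.com update.symantec.com updates.symantec.com us.mcafee.com
liveupdate.symantec.com customer.symantec.com rads.mcafee.com trendmicro.com
www.microsoft.com www.trendmicro.com
""".split())

# Constructed sample: two legitimate lines followed by hijacked entries,
# one of them with several names on a line and one in upper case.
SAMPLE_HOSTS = (
    "# constructed sample hosts file\r\n"
    "127.0.0.1       localhost\r\n"
    "10.1.2.3        intranet.corp.test   # internal\r\n"
    "127.0.0.1 www.symantec.com\r\n"
    "127.0.0.1 liveupdate.symantec.com download.mcafee.com\r\n"
    "0.0.0.0 WWW.MICROSOFT.COM\r\n"
)


def parse_hosts(text):
    """Yield (ip, hostname_lower) for every mapping, ignoring comments and blanks."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def find_hijacked(text):
    """Return {hostname: ip} for every listed vendor name that has an entry."""
    return {name: ip for ip, name in parse_hosts(text) if name in BLOCKED_SITES}


def clean_hosts(text):
    """Return the file with hijacked lines dropped; comments, other entries and
    the original line endings are preserved."""
    eol = "\r\n" if "\r\n" in text else "\n"
    kept = []
    for raw in text.splitlines():
        names = raw.split("#", 1)[0].split()[1:]
        if any(n.lower() in BLOCKED_SITES for n in names):
            continue
        kept.append(raw)
    return eol.join(kept) + eol


if __name__ == "__main__":
    for host, ip in find_hijacked(SAMPLE_HOSTS).items():
        print(f"hijacked: {host} -> {ip}")
    print(clean_hosts(SAMPLE_HOSTS))
```

The file lives at %SystemRoot%\System32\drivers\etc\hosts and is writable only by administrators, so run the repair elevated. `clean_hosts()` drops a whole line when any name on it is hijacked; if your environment keeps legitimate names on shared lines, re-add them afterwards.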
Backdoor Functionality
Worm:Win32/Mytob.W@mm opens TCP ports 10087 and 24300, connects to the Internet Relay Chat (IRC) server uncanny.chiriroza.net, and awaits commands from an attacker.
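The triage helper below is an added example, not code from the original page. It correlates `netstat -ano` output with `tasklist` output to attribute the two backdoor ports named above to a process and to list that process's outbound connections. Both command outputs are constructed samples; the remote address 203.0.113.7 and port 6667 are placeholders, since the page gives neither the IRC server's address nor its port.

```python
import re

BACKDOOR_PORTS = {10087, 24300}   # listening ports from the description above
WORM_IMAGE = "taskgmr.exe"        # dropped file name from the description above

# Constructed `netstat -ano` output (remote address and port are placeholders).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:10087          0.0.0.0:0              LISTENING       1836
  TCP    0.0.0.0:24300          0.0.0.0:0              LISTENING       1836
  TCP    10.0.0.5:1052          203.0.113.7:6667       ESTABLISHED     1836
  TCP    10.0.0.5:1060          10.0.0.23:445          SYN_SENT        1836
  TCP    10.0.0.5:1061          10.0.0.1:445           ESTABLISHED     4
  UDP    0.0.0.0:123            *:*                                    1120
"""

# Constructed `tasklist` output.
SAMPLE_TASKLIST = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0         28 K
svchost.exe                    900 Console                    0      4,120 K
taskgmr.exe                   1836 Console                    0      2,104 K
"""


def parse_tasklist(text):
    """Map PID -> lower-case image name from `tasklist` output."""
    pids = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s", line)
        if m:
            pids[int(m.group(2))] = m.group(1).lower()
    return pids


def triage(netstat_text, tasklist_text):
    """Return {pid: {"image", "listening", "remote", "flags"}} for every PID
    that listens on a backdoor port or runs under the worm's image name.
    Only TCP lines are considered; UDP lines lack the State column."""
    images = parse_tasklist(tasklist_text)
    procs = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP":
            continue
        _, local, foreign, state, pid = f
        pid = int(pid)
        p = procs.setdefault(pid, {"image": images.get(pid, "?"),
                                   "listening": set(), "remote": set(), "flags": []})
        if state == "LISTENING":
            p["listening"].add(int(local.rsplit(":", 1)[1]))
        else:
            p["remote"].add(foreign)   # peer of an outbound or accepted connection
    suspicious = {}
    for pid, p in procs.items():
        hit = p["listening"] & BACKDOOR_PORTS
        if hit:
            p["flags"].append(f"listens on backdoor port(s) {sorted(hit)}")
        if p["image"] == WORM_IMAGE:
            p["flags"].append("image name matches the dropped worm file")
        if p["flags"]:
            suspicious[pid] = p
    return suspicious


if __name__ == "__main__":
    for pid, p in triage(SAMPLE_NETSTAT, SAMPLE_TASKLIST).items():
        print(pid, p["image"], sorted(p["listening"]), sorted(p["remote"]), p["flags"])
```

Because the worm's own process also performs the TCP/445 scanning, the `remote` set of the flagged PID typically mixes the IRC control channel with half-open connections to scan targets; record both before terminating the process, since the peer list is lost once it exits.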