Win32/Mytob.Z@mm is a mass mailing worm that targets certain versions of Windows. It spreads to other computers by exploiting Windows vulnerabilities, and through MSN or Windows messenger. The worm also functions as an Internet Relay Chat (IRC) client 'bot' to receive commands from attackers.
Installation
When executed, Worm:Win32/Mytob.Z@mm drops the file 'C:\hellmsn.exe' (6050 bytes), detected as Worm:Win32/Hellim.B. This file is used to start MSN/Windows Messenger in an attempt to spread.
Next, Win32/Mytob.Z drops copies of itself to the following locations:
C:\my_photo2005.scr
C:\see_this!!.scr
C:\funny_pic.scr
<system folder>\taskgmr.exe
Note: <system folder> refers to a variable location that is determined by the malware querying the Operating System. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
The worm then modifies the registry to ensure that a copy of the worm is executed at each Windows start:
Adds value: <value>
With data: taskgmr.exe
In subkeys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Where <value> can be WIN32, windows, WINTASK or another value.
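As an added example, not part of the original description, the following Python scans the text of a registry export for this persistence entry. Because the value name varies, it keys on the value data rather than the name; the key list is the one above and the sample export is constructed.

```python
import re

# Autorun locations listed above, upper-cased for case-insensitive matching.
# The value NAME varies (WIN32, windows, WINTASK, ...), so detection keys
# on the value DATA, which is always taskgmr.exe.
MYTOB_Z_KEYS = {k.upper() for k in (
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
)}
MYTOB_Z_DATA = "taskgmr.exe"
VALUE_RE = re.compile(r'"([^"]+)"="(.*)"$')  # "name"="string data"

def find_mytob_autoruns(reg_export: str):
    """Scan the text of a .reg export (decode UTF-16 first if it came straight
    from 'reg export') and return (key, value_name) pairs whose string data
    names taskgmr.exe under one of the keys Mytob.Z is known to write."""
    hits = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or current_key.upper() not in MYTOB_Z_KEYS:
            continue
        m = VALUE_RE.match(line)
        # .reg data doubles backslashes; compare only the file name so that a
        # full path ending in taskgmr.exe is caught as well.
        if m and m.group(2).replace("\\\\", "\\").rsplit("\\", 1)[-1].lower() == MYTOB_Z_DATA:
            hits.append((current_key, m.group(1)))
    return hits

# Constructed sample export; not taken from a real infected system.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"WINTASK"="taskgmr.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE]
"windows"="taskgmr.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\u\\OneDrive.exe"
"""
```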
The worm checks Internet connectivity every 20 seconds by testing access to various Web sites.
Spreads Via…
Email
Worm:Win32/Mytob.Z@mm spreads by sending a copy of itself attached to an e-mail to addresses found on the infected computer. The worm gathers e-mail addresses from the Windows Address Book (WAB). It may also generate e-mail addresses to send itself to by combining any of the following common names with e-mail address domain names harvested from the infected machine:
adam alex andrew anna bill bob brenda brent brian britney bush claudia dan dave david debby fred george helen jack james jane jerry jim jimmy
joe john jose julie kevin leo linda lolita madmax maria mary matt michael mike peter ray robert sam sandra serg smith stan steve ted tom
The worm avoids sending itself to addresses that contain the following strings:
.edu .gov .mil abuse accoun acketst admin anyone arin. avp berkeley borlan bsd bugs ca certific contact example feste fido foo. fsf. gnu gold-certs google gov. help iana ibm.com icrosof icrosoft ietf info inpris isc.o isi.e kernel linux listserv math me mit.e
mozilla mydomai no nobody nodomai noone not nothing ntivi page panda pgp postmaster privacy rating rfc-ed ripe. root ruslis samples secur sendmail service site soft somebody someone sopho submit support syma tanford.e the.bat unix usenet utgers.ed webmaster you your
This worm uses its own SMTP engine in order to spread via e-mail. The worm tries to construct the SMTP servers to be used by appending the harvested e-mail address domain names to the following strings:
gate.
mail.
mail1.
mx.
mx1.
mxs.
ns.
relay.
smtp.
The From field is spoofed, using e-mail addresses gathered from the affected machine.
The worm sends e-mail with variable characteristics.
It may use any of the following subject lines:
Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
Good day
It may use any of the following as the message body:
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The original message was included as an attachment.
Here are your banks documents.
It generates attachment names by combining the following file names:
message
test
data
file
text
doc
readme
document
with the following extensions:
bat
cmd
exe
pif
scr
zip
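As an added example (not code from the original description), this Python matches an RFC 822 message against the subject, body and attachment-name templates listed above and flags it only when the attachment pattern co-occurs with a lure text; it uses only the standard library's email package, and the sample message is constructed.

```python
import itertools
from email import message_from_string, policy
from email.message import EmailMessage

# Lure strings from the description above, lower-cased with whitespace collapsed.
SUBJECTS = {"error", "status", "server report", "mail transaction failed",
            "mail delivery system", "hello", "good day"}
BODIES = {
    "mail transaction failed. partial message is available.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
    "the original message was included as an attachment.",
    "here are your banks documents.",
}
STEMS = ["message", "test", "data", "file", "text", "doc", "readme", "document"]
EXTS = ["bat", "cmd", "exe", "pif", "scr", "zip"]
ATTACHMENTS = {f"{s}.{e}" for s, e in itertools.product(STEMS, EXTS)}  # 48 names

def norm(s):
    return " ".join(str(s or "").split()).lower()

def mytob_z_indicators(raw_message):
    """Return the subset of {'subject', 'body', 'attachment'} the message matches."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = set()
    if norm(msg["Subject"]) in SUBJECTS:
        hits.add("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and norm(name) in ATTACHMENTS:
            hits.add("attachment")
        elif part.get_content_type() == "text/plain" and norm(part.get_content()) in BODIES:
            hits.add("body")
    return hits

def looks_like_mytob_z(raw_message):
    # Require the attachment pattern plus a lure text: 'hello' alone or a
    # lone readme.zip is common in legitimate mail.
    hits = mytob_z_indicators(raw_message)
    return "attachment" in hits and len(hits) >= 2

def build_sample():
    """Constructed sample in the worm's template; the attachment bytes are filler."""
    m = EmailMessage()
    m["Subject"] = "Mail Delivery System"
    m.set_content("The original message was included as an attachment.")
    m.add_attachment(b"AAAA", maintype="application", subtype="octet-stream",
                     filename="document.scr")
    return m.as_string()
```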
Networked Computers
This worm, running on computer A, tries to connect to other computers (B) across the network at randomly chosen IP addresses. The targeted computer B is subjected to remote exploits (including the DCOM RPC buffer overrun and the LSASS buffer overrun) in order to write an FTP script on B.
The FTP script instructs B to download a copy of the worm from A using the FTP protocol. The infected computer A serves the copy of the worm to B as "bingoo.exe", which is then executed locally on B.
This worm may try to write a copy of itself to writable network shares that have weak logon credentials.
Windows/MSN Messenger
This worm will invoke a dropped file 'C:\hellmsn.exe' in order to run its Messenger chat application spreading routine.
Payload
Modifies Hosts File
The worm modifies the Windows Hosts file (located at <system folder>\drivers\etc\hosts) in order to stop the affected user from visiting the following sites (mostly associated with computer security):
avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
f-secure.com
kaspersky.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
viruslist.com
www.avp.com
www.ca.com
www.f-secure.com
www.kaspersky.com
www.mcafee.com
www.microsoft.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com
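An added example, not part of the original description: a Python check that parses a hosts file and reports any entry naming one of the domains listed above, whatever address it is mapped to; the sample hosts content is constructed.

```python
# Domains the worm pins in the hosts file, per the list above (37 entries).
MYTOB_Z_HOSTS_TARGETS = {
    "avp.com", "ca.com", "customer.symantec.com", "dispatch.mcafee.com",
    "download.mcafee.com", "f-secure.com", "kaspersky.com",
    "liveupdate.symantec.com", "liveupdate.symantecliveupdate.com",
    "mast.mcafee.com", "mcafee.com", "my-etrust.com", "nai.com",
    "networkassociates.com", "rads.mcafee.com", "secure.nai.com",
    "securityresponse.symantec.com", "sophos.com", "symantec.com",
    "trendmicro.com", "update.symantec.com", "updates.symantec.com",
    "us.mcafee.com", "viruslist.com", "www.avp.com", "www.ca.com",
    "www.f-secure.com", "www.kaspersky.com", "www.mcafee.com",
    "www.microsoft.com", "www.my-etrust.com", "www.nai.com",
    "www.networkassociates.com", "www.sophos.com", "www.symantec.com",
    "www.trendmicro.com", "www.viruslist.com",
}

def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text. '#' starts a
    comment, one address may carry several names, blank lines are skipped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            yield fields[0], name.lower()

def find_hosts_hijacks(text):
    """Return entries that pin a listed vendor domain to any address. A clean
    hosts file has no reason to name these hosts, so a mapping to 127.0.0.1,
    0.0.0.0 or some other address is reported alike."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if name in MYTOB_Z_HOSTS_TARGETS]

# Constructed sample; not copied from an infected machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1   www.symantec.com SYMANTEC.COM   # appended by the worm
0.0.0.0     update.symantec.com
10.1.2.3    intranet.example.test
"""

if __name__ == "__main__":
    import sys
    # On a live system pass the path <system folder>\drivers\etc\hosts as argv[1].
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for ip, name in find_hosts_hijacks(text):
        print(f"hosts-file hijack: {name} -> {ip}")
```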
Backdoor Functionality
The worm connects to a specified IRC server and joins a specified IRC channel on a selected TCP port to receive commands from a remote attacker. Such commands may include downloading, uploading and executing files on the affected machine. The actual TCP port used by the worm varies.