Tuesday, 05 April 2005
W32.Mytob.AA@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from files on the compromised computer. The email has a variable subject and attachment name. The attachment will have a .bat, .cmd, .doc, .exe, .htm, .pif, .scr, .tmp, .txt, or .zip file extension.
The worm also has the ability to open a back door and spreads through the network by exploiting common system vulnerabilities.
Type: Worm
Infection Length: 61,440 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When W32.Mytob.AA@mm is executed, it performs the following actions:
Copies itself as %System%\msnmsgs.exe.
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Drops the file %SystemDrive%\hellmsn.exe, which then creates the following copies of the worm:
%SystemDrive%\funny_pic.scr
%SystemDrive%\photo album.scr
%SystemDrive%\eminem vs 2pac.scr
Note: %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.
Adds the value:
"MSN MESSENGER" = "msnmsgs.exe"
to the registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa
so that W32.Mytob.AA@mm runs every time Windows starts.
Note: The worm will continuously check for the presence of these registry keys and recreate them if they are deleted.
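The autorun value above is the persistence indicator an incident responder checks first. The following Python script is an added example (not Symantec's code, and not part of this writeup) that looks for the "MSN MESSENGER" = "msnmsgs.exe" value in the seven subkeys listed. On Windows it reads the live registry through the standard winreg module; elsewhere it runs the same check over a constructed snapshot so the logic can be exercised offline. The snapshot, including the lookalike entry that points at a differently named executable, is constructed for the example.

```python
"""Check the seven autorun subkeys the worm writes for its persistence value.

Added example, not Symantec's code. The check itself is pure Python and takes a
{subkey: {value_name: value_data}} mapping; read_live_registry() fills that
mapping from the real registry on Windows.
"""
import sys

MYTOB_VALUE_NAME = "MSN MESSENGER"
MYTOB_VALUE_DATA = "msnmsgs.exe"

# Subkeys listed in the writeup, in the order they appear there.
MYTOB_SUBKEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa",
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE",
    r"HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa",
]


def find_mytob_values(registry):
    """Return [(subkey, value_name, value_data)] for every match.

    The name is compared case-insensitively and the data only has to contain
    the executable name, so a value written with a full path (for example
    C:\\WINDOWS\\system32\\msnmsgs.exe) is still reported. A value with the
    same name but a different executable is not reported.
    """
    hits = []
    for subkey in MYTOB_SUBKEYS:
        for name, data in registry.get(subkey, {}).items():
            if name.upper() == MYTOB_VALUE_NAME and MYTOB_VALUE_DATA in str(data).lower():
                hits.append((subkey, name, data))
    return hits


def read_live_registry():
    """Windows only: snapshot the seven subkeys into the mapping shape above."""
    import winreg  # standard library, importable only on Windows
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    snapshot = {}
    for subkey in MYTOB_SUBKEYS:
        hive_name, _, path = subkey.partition("\\")
        values = {}
        try:
            with winreg.OpenKey(hives[hive_name], path) as key:
                index = 0
                while True:
                    try:
                        name, data, _type = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values under this key
                    values[name] = data
                    index += 1
        except OSError:
            pass  # subkey absent or not readable; treated as empty
        snapshot[subkey] = values
    return snapshot


# Constructed snapshot for offline use: an infected HKLM Run key plus a
# lookalike value under HKCU that points at a different executable name.
SAMPLE_REGISTRY = {
    MYTOB_SUBKEYS[0]: {
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
        "MSN MESSENGER": "msnmsgs.exe",
    },
    MYTOB_SUBKEYS[2]: {
        "MSN Messenger": r"C:\Program Files\Messenger\msmsgs.exe",
    },
}

if __name__ == "__main__":
    registry = read_live_registry() if sys.platform == "win32" else SAMPLE_REGISTRY
    for subkey, name, data in find_mytob_values(registry):
        print(f'{subkey}: "{name}" = "{data}"')
```

Because the worm recreates the value as soon as it is deleted, a single clean pass of this check is only meaningful after the running process has been stopped; re-running it a minute later is the confirmation that the process is actually gone.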
Creates the mutex H-E-L-L-B-O-T-2-BY-DIABLO so that only one instance of the worm is run on the compromised computer.
Gathers email addresses from the Windows Address Book and from the following folders:
%Windir%\Temporary Internet Files
%UserProfile%\Local Settings\Temporary Internet Files
%System%
Notes:
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings (Windows NT/2000/XP).
%System% is a variable that refers to the folder that Windows uses to store critical system files. By default, this is C:\Windows\System32 (Windows XP), C:\Winnt\System32 (Windows 2000, NT), or C:\Windows\System (Windows 9x, ME).
Searches for email addresses in files on all local drives from C to Z with the following strings in their extensions:
.adb*
.asp*
.dbx*
.htm*
.php*
.pl
.sht*
.tbb*
.wab*
Note: If the worm searches for the .htm* string, the search will return .htm and .html files.
Avoids sending itself to email addresses that contain any of the following strings:
abuse
accoun
acketst
admin
anyone
arin.
avp
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
help
info
linux
listserv
me
no
nobody
noone
not
nothing
ntivi
page
postmaster
privacy
rating
root
samples
service
site
soft
somebody
someone
submit
support
the.bat
unix
webmaster
you
your
Avoids sending itself to email addresses that contain any of the following domain names:
.edu
.gov
.mil
arin.
berkeley
borlan
bsd
example
fido
foo.
fsf.
gnu
google
gov.
iana
ibm.com
icrosof
icrosoft
ietf
inpris
isc.o
isi.e
kernel
linux
math
mit.e
mozilla
mydomai
nodomai
panda
pgp
rfc-ed
ripe.
ruslis
secur
sendmail
sopho
syma
tanford.e
unix
usenet
utgers.ed
www
May append the following prefixes to domain names in an attempt to find Simple Mail Transfer Protocol (SMTP) servers:
gate.
mail.
mail1.
mx.
mx1.
mxs.
ns.
relay.
smtp.
The worm then uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:
From:
From address is spoofed and is one of the following:
adam
alex
andrew
anna
bill
bob
brenda
brent
brian
britney
bush
claudia
dan
dave
david
debby
fred
george
helen
jack
james
jane
jerry
jim
jimmy
joe
john
jose
julie
kevin
leo
linda
lolita
madmax
maria
mary
matt
michael
mike
peter
ray
robert
sam
sandra
serg
smith
stan
steve
ted
tom
followed by one of the following domains:
aol.com
cia.gov
fbi.gov
hotmail.com
juno.com
msn.com
yahoo.com
Subject:
One of the following:
[Random Strings]
Error
ERROR
Good day
hello
Hello
HELLO
Mail Delivery System
MAIL DELIVERY SYSTEM
Mail Transaction Failed
MAIL TRANSACTION FAILED
read it immediately
READ IT IMMEDIATELY
Server Report
SERVER REPORT
Status
STATUS
thanks!
Thanks!
THANKS!
Message:
One of the following:
(Garbage strings)
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The original message was included as an attachment.
I have received your document. The corrected document is attached.
Attachment:
One of the following:
body
data
doc
document
file
message
readme
test
text
with one of the following extensions:
.bat
.cmd
.doc
.exe
.htm
.pif
.scr
.tmp
.txt
.zip
Note: The worm may compress the attachment, in which case the attachment has a .zip extension.
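The sender, subject and attachment lists above are what a mail gateway rule for this worm is built from. The following Python script is an added example (not Symantec's code, and not the worm's) that parses a raw message with the standard email package and reports which of the listed indicators it carries. It flags a message only when a matching attachment is combined with a spoofed sender or a listed subject: the attachment names are ordinary enough to appear in legitimate mail, and the fixed subjects are ordinary bounce wording, so neither is reliable on its own, and the worm's random subjects mean the subject check cannot be required. The sample messages, the recipient address and the attachment bytes are constructed for the example.

```python
"""Gateway-side check for the W32.Mytob.AA@mm message pattern.

Added example, not Symantec's or the worm's code. classify() takes a raw
RFC 822 message string; build_sample() constructs test messages.
"""
import os
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicator sets, copied from the writeup and compared case-insensitively.
SPOOFED_NAMES = set("""adam alex andrew anna bill bob brenda brent brian britney
bush claudia dan dave david debby fred george helen jack james jane jerry jim
jimmy joe john jose julie kevin leo linda lolita madmax maria mary matt michael
mike peter ray robert sam sandra serg smith stan steve ted tom""".split())
SPOOFED_DOMAINS = {"aol.com", "cia.gov", "fbi.gov", "hotmail.com",
                   "juno.com", "msn.com", "yahoo.com"}
SUBJECTS = {"error", "good day", "hello", "mail delivery system",
            "mail transaction failed", "read it immediately",
            "server report", "status", "thanks!"}
ATTACH_NAMES = {"body", "data", "doc", "document", "file", "message",
                "readme", "test", "text"}
ATTACH_EXTS = {".bat", ".cmd", ".doc", ".exe", ".htm", ".pif",
               ".scr", ".tmp", ".txt", ".zip"}


def classify(raw_message):
    """Return (flagged, reasons) for one raw message.

    flagged is True when a listed attachment name/extension pair is present
    together with at least one header indicator (spoofed sender or listed
    subject). reasons lists every indicator seen, flagged or not.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []

    # Sender: local part from the first-name list and domain from the domain list.
    address = parseaddr(str(msg.get("From", "")))[1].lower()
    local, _, domain = address.partition("@")
    sender_hit = local in SPOOFED_NAMES and domain in SPOOFED_DOMAINS
    if sender_hit:
        reasons.append(f"spoofed sender {address}")

    subject = str(msg.get("Subject", "")).strip().lower()
    subject_hit = subject in SUBJECTS
    if subject_hit:
        reasons.append(f"listed subject {subject!r}")

    # Attachment: base name and extension must both come from the lists.
    attachment_hit = False
    for part in msg.iter_attachments():
        stem, ext = os.path.splitext((part.get_filename() or "").lower())
        if stem in ATTACH_NAMES and ext in ATTACH_EXTS:
            attachment_hit = True
            reasons.append(f"listed attachment {stem}{ext}")

    return attachment_hit and (sender_hit or subject_hit), reasons


def build_sample(sender, subject, filename):
    """Construct a test message with one binary attachment (constructed data)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.net"  # constructed recipient
    m["Subject"] = subject
    m.set_content("The original message was included as an attachment.")
    m.add_attachment(b"constructed placeholder bytes, not an executable",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_string()


if __name__ == "__main__":
    for args in [("john@hotmail.com", "Mail Delivery System", "document.zip"),
                 ("mary@yahoo.com", "xk7qpl", "readme.scr"),
                 ("alice@example.org", "Q3 numbers", "document.doc")]:
        print(args, classify(build_sample(*args)))
```

The attachment rule is also the only one of the three that survives the worm's random-subject mode, which is why it is the anchor condition rather than one vote among three.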
Loads an FTP server that listens on a random TCP port.
Connects to an IRC channel on the irc.blackcarder.net domain and listens for commands that allow the remote attacker to perform any of the following actions:
Download and execute files
Restart the computer
Perform other IRC commands determined by the attacker
Exploits the following vulnerabilities in order to spread to other computers:
The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026).
The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).
If the worm successfully exploits a vulnerable computer, it may drop a file named 2pac.txt onto the newly compromised computer. This file opens port 10087 and downloads a copy of the worm as bingoo.exe.
Blocks access to several security-related Web sites by appending the following text to the Hosts file:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
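The Hosts-file entries above are a durable indicator: they survive a reboot and block the update sites the cleanup depends on. The following Python script is an added example (not Symantec's code) that parses Hosts-file text and reports every entry naming one of the listed hosts, or any other host under those vendors' domains, whatever address it points at, since none of those names belong in a Hosts file; it also records whether the address is a loopback or 0.0.0.0 sinkhole of the kind the worm writes. The sample content is constructed, and the default Windows Hosts path used when no path is given is a well-known location rather than something taken from this writeup.

```python
"""Report security-vendor entries in a Hosts file.

Added example, not Symantec's code. find_tampering() works on text so it can
run over a copy of the file from any system; main() reads the live file.
"""
import ipaddress
import os
import sys

# Host names the worm appends, copied from the writeup.
BLOCKED_HOSTS = set("""www.symantec.com securityresponse.symantec.com symantec.com
www.sophos.com sophos.com www.mcafee.com mcafee.com
liveupdate.symantecliveupdate.com www.viruslist.com viruslist.com f-secure.com
www.f-secure.com kaspersky.com www.avp.com www.kaspersky.com avp.com
www.networkassociates.com networkassociates.com www.ca.com ca.com
mast.mcafee.com my-etrust.com www.my-etrust.com download.mcafee.com
dispatch.mcafee.com secure.nai.com nai.com www.nai.com update.symantec.com
updates.symantec.com us.mcafee.com liveupdate.symantec.com customer.symantec.com
rads.mcafee.com trendmicro.com www.microsoft.com www.trendmicro.com""".split())

# Registrable domains derived from that list; any host under them is reported.
VENDOR_DOMAINS = {"symantec.com", "symantecliveupdate.com", "sophos.com",
                  "mcafee.com", "viruslist.com", "f-secure.com", "kaspersky.com",
                  "avp.com", "networkassociates.com", "ca.com", "my-etrust.com",
                  "nai.com", "trendmicro.com", "microsoft.com"}


def parse_hosts(text):
    """Yield (line_number, address, [host names]) per entry; comments and blank lines are skipped."""
    for number, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield number, fields[0], [h.lower().rstrip(".") for h in fields[1:]]


def is_vendor_host(host):
    """True for a listed host or any host under a listed vendor domain."""
    return host in BLOCKED_HOSTS or any(
        host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def is_sinkhole(address):
    """True for loopback or 0.0.0.0 targets, the usual way a Hosts entry blocks a site."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_tampering(text):
    """Return [(line_number, host, address, sinkholed)] for every vendor host in the file."""
    hits = []
    for number, address, hosts in parse_hosts(text):
        for host in hosts:
            if is_vendor_host(host):
                hits.append((number, host, address, is_sinkhole(address)))
    return hits


# Constructed sample: stock entries, a harmless local entry, then lines of the
# kind the worm appends (two of them varied to show the address handling).
SAMPLE_HOSTS = """\
# constructed sample Hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       dev.local        # a developer's own entry, not malicious
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
0.0.0.0 www.mcafee.com
10.0.0.5 update.symantec.com
"""


def main(path=None):
    if path is None:
        if sys.platform == "win32":
            # Well-known default location of the Windows Hosts file.
            path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                                "System32", "drivers", "etc", "hosts")
        else:
            path = "/etc/hosts"
    with open(path, encoding="utf-8", errors="replace") as f:
        text = f.read()
    for number, host, address, sinkholed in find_tampering(text):
        print(f"line {number}: {host} -> {address}{' (sinkholed)' if sinkholed else ''}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Matching on the vendor domains rather than only the exact list is deliberate: other Mytob variants append different host sets, and a hardened rule should not depend on the exact spelling in one writeup.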
To delete the value from the registry
Click Start > Run.
Type regedit
Click OK.
Navigate to the subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa
In the right pane, delete the value:
"MSN MESSENGER" = "msnmsgs.exe"
Exit the Registry Editor.