Ads

W32.Mytob.AH@mm PDF Print E-mail
Monday, 11 April 2005
W32.Mytob.AH@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer.

The worm spreads by exploiting the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) and the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).

Also Known As: WORM_MYTOB.AD [Trend Micro]

Type: Worm
Infection Length: 47,677 bytes

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When W32.Mytob.AH@mm is executed, it performs the following actions:


Copies itself as the following:


%System% askgmr.exe
%System%ingoo.exe
C:funny_pic.scr
C:see_this!!.scr
C:my_photo2005.scr

Note: %System% is a variable that refers to the System folder. By default this is C:WindowsSystem (Windows 95/98/Me), C:WinntSystem32 (Windows NT/2000), or C:WindowsSystem32 (Windows XP).


Creates the file C:hellmsn.exe which is detected as W32.Mytob.L@mm.


Adds the value:

"WINRUN" = "taskgmr.exe"

to the registry subkeys:

HKEY_CURRENT_USERSoftwareMicrosoftOLE
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
HKEY_CURRENT_USERSystemCurrentControlSetControlLsa
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOLE
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunServices
HKEY_LOCAL_MACHINESystemCurrentControlSetControlLsa

so that the worm runs every time Windows starts.

Note: The worm will continuously check for the presence of these registry keys and recreates them if they are deleted.


Creates a mutex "H-E-L-L-B-O-T" so that only one instance of the worm is run on the compromised computer.


Gathers email addresses from the Windows Address Book and from the following folders:


%Windir%Temporary Internet Files
%Userprofile%Local SettingsTemporary Internet Files
%System%

Notes:
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:Windows or C:Winnt.
%UserProfile% is a variable that refers to the current users profile folder. By default, this is C:Documents and Settings (Windows NT/2000/XP).
%System% is a variable that refers to the folder that Windows uses to store critical system files. By default, this is C:WindowsSystem32 (Windows XP), C:WinntSystem32 (Windows 2000, NT), or C:WindowsSystem (Windows 9x, ME)


Searches for email addresses in files on drives C through Z that contain the any of the following strings in their extensions:


.adb*
.asp*
.dbx*
.htm*
.php*
.pl
.sht*
.tbb*
.txt
.wab*


The worm then uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:

From:
From address is spoofed and is one of the following:


adam
alex
andrew
anna
bill
bob
brenda
brent
brian
britney
bush
claudia
dan
dave
david
debby
fred
george
helen
jack
james
jane
jerry
jim
jimmy
joe
john
jose
julie
kevin
leo
linda
lolita
madmax
maria
mary
matt
michael
mike
peter
ray
robert
sam
sandra
serg
smith
stan
steve
ted
tom

followed by one of the following domains:


aol.com
cia.gov
fbi.gov
hotmail.com
juno.com
msn.com
yahoo.com

Note: The worm may also spoof an address from one of those found on the computer.

Subject:
(One of the following)


hello
Good Day
Error
Mail Delivery System
Mail Transaction Failed
Server Report
Status
[blank]
[random characters]

Message:
(One of the following)


Mail transaction failed. Partial message is available.

The message contains Unicode characters and has been sent as a binary
attachment.

The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.

The original message was included as an attachment.

Here are your banks documents

[random characters]

Attachment:
(One of the following)


body
data
doc
document
file
message
readme
test
text
[random name]

with one of the following extensions:


.pif
.scr
.exe
.bat
.cmd

Notes: The worm may compress the attachment and the attachment may have a .zip extension. The zipped file will have .doc, .htm, or .txt as the first extension name and .exe, .pif, or .scr as the second extension name.

The worm avoids sending itself to email addresses that contain any of the following strings:


abuse
accoun
acketst
admin
anyone
arin.
avp
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
help
info
linux
listserv
me
no
nobody
noone
not
nothing
ntivi
page
postmaster
privacy
rating
root
samples
service
site
soft
somebody
someone
submit
support
the.bat
unix
webmaster
you
your

or contain any of the following domain names:


.edu
.gov
.mil
arin.
berkeley
borlan
bsd
example
fido
foo.
fsf.
gnu
google
gov.
iana
ibm.com
icrosof
icrosoft
ietf
inpris
isc.o
isi.e
kernel
linux
math
mit.e
mozilla
mydomai
nodomai
panda
pgp
rfc-ed
ripe.
ruslis
secur
sendmail
sopho
syma
tanford.e
unix
usenet
utgers.ed
www

The worm may append the following prefixes to domain names in an attempt to find Simple Mail Transfer Protocol (SMTP) servers:


gate.
mail.
mail1.
mx.
mx1.
mxs.
ns.
relay.
smtp.


Loads an FTP server that listens on a random TCP port.


Opens a back door on TCP port 10087.


Connects to an IRC channel on the sceptre.cjb.net domain using TCP port 6667 and listens for commands. This allows the remote attacker to perform any of the following actions:


Execute files
Download files
Perform other IRC commands determined by the attacker
Reboot the compromised computer


Exploits the following vulnerabilities in order to spread to other computers:


The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026).
The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011)


Blocks access to several security-related Web sites by appending the following text to the Hosts file:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com

To delete the value from the registry
Click Start > Run.


Type regedit


Click OK.


Navigate to the subkeys:

HKEY_CURRENT_USERSoftwareMicrosoftOLE
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
HKEY_CURRENT_USERSystemCurrentControlSetControlLsa
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunServices
HKEY_LOCAL_MACHINESystemCurrentControlSetControlLsa


In the right pane, delete the value:

"WINRUN" = "taskgmr.exe"


Exit the Registry Editor
 
< Prev   Next >
[ Back ]