Ads

W32.Mytob.AS@mm PDF Print E-mail
Tuesday, 12 April 2005
W32.Mytob.AS@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer. The worm spreads through the network by exploiting vulnerabilities and opens a back door on the compromised computer.

Type: Worm

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When W32.Mytob.AS@mm is executed, it performs the following actions:


Copies itself as the following:


%System% askgmr.exe
%System%ingoo.exe
C:funny_pic.scr
C:see_this!!.scr
C:my_photo2005.scr

Note: %System% is a variable that refers to the System folder. By default this is C:WindowsSystem (Windows 95/98/Me), C:WinntSystem32 (Windows NT/2000), or C:WindowsSystem32 (Windows XP).


Drops the file C:hellmsn.exe, which is a copy of W32.Mytob.L@mm.


Adds the value:

"WINTASK" = "taskgmr.exe"

to the registry subkeys:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersion
RunServices
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
HKEY_CURRENT_USERSoftwareMicrosoftOLE
HKEY_CURRENT_USERSYSTEMCurrentControlSetControlLsa
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOLE
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa

so that the worm runs every time Windows starts.

Note: The worm will continuously check for the presence of these registry keys and recreates them if they are deleted.


Creates a mutex named "H-E-L-L-B-O-T" so that only one instance of the worm is run on the compromised computer.


Gathers email addresses from the Windows Address Book and from the following folders:


%Windir%Temporary Internet Files
%Userprofile%Local SettingsTemporary Internet Files
%System%

Notes:
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:Windows or C:Winnt.
%UserProfile% is a variable that refers to the current users profile folder. By default, this is C:Documents and Settings (Windows NT/2000/XP).

The worm also gathers email addresses from files on drives C through Z that contain the any of the following strings in their extensions:


.adb*
.asp*
.dbx*
.htm*
.php*
.sht*
.tbb*
.txt
.wab*

The worm avoids sending itself to email addresses that contain any of the following strings:


abuse
accoun
admin
anyone
bsd
bugs
certific
contact
fcnz
feste
gold-certs
google
help
icrosoft
info
linux
listserv
nobody
noone
not
nothing
ntivi
page
postmaster
privacy
rating
root
samples
secur
service
site
soft
somebody
someone
spm
submit
support
the.bat
unix
webmaster
www
you
your1

The worm also avoids email addresses that contain any of the following strings in the domain name:


.gov
.mil
acketst
arin.
avp
berkeley
borlan
bsd
example
fido
foo.
fsf.
gnu
google
gov.
iana
ibm.com
icrosof
ietf
inpris
isc.o
isi.e
kernel
linux
math
mit.e
mozilla
mydomai
nodomai
panda
pgp
rfc-ed
ripe.
ruslis
secur
sendmail
sopho
syma
tanford.e
unix
usenet
utgers.ed

The worm may append the following prefixes to domain names in an attempt to find Simple Mail Transfer Protocol (SMTP) servers:


gate.
mail.
mail1.
mx.
mx1.
mxs.
ns.
relay.
smtp.


The worm then uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:

From:
The address contains one of the following names:


adam
alex
andrew
anna
bill
bob
brenda
brent
brian
britney
bush
claudia
dan
dave
david
debby
fred
george
helen
jack
james
jane
jerry
jim
jimmy
joe
john
jose
julie
kevin
leo
linda
lolita
madmax
maria
mary
matt
michael
mike
peter
ray
robert
sam
sandra
serg
smith
stan
steve
ted
tom

followed by one of the following domains:


aol.com
cia.gov
fbi.gov
hotmail.com
juno.com
msn.com
yahoo.com

Note: The worm may also spoof the From address using one found on the compromised computer.

Subject:
One of the following:


hello
Good Day
Error
Mail Delivery System
Mail Transaction Failed
Server Report
Status
[blank]
[random characters]

Message:
One of the following:


[Random characters]
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The original message was included as an attachment.
Here are your banks documents

Attachment:
One of the following:


body
data
doc
document
file
message
readme
test
text

with one of the following extensions:


.bat
.cmd
.exe
.pif
.scr

Note: The attachment may have a .zip extension and contain a file with a dual extension. The first extension will be .doc, .htm, or .txt, followed by .exe, .pif, or .scr as the second extension.


Opens a back door by connecting to an IRC channel on the happy20050.fidosoft.de domain on TCP port 10087.


Listens for commands that allow the remote attacker to perform any of the following actions:


Execute files
Download files
Perform other IRC commands determined by the attacker
Reboot the compromised computer


Spreads by exploiting the following vulnerabilities:


The Microsoft Windows Local Security Authority Service Remote Buffer Overflow vulnerability (described in Microsoft Security Bulletin MS04-011)
The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026).


Blocks access to several security-related Web sites by appending the following text to the Hosts file:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
127.0.0.1 metalhead2005.info
127.0.0.1 irc.blackcarder.net
127.0.0.1 d66.myleftnut.info

To delete the value from the registry
Click Start > Run.


Type regedit


Click OK.


Navigate to the subkeys:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersion
RunServices
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
HKEY_CURRENT_USERSoftwareMicrosoftOLE
HKEY_CURRENT_USERSYSTEMCurrentControlSetControlLsa
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOLE
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa

In the right pane, delete the value:

"WINTASK" = "taskgmr.exe"

Exit the Registry Editor.
 
< Prev   Next >
[ Back ]