
W32.Mytob.BJ@mm
Saturday, 23 April 2005
W32.Mytob.BJ@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer.

Type: Worm

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When W32.Mytob.BJ@mm is executed, it performs the following actions:



Copies itself as %System%\taskgmr.exe.

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


Adds the value:

"Windows Task Manager" = "taskgmr.exe"

to the registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

so that W32.Mytob.BJ@mm runs every time Windows starts.


Gathers email addresses from the Windows Address Book and from the following locations:


%Windir%\Temporary Internet Files
%UserProfile%\Local Settings\Temporary Internet Files
%System%

Notes:
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
%UserProfile% is a variable that refers to the current user's profile folder. By default, this is under C:\Documents and Settings (Windows NT/2000/XP).


Gathers email addresses from files with the following extensions on all local drives from C to Y:


.adb*
.asp*
.dbx*
.htm*
.php*
.sht*
.tbb*
.txt
.wab*

The worm will not send itself to email addresses that contain any of the following strings:


abuse
accoun
acketst
admin
anyone
arin.
avp
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
help
info
linux
listserv
me
no
nobody
noone
not
nothing
ntivi
page
postmaster
privacy
rating
root
samples
service
site
soft
somebody
someone
submit
support
the.bat
unix
webmaster
you
your

The worm will not send itself to email addresses that contain any of the following strings in the domain name:


.edu
.gov
.mil
arin.
berkeley
borlan
bsd
example
fido
foo.
fsf.
gnu
google
gov.
iana
ibm.com
icrosof
icrosoft
ietf
inpris
isc.o
isi.e
kernel
linux
math
mit.e
mozilla
mydomai
nodomai
panda
pgp
rfc-ed
ripe.
ruslis
secur
sendmail
sopho
syma
tanford.e
unix
usenet
utgers.ed
www

The worm may append the following prefixes to domain names in an attempt to find Simple Mail Transfer Protocol (SMTP) servers:


gate.
mail.
mail1.
mx.
mx1.
mxs.
ns.
relay.
smtp.
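The prefix-guessing behaviour above leaves a distinctive trace in DNS: one client resolving several of these guessed host names for many unrelated domains in a short time, which a normal mail client never does. The following is an added detection example written for this write-up, not code from the original page or from any vendor tool. It assumes a query log in the form `<time> <client_ip> A <qname>` (the sample lines are constructed, not real traffic) and flags clients that try two or more guessed prefixes against the same base domain across at least three different domains.

```python
import re
from collections import defaultdict

# Host-name prefixes the write-up says the worm prepends to harvested
# domains when guessing an SMTP server.
SMTP_GUESS_PREFIXES = ("gate.", "mail.", "mail1.", "mx.", "mx1.",
                       "mxs.", "ns.", "relay.", "smtp.")

# Constructed sample DNS query log; assumed format "<time> <client_ip> A <qname>".
SAMPLE_DNS_LOG = """\
10:00:01 10.0.0.5 A mail.example.org
10:00:01 10.0.0.5 A smtp.example.org
10:00:02 10.0.0.5 A mx1.example.org
10:00:02 10.0.0.5 A mail.example.net
10:00:03 10.0.0.5 A relay.example.net
10:00:03 10.0.0.5 A gate.example.com
10:00:03 10.0.0.5 A mxs.example.com
10:00:04 10.0.0.5 A mail.example.co.uk
10:00:05 10.0.0.9 A mail.example.org
10:00:06 10.0.0.9 A www.example.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+A\s+(\S+)$")


def split_guess(qname):
    """Return (prefix, base_domain) if qname starts with a guessed SMTP prefix, else None."""
    q = qname.lower().rstrip(".")
    for p in SMTP_GUESS_PREFIXES:
        if q.startswith(p) and len(q) > len(p):
            return p, q[len(p):]
    return None


def guessed_hosts_by_client(log_text):
    """Map client -> {base_domain: set(prefixes tried)} for A queries that look like guessing."""
    result = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed or non-A lines
        _, client, qname = m.groups()
        g = split_guess(qname)
        if g:
            prefix, base = g
            result[client][base].add(prefix)
    return result


def suspicious_clients(log_text, min_domains=3, min_prefixes_per_domain=2):
    """Flag clients that try several guessed SMTP names across many distinct base domains.

    A legitimate mail client resolves one or two configured servers; a mass mailer that
    prefixes mail./smtp./mx. onto every harvested domain resolves dozens of them.
    """
    flagged = {}
    for client, domains in guessed_hosts_by_client(log_text).items():
        multi = {d: sorted(p) for d, p in domains.items()
                 if len(p) >= min_prefixes_per_domain}
        if len(domains) >= min_domains and multi:
            flagged[client] = {"domains": len(domains), "multi_prefix": multi}
    return flagged


if __name__ == "__main__":
    for client, info in suspicious_clients(SAMPLE_DNS_LOG).items():
        print(client, info)
```

The `ns.` prefix will produce noise from ordinary name-server lookups, so in practice it is the combination (several prefixes per domain, many domains, one client) that carries the signal, not any single query. The thresholds are assumptions to tune against your own baseline.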


The worm then uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:

From:
The From address is spoofed. It is either one of several fixed sender addresses built into the worm (that list is not preserved in this copy of the write-up) or one of the addresses the worm harvested from the compromised computer.

Subject:
One of the following:


read it immediately
Hello
Congratulations!
Re: Approved document
Re: Your document
Re: Administration
approved
Is that your password?
Its you!?
Bonjour

Message:
One of the following:


I have attached your informations.
The original message was included as an attachment.
Your document is attached.
The message contains Unicode characters and has been sent as a binary attachment.
For more details see the attachment.

Attachment:
One of the following:


document
details
data
important information
your_doc
message
body

with one of the following as extension:


.pif
.scr
.exe
.cmd
.bat

Note: The attachment may also be a .zip file containing a copy of the worm with two file extensions. The copy of the worm will have .doc, .htm, or .txt as the first extension, and .exe, .pif, or .scr as the second extension.
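The subject, attachment name and extension lists above are exactly what a mail gateway rule keys on, and the .zip variant with a double extension is the case a naive extension check misses. Below is an added triage example written for this page (not code from the original write-up or any vendor product): it parses a message with Python's standard `email` library, flags a known lure subject, flags an attachment whose name is one of the listed base names with an executable extension, and opens any .zip attachment in memory to look for a member named like `message.txt.exe`. The sample messages are constructed with harmless bytes in place of a worm body.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Lure strings taken from the write-up above.
SUBJECTS = {"read it immediately", "hello", "congratulations!", "re: approved document",
            "re: your document", "re: administration", "approved",
            "is that your password?", "its you!?", "bonjour"}
BASENAMES = ("document", "details", "data", "important information",
             "your_doc", "message", "body")
EXEC_EXTS = ("pif", "scr", "exe", "cmd", "bat")

BASENAME_RE = "|".join(re.escape(b) for b in BASENAMES)
# document.pif, your_doc.exe, ... sent directly
DIRECT_RE = re.compile(rf"^(?:{BASENAME_RE})\.(?:{'|'.join(EXEC_EXTS)})$", re.I)
# message.txt.exe, document.doc.scr, ... the double-extension copy inside the .zip
DOUBLE_RE = re.compile(r"^.+\.(?:doc|htm|txt)\.(?:exe|pif|scr)$", re.I)


def classify_attachment(filename, payload):
    """Return a reason string if the attachment matches the worm's pattern, else None."""
    name = (filename or "").strip()
    if DIRECT_RE.match(name):
        return f"executable lure attachment {name}"
    if name.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    leaf = member.rsplit("/", 1)[-1]   # ignore any directory part
                    if DOUBLE_RE.match(leaf):
                        return f"zip {name} contains double-extension executable {member}"
        except zipfile.BadZipFile:
            # A file that claims .zip but will not open is itself worth a look.
            return f"attachment {name} claims .zip but is not a valid archive"
    return None


def triage_message(raw_bytes):
    """Parse an RFC 5322 message and return a list of indicator strings (empty if clean)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    reasons = []
    subject = (msg["subject"] or "").strip().lower()
    if subject in SUBJECTS:
        reasons.append(f"known lure subject: {subject!r}")
    for part in msg.iter_attachments():
        r = classify_attachment(part.get_filename(), part.get_payload(decode=True))
        if r:
            reasons.append(r)
    return reasons


def build_sample(subject, attach_name, attach_bytes):
    """Construct a test message carrying one attachment (no real worm payload)."""
    m = EmailMessage()
    m["From"] = "someone@example.com"
    m["To"] = "user@example.net"
    m["Subject"] = subject
    m.set_content("Your document is attached.")
    m.add_attachment(attach_bytes, maintype="application",
                     subtype="octet-stream", filename=attach_name)
    return m.as_bytes()


def build_zip(member_name, member_bytes):
    """Construct an in-memory .zip holding one member, as the worm's zipped form would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_message(build_sample("Re: Your document", "document.pif", b"MZ")))
    print(triage_message(build_sample("Hello", "message.zip",
                                      build_zip("message.txt.exe", b"MZ"))))
```

The subject match alone is weak evidence ("Hello" is a common subject); in a real rule the attachment finding should drive the verdict and the subject only raise the score. Note that the check opens the archive by its name list and never extracts or executes a member.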


Connects to an IRC channel on the irc.blackcarder.net domain.


Listens for commands that allow the remote attacker to perform the following actions:


Execute files
Download files
Perform other IRC commands determined by the attacker
Reboot the compromised computer


Blocks access to several security-related Web sites by appending the following text to the Hosts file:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com

To delete the value from the registry
Click Start > Run.
Type regedit
Click OK.


Navigate to the subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices


In the right pane, delete the value:

"Windows Task Manager" = "taskgmr.exe"


Exit the Registry Editor.





Additional information:

Removing entries from the Hosts file
If this threat has modified the Windows Hosts file, there are two ways to remove these entries:

Install and run the current version of LiveUpdate. This will remove only the entries that refer to Symantec domains.
Manually edit the Hosts file and remove all the entries that the threat added.
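The manual Hosts file clean-up above is easy to get wrong by hand (a missed line silently keeps one vendor's update server black-holed, an over-eager edit removes the localhost entry). The following is an added example written for this page, not code from the original write-up or from any vendor: it parses Hosts file text, reports every entry that maps a security-vendor host to a loopback or unspecified address, and returns the file with only those lines removed. It serves both the Hosts-file list in the behaviour section above and this removal step. The vendor domain list is assumed from the entries the write-up names; the sample Hosts content is constructed, and the `0.0.0.0` line is an assumed variant included to show that the check is not limited to 127.0.0.1.

```python
import ipaddress

# Registrable domains covering the hosts the write-up lists; matched by suffix, so
# securityresponse.symantec.com is caught by symantec.com. Extend for your own vendors.
BLOCKED_VENDOR_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com", "viruslist.com",
    "f-secure.com", "kaspersky.com", "kaspersky-labs.com", "avp.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "nai.com", "trendmicro.com",
    "grisoft.com", "microsoft.com",
)

# Constructed Hosts file: a stock header, two legitimate entries, then the kind of
# lines the worm appends (the 0.0.0.0 line is an assumed variant, not from the write-up).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
127.0.0.1       localhost
192.168.1.10    intranet.corp.example
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.microsoft.com
0.0.0.0 update.symantec.com
"""


def is_vendor_host(hostname):
    """True if hostname is, or is a subdomain of, a listed vendor domain."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in BLOCKED_VENDOR_DOMAINS)


def is_sinkhole(addr):
    """True for loopback (127.0.0.0/8, ::1) and unspecified (0.0.0.0, ::) addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def find_hijacked_entries(hosts_text):
    """Return (line_number, line) for every entry that sinkholes a security-vendor host."""
    hits = []
    for n, line in enumerate(hosts_text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not stripped:
            continue
        fields = stripped.split()
        addr, names = fields[0], fields[1:]
        if is_sinkhole(addr) and any(is_vendor_host(x) for x in names):
            hits.append((n, line))
    return hits


def clean_hosts(hosts_text):
    """Return the Hosts file with hijacked entries removed and every other line intact."""
    bad = {n for n, _ in find_hijacked_entries(hosts_text)}
    kept = [l for n, l in enumerate(hosts_text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for n, line in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {n}: {line}")
    print(clean_hosts(SAMPLE_HOSTS))
```

On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts; it is often marked read-only and requires an administrator to write, and the worm process should be stopped first or it may simply re-append the entries. Review the reported lines before writing the cleaned text back, since an entry such as `127.0.0.1 localhost` is deliberately left untouched.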
