Ads W32.Mytob.BR@mm Saturday, 30 April 2005 W32.Mytob.BR@mm is a mass-mailing worm with back door functionality that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer. The worm also spreads through network shares by exploiting The Microsoft Windows LSASS Buffer Overrun Vulnerability (as described in Microsoft Security Bulletin MS04-011). Type: Worm Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP When W32.Mytob.BR@mm is executed, it performs the following actions: Creates copies of itself as: %System% askgmr.exe %System%ingoo.exe C:funny_pic.scr C:see_this!!.scr C:my_photo2005.scr Notes: %System% is a variable that refers to the folder that Windows uses to store critical system files. By default, this is C:WindowsSystem32 (Windows XP), C:WinntSystem32 (Windows 2000, NT), or C:WindowsSystem (Windows 9x, ME) Creates the following file: C:hellmsn.exe Adds the value: "WINRUN" = "taskgmr.exe" to the registry subkeys: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunServices HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun HKEY_CURRENT_USERSoftwareMicrosoftOLE HKEY_CURRENT_USERSYSTEMCurrentControlSetControlLsa HKEY_LOCAL_MACHINESOFTWAREMicrosoftOLE HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa so that W32.Mytob.BR@mm runs every time Windows starts. Note: The worm will recreate these registry subkeys if they are deleted. Creates the following mutex so that only one instance of the worm is run on the compromised computer: H-E-L-L-B-O-T Collects email addresses from the Windows Address Book and from the following locations: %Windir%Temporary Internet Files %Userprofile%Local SettingsTemporary Internet Files %System% Notes: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:Windows or C:Winnt. %UserProfile% is a variable that refers to the current users profile folder. By default, this is C:Documents and Settings (Windows NT/2000/XP). %System% is a variable that refers to the folder that Windows uses to store critical system files. By default, this is C:WindowsSystem32 (Windows XP), C:WinntSystem32 (Windows 2000, NT), or C:WindowsSystem (Windows 9x, ME) Harvests email addresses from files with the following extensions: .adb* .asp* .dbx* .htm* .php* .pl .sht* .tbb* .txt .wab* Avoids sending a copy of itself to email addresses containing any of the following strings: abuse accoun acketst admin anyone arin. avp bugs ca certific contact example feste fido foo. fsf. gnu gold-certs google help info linux listservme no nobody noone not nothing ntivi page postmaster privacy rating root samples service site soft somebody someone submit support the.bat unix webmaster you your Avoids sending a copy of itself to email addresses that contain any of the following domain names: .edu .gov .mil arin. berkeley borlan bsd example fido foo. fsf. gnu google gov. iana ibm.com icrosof icrosoft ietf inpris isc.o isi.e kernel linux math mit.e mozilla mydomai nodomai panda pgp rfc-ed ripe. ruslis secur sendmail sopho syma tanford.e unix usenet utgers.ed www The worm may append the following prefixes to domain names in an attempt to find Simple Mail Transfer Protocol (SMTP) servers: gate. mail. mail1. mx. mx1. mxs. ns. relay. smtp. Uses its own SMTP engine to send itself to the email addresses that it finds in the compromised computer. The email has the following characteristics: From: From address is spoofed and is one of the following: adam alex andrew anna bill bob brenda brent brian britney bush claudia dan dave david debby fred george helen jack james jane jerry jim jimmy joe john jose julie kevin leo linda lolita madmax maria mary matt michael mike peter ray robert sam sandra serg smith stan steve ted tom followed by one of the following domains: aol.com cia.gov fbi.gov hotmail.com juno.com msn.com yahoo.com Subject: One of the following: hello Good Day Error Mail Delivery System Mail Transaction Failed Server Report Status [blank] [random characters] Message: One of the following: [random characters] Mail transaction failed. Partial message is available. The message contains Unicode characters and has been sent as a binary attachment. The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment. The original message was included as an attachment. Here are your banks documents Attachment: One of the following: body data doc document file message readme test text [random name] with one of the following extensions: .pif .scr .exe .bat .cmd Acts as a back door server on TCP port 10087. Opens a back door by connecting to an IRC channel on the snuiven.kicks-ass.net domain and listen for commands. This will allow the remote attacker to perform any of the following actions: Execute files Download files Perform other IRC commands determined by the attacker Reboot the compromised computer Spreads by exploiting the following vulnerability: The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011). Blocks access to several security-related Web sites by appending the following text to the Hosts file: 127.0.0.1 www.symantec.com 127.0.0.1 securityresponse.symantec.com 127.0.0.1 symantec.com 127.0.0.1 www.sophos.com 127.0.0.1 sophos.com 127.0.0.1 www.mcafee.com 127.0.0.1 mcafee.com 127.0.0.1 liveupdate.symantecliveupdate.com 127.0.0.1 www.viruslist.com 127.0.0.1 viruslist.com 127.0.0.1 viruslist.com 127.0.0.1 f-secure.com 127.0.0.1 www.f-secure.com 127.0.0.1 kaspersky.com 127.0.0.1 www.avp.com 127.0.0.1 www.kaspersky.com 127.0.0.1 avp.com 127.0.0.1 www.networkassociates.com 127.0.0.1 networkassociates.com 127.0.0.1 www.ca.com 127.0.0.1 ca.com 127.0.0.1 mast.mcafee.com 127.0.0.1 my-etrust.com 127.0.0.1 www.my-etrust.com 127.0.0.1 download.mcafee.com 127.0.0.1 dispatch.mcafee.com 127.0.0.1 secure.nai.com 127.0.0.1 nai.com 127.0.0.1 www.nai.com 127.0.0.1 update.symantec.com 127.0.0.1 updates.symantec.com 127.0.0.1 us.mcafee.com 127.0.0.1 liveupdate.symantec.com 127.0.0.1 customer.symantec.com 127.0.0.1 rads.mcafee.com 127.0.0.1 trendmicro.com 127.0.0.1 www.microsoft.com 127.0.0.1 www.trendmicro.com To delete the value from the registry Click Start > Run. Type regedit Click OK. Navigate to the subkeys: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunServices HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun HKEY_CURRENT_USERSoftwareMicrosoftOLE HKEY_CURRENT_USERSYSTEMCurrentControlSetControlLsa HKEY_LOCAL_MACHINESOFTWAREMicrosoftOLE HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa In the right pane, delete the value: "WINRUN" = "taskgmr.exe" Exit the Registry Editor.   < Prev   Next > [ Back ]

Main Menu SpamAlerts | Windows | Linux | Tutorials | Excell | WhitePapers | News | Spam | Virus Windows Focus VNews Vulnerability Hacking Sql Injection map Downloads Affiliates Online Store Free Ringtones Seo Directory IWebListin Jobs in India Freshers Jobs listings. Winkeyfinder

Copyright 2005-2007 SpamAlertz.com, Content on this site is From variuos other emails, and Advisories.