Thursday, 16 June 2005
W32.Mytob.EF@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer. The worm spreads through the network by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (as described in Microsoft Security Bulletin MS04-011) and the Microsoft Windows DCOM RPC Interface Buffer Overrun vulnerability (as described in Microsoft Security Bulletin MS03-026).
Type: Worm
Infection Length: 53,760 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When W32.Mytob.EF@mm is executed, it performs the following actions:
Copies itself as the following:
%System%\taskfile.exe
%System%\ingoo.exe
C:\funny_pic.scr
C:\see_this!!.scr
C:\my_photo2005.scr
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Creates the file C:\hellmsn.exe, which is a copy of W32.Mytob.L@mm.
Adds the value:
"WINTASK" = "taskfile.exe"
to the registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control
so that the risk runs every time Windows starts.
Note: The worm continually recreates these registry keys if they are deleted.
Creates the mutex H-E-L-L-B-O-T, so that only one instance of the worm is run on the compromised computer.
Gathers email addresses from the Windows Address Book and from the following locations:
%Windir%\Temporary Internet Files
%UserProfile%\Local Settings\Temporary Internet Files
%System%
Notes:
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
%UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[user name] (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Gathers email addresses from files with the following extensions on all local drives from C to Y:
.adb*
.asp*
.dbx*
.htm*
.php*
.pl
.sht*
.tbb*
.txt
.wab*
Avoids sending a copy of itself to email addresses that contain any of the following strings:
abuse
accoun
acketst
admin
anyone
arin.
avp
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
help
info
linux
listserv
me
no
nobody
noone
not
nothing
ntivi
page
postmaster
privacy
rating
root
samples
service
site
soft
somebody
someone
submit
support
the.bat
unix
webmaster
you
your
Avoids sending a copy of itself to email addresses that contain any of the following domain names:
.edu
.gov
.mil
arin.
berkeley
borlan
bsd
example
fido
foo.
fsf.
gnu
google
gov.
iana
ibm.com
icrosof
icrosoft
ietf
inpris
isc.o
isi.e
kernel
linux
math
mit.e
mozilla
mydomai
nodomai
panda
pgp
rfc-ed
ripe.
ruslis
secur
sendmail
sopho
syma
tanford.e
unix
usenet
utgers.ed
www
Appends the following prefixes to domain names in an attempt to find Simple Mail Transfer Protocol (SMTP) servers:
gate.
mail.
mail1.
mx.
mx1.
mxs.
ns.
relay.
smtp.
Uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:
From:
One of the following:
adam
alex
andrew
anna
bill
bob
brenda
brent
brian
britney
bush
claudia
dan
dave
david
debby
fred
george
helen
jack
james
jane
jerry
jim
jimmy
joe
john
jose
julie
kevin
leo
linda
lolita
madmax
maria
mary
matt
michael
mike
peter
ray
robert
sam
sandra
serg
smith
stan
steve
ted
tom
with one of the following domains:
aol.com
cia.gov
fbi.gov
hotmail.com
juno.com
msn.com
yahoo.com
Note: The worm may also spoof an address from one of those found on the computer.
Subject:
One of the following:
hello
Good Day
Error
Mail Delivery System
Mail Transaction Failed
Server Report
Status
[blank]
[random characters]
Message:
One of the following:
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The original message was included as an attachment.
Here are your banks documents
[random characters]
Attachment:
One of the following:
body
data
doc
document
file
message
readme
test
text
[random name]
with one of the following extensions:
.pif
.scr
.exe
.bat
.cmd
Note: The worm may also send a zip copy of itself. The zipped file will have .doc, .htm, or .txt as the first extension name and .exe, .pif, or .scr as the second extension name.
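The lure characteristics listed above (spoofed sender, canned subject, executable or double-extension attachment) as a mail-gateway triage check. This is an added example, not code from the Symantec writeup; the two-indicator threshold, the function names and the treatment of the zipped variant (the caller passes the name of the file inside the zip) are this example's own assumptions, and subjects or attachment names made of random characters cannot be matched by a list.

```python
import re

# Indicator lists transcribed from the writeup: sender names and domains,
# canned subjects, attachment base names/extensions, zipped double extensions.
SENDER_NAMES = set("""adam alex andrew anna bill bob brenda brent brian britney bush
claudia dan dave david debby fred george helen jack james jane jerry jim jimmy joe
john jose julie kevin leo linda lolita madmax maria mary matt michael mike peter ray
robert sam sandra serg smith stan steve ted tom""".split())
SENDER_DOMAINS = {"aol.com", "cia.gov", "fbi.gov", "hotmail.com", "juno.com",
                  "msn.com", "yahoo.com"}
SUBJECTS = {"hello", "good day", "error", "mail delivery system",
            "mail transaction failed", "server report", "status", ""}
ATTACH_NAMES = {"body", "data", "doc", "document", "file", "message",
                "readme", "test", "text"}
EXEC_EXTS = {"pif", "scr", "exe", "bat", "cmd"}
DOUBLE_EXT = re.compile(r"\.(doc|htm|txt)\.(exe|pif|scr)$", re.IGNORECASE)


def match_indicators(sender, subject, attachment):
    """Return the names of the lure characteristics a message matches."""
    hits = []
    local, _, domain = sender.lower().rpartition("@")
    if local in SENDER_NAMES and domain in SENDER_DOMAINS:
        hits.append("spoofed-sender")
    if subject.strip().lower() in SUBJECTS:
        hits.append("subject")
    name = attachment.lower()
    if DOUBLE_EXT.search(name):  # e.g. readme.txt.exe from the zipped variant
        hits.append("double-extension")
    else:
        base, _, ext = name.rpartition(".")
        if base in ATTACH_NAMES and ext in EXEC_EXTS:
            hits.append("attachment")
    return hits


def is_suspect(sender, subject, attachment, threshold=2):
    """Flag a message once `threshold` characteristics coincide.

    The threshold is this example's assumption: a canned bounce subject
    alone also occurs in legitimate mail, so one hit is not enough."""
    return len(match_indicators(sender, subject, attachment)) >= threshold


if __name__ == "__main__":
    # Constructed sample messages (sender, subject, attachment), not real traffic.
    for msg in [("john@hotmail.com", "Mail Transaction Failed", "document.pif"),
                ("bob@yahoo.com", "Re: lunch", "photo.txt.scr"),
                ("alice@example.org", "Quarterly report", "report.pdf"),
                ("mailer-daemon@mail.example.net", "Status", "summary.txt")]:
        print(msg, match_indicators(*msg), "SUSPECT" if is_suspect(*msg) else "ok")
```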
Opens a back door and listens on TCP port 10087.
Opens a back door by connecting to an IRC channel on the hell.warezdepot.net domain on TCP port 6667 and listens for commands that allow the remote attacker to perform the following actions:
Execute files
Download files
Perform other IRC commands determined by the attacker
Reboot the compromised computer
Scans for vulnerable computers and tries to exploit the Microsoft Windows LSASS Buffer Overrun Vulnerability (as described in Microsoft Security Bulletin MS04-011) and the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (as described in Microsoft Security Bulletin MS03-026).
Blocks access to several security-related Web sites by appending the following text to the hosts file:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.lycos-vds.com
127.0.0.1 t35.com
127.0.0.1 www.t35.com
127.0.0.1 t35.net
127.0.0.1 www.t35.net
127.0.0.1 funpic.org
127.0.0.1 www.funpic.org
127.0.0.1 funpic.de
127.0.0.1 www.funpic.de
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
========================================
To remove all the entries that the risk added to the hosts file
Navigate to the following location:
Windows 95/98/Me:
%Windir%
Windows NT/2000/XP:
%Windir%\System32\drivers\etc
Notes:
The location of the hosts file may vary and some computers may not have this file. There may also be multiple copies of this file in different locations. If the file is not located in these folders, search your disk drives for the hosts file, and then complete the following steps for each instance found.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
Double-click the hosts file.
If necessary, deselect the "Always use this program to open this file" check box.
Scroll through the list of programs and double-click Notepad.
When the file opens, delete all the entries added by the risk. (See the Technical Details section for a complete list of entries.)
Close Notepad and save your changes when prompted.
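The hosts-file cleanup above, done against the file's contents rather than by hand in Notepad. This is an added example, not part of the Symantec writeup; the blocked-name list is transcribed from the Technical Details above, and the `clean_hosts` function and its review-list behaviour are this example's own design.

```python
# Hostnames the writeup lists as appended to the hosts file by the worm.
BLOCKED = set("""www.symantec.com securityresponse.symantec.com symantec.com
www.sophos.com sophos.com www.mcafee.com mcafee.com liveupdate.symantecliveupdate.com
www.viruslist.com viruslist.com f-secure.com www.f-secure.com kaspersky.com
kaspersky-labs.com www.avp.com www.kaspersky.com avp.com www.networkassociates.com
networkassociates.com www.lycos-vds.com t35.com www.t35.com t35.net www.t35.net
funpic.org www.funpic.org funpic.de www.funpic.de www.ca.com ca.com mast.mcafee.com
my-etrust.com www.my-etrust.com download.mcafee.com dispatch.mcafee.com secure.nai.com
nai.com www.nai.com update.symantec.com updates.symantec.com us.mcafee.com
liveupdate.symantec.com customer.symantec.com rads.mcafee.com trendmicro.com
pandasoftware.com www.pandasoftware.com www.trendmicro.com www.grisoft.com
www.microsoft.com microsoft.com www.virustotal.com virustotal.com""".split())
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def clean_hosts(text):
    """Return (cleaned_text, removed_lines, review_lines) for hosts-file text.

    Lines mapping 127.0.0.1 to a name on the worm's list are removed; other
    loopback mappings for non-local names are kept but returned for manual
    review, because other variants block different sites."""
    kept, removed, review = [], [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 2 and fields[0] == "127.0.0.1":
            names = [n.lower() for n in fields[1:]]
            if any(n in BLOCKED for n in names):
                removed.append(line)
                continue
            if any(n not in LOCAL_NAMES for n in names):
                review.append(line)
        kept.append(line)
    cleaned = "\n".join(kept) + ("\n" if text.endswith("\n") else "")
    return cleaned, removed, review


# Constructed sample hosts file, not taken from a real machine.
SAMPLE_HOSTS = """# hosts file header comment
127.0.0.1 localhost
192.168.1.10 fileserver
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 update.example.net
"""

if __name__ == "__main__":
    cleaned, removed, review = clean_hosts(SAMPLE_HOSTS)
    print(cleaned, "removed:", removed, "review:", review, sep="\n")
```

Read the hosts file from the location given above, pass its contents to `clean_hosts`, and write the cleaned text back with administrator rights; repeat for every copy of the file found.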
=======================================
To delete the value from the registry
Click Start > Run.
Type regedit
Click OK.
Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
In the right pane, delete the value:
"WINTASK" = "taskfile.exe"
Exit the Registry Editor.
===================================