W32.Mytob.J@mm
Friday, 25 March 2005
W32.Mytob.J@mm is a mass-mailing worm that has back door capabilities and uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer.

The worm spreads through the network by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).
Type: Worm
Infection Length: 69,632 bytes

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When W32.Mytob.J@mm is executed, it performs the following actions:

Copies itself as %System%\taskgmr.exe.

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Drops the file %SystemDrive%\hellmsn.exe, which then creates the following copies of the worm:

%SystemDrive%\FUNNY_PIC.SCR
%SystemDrive%\MY_PHOTO2005.SCR
%SystemDrive%\SEE_THIS!!.SCR

Note: %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.

Adds the value:

"WINTASK" = "taskgmr.exe"

to the registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_CURRENT_USER\Software\Microsoft\Ole

so that W32.Mytob.J@mm runs every time Windows starts.


Gathers email addresses from the Windows Address Book and from the following locations:

%Windir%\Temporary Internet Files
%UserProfile%\Local Settings\Temporary Internet Files

Notes:
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%UserProfile% is a variable that refers to the current user's profile folder. By default, this is under C:\Documents and Settings (Windows NT/2000/XP).


Gathers email addresses from files with the following extensions:

.adb
.asp
.dbx
.htm
.php
.pl
.sht
.tbb
.txt
.wab

The worm will not send itself to email addresses that contain any of the following strings:

.gov
.mil
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
gov.
help
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
listserv
math
me
mit.e
mozilla
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.e
the.bat
unix
usenet
utgers.ed
webmaster
you
your

Uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:

From:
The From address is spoofed.

The name is created from the following name list:

adam
alex
andrew
anna
bill
bob
brenda
brent
brian
britney
bush
claudia
dan
dave
david
debby
fred
george
helen
jack
james
jane
jerry
jim
jimmy
joe
john
jose
julie
kevin
leo
linda
lolita
madmax
maria
mary
matt
michael
mike
peter
ray
robert
sam
sandra
serg
smith
stan
steve
ted
tom

The name is followed by one of these domains:

aol.com
cia.gov
fbi.gov
hotmail.com
juno.com
msn.com
yahoo.com

Subject:
The subject is one of the following:

Good day
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
(No Subject)
(random letters)

Message:
The message body is one of the following:

Here are your banks documents.
The original message was included as an attachments.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.
(No body)
(Random data)

Attachment:
The attachment may contain one of the following:

document
readme
doc
text
file
data
test
message
body
(random letters)

with one of the following extensions:

.bat
.cmd
.exe
.pif
.scr
.zip

If the attachment is a .zip file, the copy of the worm inside it may have one of the following second extensions:

.doc
.txt
.htm
.html

Starts an FTP server on a random TCP port.

Connects to the IRC channel #hellbot2 on the irc.blackcarder.net domain and listens for commands that allow the remote attacker to perform some of the following actions:

Download files
Execute files
Restart the system
Issue IRC commands as directed by the remote attacker

May scan for vulnerable computers and try to exploit the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).

Blocks access to several security-related Web sites by appending the following text to the Hosts file:

127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 customer.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 rads.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 viruslist.com
127.0.0.1 www.avp.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.com
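One way to check a machine for this kind of Hosts-file tampering is to flag every loopback line that maps a name other than localhost, and to mark which of those names are on the worm's list. The following is an added example, not code from the original writeup: SAMPLE_HOSTS is a constructed Hosts file, and MYTOB_DOMAINS is a subset of the domains listed above.

```python
"""Flag and strip Hosts-file entries like the ones W32.Mytob.J@mm appends.
Added example, not from the original writeup. SAMPLE_HOSTS is constructed;
the vendor domains in MYTOB_DOMAINS are taken from the list above."""

# Subset of the domains the writeup says the worm maps to 127.0.0.1.
MYTOB_DOMAINS = {
    "avp.com", "ca.com", "customer.symantec.com", "f-secure.com",
    "kaspersky.com", "liveupdate.symantec.com", "mcafee.com", "nai.com",
    "sophos.com", "symantec.com", "trendmicro.com", "www.microsoft.com"}
LOOPBACK = {"127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample: a normal header, one legitimate mapping, then three
# appended loopback lines (two known vendor domains, one unknown name).
SAMPLE_HOSTS = """# constructed sample Hosts file
127.0.0.1       localhost
10.1.2.3        intranet.example.test
127.0.0.1 symantec.com
127.0.0.1 www.microsoft.com   # a trailing comment must not hide the entry
127.0.0.1 example.test
"""

def parse_hosts(text):
    """Yield (lineno, ip, [names]) for each Hosts line that maps something."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # strip comments, tokenize
        if len(fields) >= 2:
            yield lineno, fields[0], [n.lower() for n in fields[1:]]

def suspicious_entries(text):
    """Return (lineno, name, known_mytob) for every loopback line that
    hijacks a name other than localhost; known_mytob marks listed domains."""
    hits = []
    for lineno, ip, names in parse_hosts(text):
        if ip in LOOPBACK:
            for name in names:
                if name not in LOCAL_NAMES:
                    hits.append((lineno, name, name in MYTOB_DOMAINS))
    return hits

def clean_hosts(text):
    """Return the Hosts content with every suspicious line removed."""
    bad = {lineno for lineno, _, _ in suspicious_entries(text)}
    kept = [raw for i, raw in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    for lineno, name, known in suspicious_entries(SAMPLE_HOSTS):
        tag = "known Mytob target" if known else "unexpected loopback entry"
        print(f"line {lineno}: {name} ({tag})")
```

On a real system the content would be read from %Windir%\system32\drivers\etc\hosts; an unknown loopback name is worth a look even when it is not on the list, since other variants use different domains.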

To delete the value from the registry:
Click Start > Run.
Type regedit, then click OK.

Navigate to each of the following subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_CURRENT_USER\Software\Microsoft\Ole

In the right pane, delete the value:

"WINTASK" = "taskgmr.exe"

Exit the Registry Editor.