Saturday, 30 July 2005
Malware type: Worm
Aliases: No Alias Found
In the wild: Yes
Destructive: No
Language: English
Platform: Windows NT, 2000, XP, Server 2003
Encrypted: No
Characteristics: Propagates via email, Propagates via network shares, Propagates via software vulnerabilities
Description:
This worm drops a file that Trend Micro detects as WORM_MYTOB.J. It modifies the registry to ensure its automatic execution at every Windows startup.
This worm propagates by attaching a copy of itself to email messages that it sends via its own Simple Mail Transfer Protocol (SMTP) engine. The email that it sends has the following details:
Subject: (any of the following)
- Error
- Good day
- hello
- Mail Delivery System
- Mail Transaction Fail
- Server Report
- Status
Message body: (any of the following)
- Here are your banks document.
- Mail Transaction failed. Partial message is available.
- The message cannot be represented in 7-bit ASCII encoding and has been sent as binary attachment.
- The message contains Unicode characters and has been sent as a binary attachement.
- The original message was included as an attachment.
Attachment: (any of the following)
- data
- doc
- document
- file
- hate
- Important
- joke
- readme
- sec
- txt
The attachment file may have any of the following extension names:
- BAT
- CMD
- EXE
- PIF
- SCR
- ZIP
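A mail-gateway style check for the lure characteristics listed above, added here as an illustration and not part of the Trend Micro description. The indicator lists are transcribed from this page; the sample messages are constructed, and the scoring rule (attachment match plus at least one lure match) is an assumption of this example, not Trend Micro's detection logic.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicator lists transcribed from the WORM_MYTOB.J description above.
SUBJECTS = {"error", "good day", "hello", "mail delivery system",
            "mail transaction fail", "server report", "status"}
BODY_PHRASES = ("here are your banks document",
                "mail transaction failed. partial message is available",
                "7-bit ascii encoding and has been sent as binary attachment",
                "unicode characters and has been sent as a binary attachement",
                "the original message was included as an attachment")
ATTACH_NAMES = {"data", "doc", "document", "file", "hate", "important",
                "joke", "readme", "sec", "txt"}
ATTACH_EXTS = {"bat", "cmd", "exe", "pif", "scr", "zip"}


def mytob_indicators(raw: bytes) -> dict:
    """Report which of the page's email indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    hits = {"subject": subject in SUBJECTS, "body": False, "attachment": False}
    for part in msg.walk():
        if part.is_attachment() or part.get_filename():
            # Base name and extension must both come from the lists above.
            name, _, ext = (part.get_filename() or "").rpartition(".")
            if name.lower() in ATTACH_NAMES and ext.lower() in ATTACH_EXTS:
                hits["attachment"] = True
        elif part.get_content_type() == "text/plain":
            text = part.get_content().lower()
            hits["body"] |= any(p in text for p in BODY_PHRASES)
    return hits


def is_suspect(raw: bytes) -> bool:
    """Assumed rule: matching attachment plus a matching subject or body text."""
    h = mytob_indicators(raw)
    return h["attachment"] and (h["subject"] or h["body"])


def sample_message(subject: str, body: str, filename: str) -> bytes:
    """Build a constructed test message; the attachment is placeholder bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"placeholder-not-malware", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```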
This worm also propagates via network shares. It searches for available shared folders within a network, and drops a copy of itself on these shares. It also generates random IP addresses, and drops a copy of itself in the default shares of the target addresses.
It also exploits the Windows LSASS vulnerability. For more information about this vulnerability, please see this page:
Microsoft Security Bulletin MS04-011
This worm has backdoor capabilities. It connects to an Internet Relay Chat (IRC) server and joins a channel. Once connected, it listens for commands coming from a remote malicious user, and it executes these commands on the affected system.
It also modifies the HOSTS file to prevent access to several Web sites. Trend Micro detects the modified HOSTS file as DOS_AGOBOT.GEN.