Nume:Worm/Mytob.IL
Descoperit pe data de:11/07/2005
Tip:Vierme
ITW:Da
Numar infectii raportate:Scazut spre mediu
Potential de raspandire:Mediu
Potential de distrugere:Mediu
Fisier static:Da
Marime:32.804 Bytes
MD5:0caef9bac137c033af9c5dfa37cbf2ad
Versiune IVDF:6.31.00.180 - Montag, 11. Juli 2005

 General Metode de raspandire:
   • Email
   • Reteaua locala


Alias:
   •  Mcafee: W32/Mytob.gen
   •  Sophos: W32/Mytob-DI
   •  Panda: W32/Spamta.gen.worm
   •  Eset: Win32/Mydoom.BI
   •  Bitdefender: Win32.Worm.Mytob.BT


Sistem de operare:
   • Windows 2000
   • Windows XP
   • Windows 2003


Efecte secundare:
   • Creeaza fisiere malware
   • Reduce setarile de securitate
   • Modificari in registri

 Fisiere Se copiaza in urmatoarea locatie:
   • %SYSDIR%\M0USE.exe



Suprascrie un fisier.
– %SYSDIR%\drivers\etc\hosts

 Registrii sistemului Se adauga una din valorile urmatoare pentru fiecare cheie din registri, pentru a porni procesul dupa reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "Userinterface Report3r"="M0USE.exe"



Urmatoarele chei din registri sunt modificate:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Noua valoare:
   • "Shell"="Explorer.exe M0USE.exe"

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   Noua valoare:
   • "Start"=dword:0x00000004

 Email Are un motor SMTP integrat. Va fi facuta o conexiune directa cu serverul destinatar. Iata caracteristicile lui:


De la:
Adresa este falsificata.
De la: Adresa expeditorului este chiar contul Outlook al utilizatorului


Catre:
– Adrese de email gasite pe sistem.
– Adrese de email obtinute din WAB (Windows Address Book)


Subiect:
Unul din urmatoarele:
   • *DETECTED* Online User Violation
   • Important Notification
   • Members Support
   • Notice of account limitation
   • Security measures
   • Warning Message: Your services near to be closed.
   • You have successfully updated your password
   • YOUR ACCOUNT IS SUSPENDED
   • Your Account is Suspended For Security Reasons
   • Your new account password is approved
   • Your password has been successfully updated
   • Your password has been updated



Corpul email-ului:
–  Corpul email-ului este gol.


Atasament:
Numele fisierului atasat este unul din urmatoarele:
   • account-details.zip
   • account-info.zip
   • account-password.zip
   • account-report.zip
   • document.zip
   • email-details.zip
   • email-password.zip
   • important-details.zip
   • iphp.zip
   • irscd.zip
   • new-password.zip
   • password.zip
   • rfb.zip
   • ums.zip
   • updated-password.zip
   • yzmeisu.zip

–  Incepe cu unul din urmatoarele:
Atasamentul este o copie malware.

 Email Cautare adrese:
Cauta adrese de email in urmatoarele fisiere:
   • wab; html; adb; tbb; dbx; php; xml; cgi; jsp; sht; htm


Genereaza adrese pentru campul destinatarului:
Pentru a genera adrese foloseste urmatoarele texte:
   • sandra; adam; frank; linda; julie; jimmy; jerry; helen; debby;
      claudia; brenda; anna; sales; brent; paul; ted; fred; jack; bill;
      stan; smith; steve; matt; dave; dan; joe; jane; bob; robert; peter;
      tom; ray; mary; serg; brian; jim; maria; leo; jose; andrew; sam;
      george; david; kevin; mike; james; michael; alex; josh; john

Combina rezultatul cu domeniile din urmatoarea lista sau cu domeniile gasite in fisierele de pe sistem.
Pentru a genera adrese foloseste urmatoarele texte:
   • accoun; certific; listserv; ntivi; support; icrosoft; admin; page;
      the.bat; gold-certs; ca; feste; submit; not; help; service; privacy;
      somebody; no; soft; contact; site; rating; bugs; me; you; your;
      someone; anyone; nothing; nobody; noone; webmaster; postmaster;
      samples; info; root



Prefixeaza domeniile adreselor de email:
Pentru a afla IP-ul serverului de mail, poate adauga inaintea domeniului urmatoarele siruri de caractere:
   • gate
   • ns
   • relay
   • mail1
   • mxs
   • mx1
   • smtp
   • mail
   • mx

 IRC Pentru a trimite informatii si pentru a fi controlat se conecteaza la serverul IRC:

Server: name.turkinti**********.com
Port: 7745
Canal: #news
Nick: ]XP[%numar%
Parola: comeon


– In plus, poate efectua urmatoarele operatii:
    • descarcare fisier
    • terminare proces
    • Se actualizeaza singur

 Fisiere host Fisierul

– In acest caz inregistrarile existente raman nemodificate.

– Accesul la urmatoarele domenii este blocat:
   • 127.0.0.1 www.symantec.com; 127.0.0.1 securityresponse.symantec.com;
      127.0.0.1 symantec.com; 127.0.0.1 www.sophos.com;
      127.0.0.1 sophos.com; 127.0.0.1 www.mcafee.com; 127.0.0.1 mcafee.com;
      127.0.0.1 liveupdate.symantecliveupdate.com;
      127.0.0.1 www.viruslist.com; 127.0.0.1 viruslist.com;
      127.0.0.1 viruslist.com; 127.0.0.1 f-secure.com;
      127.0.0.1 www.f-secure.com; 127.0.0.1 kaspersky.com;
      127.0.0.1 kaspersky-labs.com; 127.0.0.1 www.avp.com;
      127.0.0.1 www.kaspersky.com; 127.0.0.1 avp.com;
      127.0.0.1 www.networkassociates.com; 127.0.0.1 networkassociates.com;
      127.0.0.1 www.ca.com; 127.0.0.1 ca.com; 127.0.0.1 mast.mcafee.com;
      127.0.0.1 my-etrust.com; 127.0.0.1 www.my-etrust.com;
      127.0.0.1 download.mcafee.com; 127.0.0.1 dispatch.mcafee.com;
      127.0.0.1 secure.nai.com; 127.0.0.1 nai.com; 127.0.0.1 www.nai.com;
      127.0.0.1 update.symantec.com; 127.0.0.1 updates.symantec.com;
      127.0.0.1 us.mcafee.com; 127.0.0.1 liveupdate.symantec.com;
      127.0.0.1 customer.symantec.com; 127.0.0.1 rads.mcafee.com;
      127.0.0.1 trendmicro.com; 127.0.0.1 pandasoftware.com;
      127.0.0.1 www.pandasoftware.com; 127.0.0.1 www.trendmicro.com;
      127.0.0.1 www.grisoft.com; 127.0.0.1 www.microsoft.com;
      127.0.0.1 microsoft.com; 127.0.0.1 www.virustotal.com;
      127.0.0.1 virustotal.com; 127.0.0.1 www.amazon.com;
      127.0.0.1 www.amazon.co.uk; 127.0.0.1 www.amazon.ca;
      127.0.0.1 www.amazon.fr; 127.0.0.1 www.paypal.com;
      127.0.0.1 paypal.com; 127.0.0.1 moneybookers.com;
      127.0.0.1 www.moneybookers.com; 127.0.0.1 www.ebay.com;
      127.0.0.1 ebay.com


 Detaliile fisierului Compresia fisierului:
Pentru a ingreuna detectia si a reduce marimea fisierului, este folosit un program de compresie runtime.

Die Beschreibung wurde erstellt von Petre Galan am Montag, 23. November 2009
Die Beschreibung wurde geändert von Petre Galan am Dienstag, 24. November 2009

zurück . . . .