Virus:TR/Drop.LZ.1
Date discovered:23/09/2005
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:53.248 Bytes
MD5 checksum:de66d1fb8c7054dd99f7977820180cad
VDF version:6.32.0.40

 General Aliases:
   •  Symantec: W32.Mytob.GM@mm
   •  TrendMicro: WORM_MYTOB.KO
   •  F-Secure: W32/Mytob.LW@mm
   •  VirusBuster: I-Worm.Mytob.LQ
   •  Bitdefender: Win32.Worm.Mytob.KO


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disable security applications
   • Uses its own Email engine
   • Registry modification
   • Third party control

 Files It copies itself to the following location:
   • %SYSDIR%\LienVandeKelder.exe

 Registry The following registry keys are continuously in an infinite loop added in order to run the processes after reboot.

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "http://www.lienvandekelder.com/"="LienVandeKelder.exe"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "http://www.lienvandekelder.com/"="LienVandeKelder.exe"



The following registry key is changed:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   Old value:
   • "Start"=%user defined settings%
   New value:
   • "Start"=dword:00000004

 Email It contains an integrated SMTP engine in order to send Spam emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
Generated addresses. Please do not assume that it was the sender's intention to send this email to you. He might not know about his infection or might not even be infected at all. Furthermore it is possible that you will receive bounced emails telling you that you are infected. This might also not be the case.


To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)
– Generated addresses


Subject:
The following:
   • Account Alert

Furthermore the subject line could contain random letters.


Body:
– Contains HTML code.

   • Dear Valued Member,
     
     According to our terms of services, you will have to confirm your e-mail by the following link or your account will be suspended within 24 hours for security reasons.
     
     http://www.%receiver's email address%./confirm.php?email=%receiver's domain name and top level domain from email address%
     
     After following the instructions in the sheet, your account will not be interrupted and will continue as normal.
     
     Thanks for your attention to this request. We apologize for any inconvenience.
     
     Sincerely,%receiver's domain name from email address% Security Department



The email looks like the following:


 Mailing Search addresses:
It searches the following files for email addresses:
   • txt; htm; sht; jsp; cgi; xml; php; asp; dbx; tbb; adb; wab


Address generation for TO field:
To generate addresses it uses the following strings:
   • john; john; alex; michael; james; mike; kevin; david; george; sam;
      andrew; jose; leo; maria; jim; brian; serg; mary; ray; tom; peter;
      robert; bob; jane; joe; dan; dave; matt; steve; smith; stan; bill;
      bob; jack; fred; ted; adam; brent; alice; anna; brenda; claudia;
      debby; helen; jerry; jimmy; julie; linda; sam

It combines the result with domains that were found in files, which were previously searched for addresses.


Address generation for FROM field:
To generate addresses it uses the following string:
   • Admin

It combines the result with domains that were found in files, which were previously searched for addresses.


Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • avp; syma; icrosof; msn.; hotmail; panda; sopho; borlan; inpris;
      example; mydomai; nodomai; ruslis; .gov; gov.; .mil; foo.; berkeley;
      unix; math; bsd; mit.e; gnu; fsf.; ibm.com; google; kernel; linux;
      fido; usenet; iana; ietf; rfc-ed; sendmail; arin.; ripe.; isi.e;
      isc.o; secur; acketst; pgp; tanford.e; utgers.ed; mozilla; be_loyal:;
      root; info; samples; postmaster; webmaster; noone; nobody; nothing;
      anyone; someone; your; you; bugs; rating; site; contact; soft;
      somebody; privacy; service; help; not; submit; feste; gold-certs;
      the.bat; page; admin; icrosoft; support; ntivi; unix; bsd; linux;
      listserv; certific; google; accoun; spm; fcnz; www; secur; abuse;
      admin

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: 152.23.**********
Port: 4891
Channel: #new
Nickname: {LVDK}-%six-digit random character string%
Password: c00l



– This malware has the ability to collect and send information such as:
    • Free memory
    • Malware uptime


– Furthermore it has the ability to perform actions such as:
    • disconnect from IRC server
    • Download file
    • Send emails
    • Start spreading routine
    • Upload file

 Hosts The host file is modified as explained:

– In this case existing entries are deleted.

– Access to the following domains is effectively blocked:
   • 127.0.0.1 www.symantec.com; 127.0.0.1 securityresponse.symantec.com;
      127.0.0.1 symantec.com; 127.0.0.1 www.sophos.com;
      127.0.0.1 sophos.com; 127.0.0.1 www.mcafee.com; 127.0.0.1 mcafee.com;
      127.0.0.1 www.glwb.info; 127.0.0.1 glwb.info;
      127.0.0.1 www.viruslist.com; 127.0.0.1 viruslist.com;
      127.0.0.1 www.cert.org; 127.0.0.1 cert.org; 127.0.0.1 f-secure.com;
      127.0.0.1 www.f-secure.com; 127.0.0.1 kaspersky.com;
      127.0.0.1 www.kaspersky.com; 127.0.0.1 kaspersky-labs.com;
      127.0.0.1 www.kaspersky-labs.com; 127.0.0.1 www.clamav.net;
      127.0.0.1 clamav.net; 127.0.0.1 www.avp.com; 127.0.0.1 avp.com;
      127.0.0.1 www.networkassociates.com; 127.0.0.1 networkassociates.com;
      127.0.0.1 www.sarc.com; 127.0.0.1 sarc.com;
      127.0.0.1 www.farvista.net; 127.0.0.1 farvista.net;
      127.0.0.1 www.ca.com; 127.0.0.1 ca.com; 127.0.0.1 www.free-av.com;
      127.0.0.1 free-av.com; 127.0.0.1 www.f-prot.com; 127.0.0.1 f-prot.com;
      127.0.0.1 pandasoftware.com; 127.0.0.1 www.pandasoftware.com;
      127.0.0.1 mast.mcafee.com; 127.0.0.1 my-etrust.com;
      127.0.0.1 www.my-etrust.com; 127.0.0.1 www.avast.com;
      127.0.0.1 avast.com; 127.0.0.1 download.mcafee.com;
      127.0.0.1 dispatch.mcafee.com; 127.0.0.1 secure.nai.com;
      127.0.0.1 nai.com; 127.0.0.1 www.nai.com;
      127.0.0.1 update.symantec.com; 127.0.0.1 updates.symantec.com;
      127.0.0.1 us.mcafee.com; 127.0.0.1 customer.symantec.com;
      127.0.0.1 rads.mcafee.com; 127.0.0.1 trendmicro.com;
      127.0.0.1 www.trendmicro.com; 127.0.0.1 housecall.trendmicro.com;
      127.0.0.1 grisoft.com; 127.0.0.1 www.grisoft.com;
      127.0.0.1 free.grisoft.com; 127.0.0.1 www.microsoft.com;
      127.0.0.1 update.microsoft.com; 127.0.0.1 windowsupdate.microsoft.com;
      127.0.0.1 microsoft.com; 127.0.0.1 www.virustotal.com;
      127.0.0.1 virustotal.com




The modified host file will look like this:


 Process termination List of processes that are terminated:
   • ACKWIN32.EXE; ADAWARE.EXE; ADVXDWIN.EXE; AGENTSVR.EXE; AGENTW.EXE;
      ALERTSVC.EXE; ALEVIR.EXE; ALOGSERV.EXE; AMON9X.EXE; ANTI-TROJAN.EXE;
      ANTIVIRUS.EXE; ANTS.EXE; APIMONITOR.EXE; APLICA32.EXE; APVXDWIN.EXE;
      ARR.EXE; ATCON.EXE; ATGUARD.EXE; ATRO55EN.EXE; ATUPDATER.EXE;
      ATUPDATER.EXE; ATWATCH.EXE; AU.EXE; AUPDATE.EXE; AUPDATE.EXE;
      AUTODOWN.EXE; AUTODOWN.EXE; AUTOTRACE.EXE; AUTOTRACE.EXE;
      AUTOUPDATE.EXE; AUTOUPDATE.EXE; AVCONSOL.EXE; AVE32.EXE; AVGCC32.EXE;
      AVGCTRL.EXE; AVGNT.EXE; AVGSERV.EXE; AVGSERV9.EXE; AVGUARD.EXE;
      AVGW.EXE; AVKPOP.EXE; AVKSERV.EXE; AVKSERVICE.EXE; AVKWCTl9.EXE;
      AVLTMAIN.EXE; AVNT.EXE; AVP.EXE; AVP32.EXE; AVPCC.EXE; AVPDOS32.EXE;
      AVPM.EXE; AVPTC32.EXE; AVPUPD.EXE; AVPUPD.EXE; AVSCHED32.EXE;
      AVSYNMGR.EXE; AVWINNT.EXE; AVWUPD.EXE; AVWUPD32.EXE; AVWUPD32.EXE;
      AVWUPSRV.EXE; AVXMONITOR9X.EXE; AVXMONITORNT.EXE; AVXQUAR.EXE;
      AVXQUAR.EXE; BACKWEB.EXE; BARGAINS.EXE; BD_PROFESSIONAL.EXE;
      BEAGLE.EXE; BELT.EXE; BIDEF.EXE; BIDSERVER.EXE; BIPCP.EXE;
      BIPCPEVALSETUP.EXE; BISP.EXE; BLACKD.EXE; BLACKICE.EXE; BLSS.EXE;
      BOOTCONF.EXE; BOOTWARN.EXE; BORG2.EXE; BPC.EXE; BRASIL.EXE; BS120.EXE;
      BUNDLE.EXE; BVT.EXE; CCAPP.EXE; CCEVTMGR.EXE; CCPXYSVC.EXE; CDP.EXE;
      CFD.EXE; CFGWIZ.EXE; CFIADMIN.EXE; CFIAUDIT.EXE; CFIAUDIT.EXE;
      CFINET.EXE; CFINET32.EXE; CLEAN.EXE; CLEANER.EXE; CLEANER3.EXE;
      CLEANPC.EXE; CLICK.EXE; CMD32.EXE; CMESYS.EXE; CMGRDIAN.EXE;
      CMON016.EXE; CONNECTIONMONITOR.EXE; CPD.EXE; CPF9X206.EXE;
      CPFNT206.EXE; CTRL.EXE; CV.EXE; CWNB181.EXE; CWNTDWMO.EXE;
      CLAW95CF.EXE; DATEMANAGER.EXE; DCOMX.EXE; DEFALERT.EXE;
      DEFSCANGUI.EXE; DEFWATCH.EXE; DEPUTY.EXE; DIVX.EXE; DLLCACHE.EXE;
      DLLREG.EXE; DOORS.EXE; DPF.EXE; DPFSETUP.EXE; DPPS2.EXE; DRWATSON.EXE;
      DRWEB32.EXE; DRWEBUPW.EXE; DSSAGENT.EXE; DVP95.EXE; DVP95_0.EXE;
      ECENGINE.EXE; EFPEADM.EXE; EMSW.EXE; ENT.EXE; ESAFE.EXE; ESCANHNT.EXE;
      ESCANV95.EXE; ESPWATCH.EXE; ETHEREAL.EXE; ETRUSTCIPE.EXE; EVPN.EXE;
      EXANTIVIRUS-CNET.EXE; EXE.AVXW.EXE; EXPERT.EXE; EXPLORE.EXE;
      F-PROT.EXE; F-PROT95.EXE; F-STOPW.EXE; FAMEH32.EXE; FAST.EXE;
      FCH32.EXE; FIH32.EXE; FINDVIRU.EXE; FIREWALL.EXE; FNRB32.EXE;
      FP-WIN.EXE; FP-WIN_TRIAL.EXE; FPROT.EXE; FRW.EXE; FSAA.EXE; FSAV.EXE;
      FSAV32.EXE; FSAV530STBYB.EXE; FSAV530WTBYB.EXE; FSAV95.EXE;
      FSGK32.EXE; FSM32.EXE; FSMA32.EXE; FSMB32.EXE; GATOR.EXE; GBMENU.EXE;
      GBPOLL.EXE; GENERICS.EXE; GMT.EXE; GUARD.EXE; GUARDDOG.EXE;
      HACKTRACERSETUP.EXE; HBINST.EXE; HBSRV.EXE; HOTACTIO.EXE;
      HOTPATCH.EXE; HTLOG.EXE; HTPATCH.EXE; HWPE.EXE; HXDL.EXE; HXIUL.EXE;
      IAMAPP.EXE; IAMSERV.EXE; IAMSTATS.EXE; IBMASN.EXE; IBMAVSP.EXE;
      ICLOADNT.EXE; ICMON.EXE; ICSUPP95.EXE; ICSUPPNT.EXE; IDLE.EXE;
      IEDLL.EXE; IEDRIVER.EXE; IEXPLORER.EXE; IFACE.EXE; IFW2000.EXE;
      INETLNFO.EXE; INFUS.EXE; INFWIN.EXE; INIT.EXE; INTDEL.EXE; INTREN.EXE;
      IOMON98.EXE; ISTSVC.EXE; JAMMER.EXE; JDBGMRG.EXE; JEDI.EXE;
      KAVLITE40ENG.EXE; KAVPERS40ENG.EXE; KAVPF.EXE; KAZZA.EXE;
      KEENVALUE.EXE; KERIO-PF-213-EN-WIN.EXE; KERIO-WRL-421-EN-WIN.EXE;
      KERIO-WRP-421-EN-WIN.EXE; KERNEL32.EXE; KILLPROCESSSETUP161.EXE;
      LAUNCHER.EXE; LDNETMON.EXE; LDPRO.EXE; LDPROMENU.EXE; LDSCAN.EXE;
      LNETINFO.EXE; LOADER.EXE; LOCALNET.EXE; LOCKDOWN.EXE;
      LOCKDOWN2000.EXE; LOOKOUT.EXE; LORDPE.EXE; LSETUP.EXE; LUALL.EXE;
      LUALL.EXE; LUAU.EXE; LUCOMSERVER.EXE; LUINIT.EXE; LUSPT.EXE;
      MAPISVC32.EXE; MCAGENT.EXE; MCMNHDLR.EXE; MCSHIELD.EXE; MCTOOL.EXE;
      MCUPDATE.EXE; MCUPDATE.EXE; MCVSRTE.EXE; MCVSSHLD.EXE; MD.EXE;
      MFIN32.EXE; MFW2EN.EXE; MFWENG3.02D30.EXE; MGAVRTCL.EXE; MGAVRTE.EXE;
      MGHTML.EXE; MGUI.EXE; MINILOG.EXE; MMOD.EXE; MONITOR.EXE; MOOLIVE.EXE;
      MOSTAT.EXE; MPFAGENT.EXE; MPFSERVICE.EXE; MPFTRAY.EXE; MRFLUX.EXE;
      MSAPP.EXE; MSBB.EXE; MSBLAST.EXE; MSCACHE.EXE; MSCCN32.EXE;
      MSCMAN.EXE; MSCONFIG.EXE; MSDM.EXE; MSDOS.EXE; MSIEXEC16.EXE;
      MSINFO32.EXE; MSLAUGH.EXE; MSMGT.EXE; MSMSGRI32.EXE; MSSMMC32.EXE;
      MSSYS.EXE; MSVXD.EXE; MU0311AD.EXE; MWATCH.EXE; N32SCANW.EXE; NAV.EXE;
      AUTO-PROTECT.NAV80TRY.EXE; NAVAP.NAVAPSVC.EXE; NAVAPSVC.EXE;
      NAVAPW32.EXE; NAVDX.EXE; NAVLU32.EXE; NAVNT.EXE; NAVSTUB.EXE;
      NAVW32.EXE; NAVWNT.EXE; NC2000.EXE; NCINST4.EXE; NDD32.EXE;
      NEOMONITOR.EXE; NEOWATCHLOG.EXE; NETARMOR.EXE; NETD32.EXE;
      NETINFO.EXE; NETMON.EXE; NETSCANPRO.EXE; NETSPYHUNTER-1.2.EXE;
      NETSTAT.EXE; NETUTILS.EXE; NISSERV.EXE; NISUM.EXE; NMAIN.EXE;
      NOD32.EXE; NORMIST.EXE; NORTON_INTERNET_SECU_3.0_407.EXE;
      NOTSTART.EXE; NPF40_TW_98_NT_ME_2K.EXE; NPFMESSENGER.EXE;
      NPROTECT.EXE; NPSCHECK.EXE; NPSSVC.EXE; NSCHED32.EXE; NSSYS32.EXE;
      NSTASK32.EXE; NSUPDATE.EXE; NT.EXE; NTRTSCAN.EXE; NTVDM.EXE;
      NTXconfig.EXE; NUI.EXE; NUPGRADE.EXE; NUPGRADE.EXE; NVARCH16.EXE;
      NVC95.EXE; NVSVC32.EXE; NWINST4.EXE; NWSERVICE.EXE; NWTOOL16.EXE;
      OLLYDBG.EXE; ONSRVR.EXE; OPTIMIZE.EXE; OSTRONET.EXE; OTFIX.EXE;
      OUTPOST.EXE; OUTPOST.EXE; OUTPOSTINSTALL.EXE; OUTPOSTPROINSTALL.EXE;
      PADMIN.EXE; PANIXK.EXE; PATCH.EXE; PAVCL.EXE; PAVPROXY.EXE;
      PAVSCHED.EXE; PAVW.EXE; PCFWALLICON.EXE; PCIP10117_0.EXE; PCSCAN.EXE;
      PDSETUP.EXE; PERISCOPE.EXE; PERSFW.EXE; PERSWF.EXE; PF2.EXE;
      PFWADMIN.EXE; PGMONITR.EXE; PINGSCAN.EXE; PLATIN.EXE; POP3TRAP.EXE;
      POPROXY.EXE; POPSCAN.EXE; PORTDETECTIVE.EXE; PORTMONITOR.EXE;
      POWERSCAN.EXE; PPINUPDT.EXE; PPTBC.EXE; PPVSTOP.EXE; PRIZESURFER.EXE;
      PRMT.EXE; PRMVR.EXE; PROCDUMP.EXE; PROCESSMONITOR.EXE;
      PROCEXPLORERV1.0.EXE; PROGRAMAUDITOR.EXE; PROPORT.EXE; PROTECTX.EXE;
      PSPF.EXE; PURGE.EXE; QCONSOLE.EXE; QSERVER.EXE; RAPAPP.EXE; RAV7.EXE;
      RAV7WIN.EXE; RAV8WIN32ENG.EXE; RAY.EXE; RB32.EXE; RCSYNC.EXE;
      REALMON.EXE; REGED.EXE; REGEDIT.EXE; REGEDT32.EXE; RESCUE.EXE;
      RESCUE32.EXE; RRGUARD.EXE; RSHELL.EXE; RTVSCAN.EXE; RTVSCN95.EXE;
      RULAUNCH.EXE; RUN32DLL.EXE; RUNDLL.EXE; RUNDLL16.EXE; RUXDLL32.EXE;
      SAFEWEB.EXE; SAHAGENT.EXE; SAVE.EXE; SAVENOW.EXE; SBSERV.EXE; SC.EXE;
      SCAM32.EXE; SCAN32.EXE; SCAN95.EXE; SCANPM.EXE; SCRSCAN.EXE;
      SETUPVAMEEVAL.EXE; SETUP_FLOWPROTECTOR_US.EXE; SFC.EXE; SGSSFW32.EXE;
      SH.EXE; SHELLSPYINSTALL.EXE; SHN.EXE; SHOWBEHIND.EXE; SMC.EXE;
      SMS.EXE; SMSS32.EXE; SOAP.EXE; SOFI.EXE; SPERM.EXE; SPF.EXE;
      SPHINX.EXE; SPOLER.EXE; SPOOLCV.EXE; SPOOLSV32.EXE; SPYXX.EXE;
      SREXE.EXE; SRNG.EXE; SS3EDIT.EXE; SSGRATE.EXE; SSG_4104.EXE; ST2.EXE;
      START.EXE; STCLOADER.EXE; SUPFTRL.EXE; SUPPORT.EXE; SUPPORTER5.EXE;
      SVC.EXE; SVCHOSTC.EXE; SVCHOSTS.EXE; SVSHOST.EXE; SWEEP95.EXE;
      SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE; SYMPROXYSVC.EXE; SYMTRAY.EXE;
      SYSEDIT.EXE; SYSTEM.EXE; SYSTEM32.EXE; SYSUPD.EXE; TASKMG.EXE;
      TASKMO.EXE; TASKMON.EXE; TAUMON.EXE; TBSCAN.EXE; TC.EXE; TCA.EXE;
      TCM.EXE; TDS-3.EXE; TDS2-NT.EXE; TEEKIDS.EXE; TFAK.EXE; TFAK5.EXE;
      TGBOB.EXE; TITANIN.EXE; TITANINXP.EXE; TRACERT.EXE; TRICKLER.EXE;
      TRJSCAN.EXE; TRJSETUP.EXE; TROJANTRAP3.EXE; TSADBOT.EXE; TVMD.EXE;
      TVTMD.EXE; UNDOBOOT.EXE; UPDAT.EXE; UPDATE.EXE; UPDATE.EXE;
      UPGRAD.EXE; UTPOST.EXE; VBCMSERV.EXE; VBCONS.EXE; VBUST.EXE;
      VBWIN9X.EXE; VBWINNTW.EXE; VCSETUP.EXE; VET32.EXE; VET95.EXE;
      VETTRAY.EXE; VFSETUP.EXE; VIR-HELP.EXE; VIRUSMDPERSONALFIREWALL.EXE;
      VNLAN300.EXE; VNPC3000.EXE; VPC32.EXE; VPC42.EXE; VPFW30S.EXE;
      VPTRAY.EXE; VSCAN40.EXE; VSCENU6.02D30.EXE; VSCHED.EXE; VSECOMR.EXE;
      VSHWIN32.EXE; VSISETUP.EXE; VSMAIN.EXE; VSMON.EXE; VSSTAT.EXE;
      VSWIN9XE.EXE; VSWINNTSE.EXE; VSWINPERSE.EXE; W32DSM89.EXE; W9X.EXE;
      WATCHDOG.EXE; WEBDAV.EXE; WEBSCANX.EXE; WEBTRAP.EXE; WFINDV32.EXE;
      WHOSWATCHINGME.EXE; WIMMUN32.EXE; WIN-BUGSFIX.EXE; WIN32.EXE;
      WIN32US.EXE; WINACTIVE.EXE; WINDOW.EXE; WINDOWS.EXE; WININETD.EXE;
      WININIT.EXE; WININITX.EXE; WINLOGIN.EXE; WINMAIN.EXE; WINNET.EXE;
      WINPPR32.EXE; WINRECON.EXE; WINSERVN.EXE; WINSSK32.EXE; WINSTART.EXE;
      WINSTART001.EXE; WINTSK32.EXE; WINUPDATE.EXE; WKUFIND.EXE; WNAD.EXE;
      WNT.EXE; WRADMIN.EXE; WRCTRL.EXE; WSBGATE.EXE; WUPDATER.EXE;
      WUPDT.EXE; WYVERNWORKSFIREWALL.EXE; XPF202EN.EXE; ZAPRO.EXE;
      ZAPSETUP3001.EXE; ZATUTOR.EXE; ZONALM2601.EXE; ZONEALARM.EXE;
      _AVP32.EXE; _AVPCC.EXE; _AVPM.EXE; TASKMGR.EXE; NEC.EXE


 Miscellaneous Mutex:
It creates the following Mutex:
   • LienVandeKelder

Description inserted by Razvan Olteanu on Monday, September 26, 2005
Description updated by Razvan Olteanu on Thursday, September 29, 2005

Back . . . .