Date discovered:13/12/2012
In the wild:No
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:No
File size:118,784 bytes
VDF version:

General
Method of propagation:
   • Email

Aliases:
   •  Kaspersky:
   •  TrendMicro: WORM_MYTOB.LY

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP

Side effects:
   • Blocks access to security websites
   • Disables security applications
   • Uses its own Email engine
   • Lowers security settings
   • Registry modification
   • Third party control

Files
It copies itself to the following location:
   • %SYSDIR%\mshotmon.exe

It copies itself within an archive to the following location:
   • %TEMPDIR%\tmp%hex number%.tmp

Registry
The following registry keys are added in order to run the processes after reboot:

– HKLM\software\microsoft\windows\currentversion\run
   • "microsoft hotmail monitor"="mshotmon.exe"

– HKLM\software\microsoft\windows\currentversion\runservices
   • "microsoft hotmail monitor"="mshotmon.exe"

Email
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination mail server is established. The characteristics are described in the following:

From:
Generated addresses (see "Address generation for FROM field" below). Please do not assume that it was the sender's intention to send this email to you. The apparent sender might not know about his infection or might not even be infected at all. Furthermore it is possible that you will receive bounced emails telling you that you are infected. This might also not be the case.

To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)
– Generated addresses

Subject:
One of the following:
   • "README"

Furthermore the subject line could contain random letters.

Body:
– Contains HTML code.
The body of the email is one of the following:

   • Dear user %receiver's email address%,
     It has come to our attention that your %sender's domain%
      User Profile ( x ) records are out of date. For further details see the attached document.
     Thank you for using %sender's domain%!
     The %sender's domain% Support Team
     +++ Attachment: No Virus (Clean)
     +++ %sender's domain% Antivirus - %sender's domain%

   • Dear %sender's domain% Member,
     Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.
     If you choose to ignore our request, you leave us no choice but to cancel your membership.
     Virtually yours,
     The %sender's domain% Support Team
     +++ Attachment: No Virus found
     +++ %sender's domain% Antivirus - %sender's domain%

   • Dear %sender's domain% Member,
     We have temporarily suspended your email account %receiver's email address% .
     This might be due to either of the following reasons:
     1. A recent change in your personal information (i.e. change of address).
     2. Submiting invalid information during the initial sign up process.
     3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
     See the details to reactivate your %sender's domain% account.
     Sincerely,The %sender's domain% Support Team
     +++ Attachment: No Virus (Clean)
     +++ %sender's domain% Antivirus - %sender's domain%

   • Dear user %username from receiver's email address%,
     You have successfully updated the password of your %sender's domain% account.
     If you did not authorize this change or if you need assistance with your account, please contact %sender's domain% customer service at: info@%sender's domain%
     Thank you for using %sender's domain% !
     The %sender's domain% Support Team

Attachment:
The filename of the attachment is one of the following:

The attachment is a copy of the malware itself.

The email may look like one of the following:

Mailing
Search addresses:
It searches the following files for email addresses:
   • txt; htm; sht; jsp; cgi; xml; php; asp; dbx; tbb; adb; html; wab

Address generation for FROM field:
To generate sender addresses it uses the following strings as the local part:
   • "john"; "josh"; "alex"; "michael"; "james"; "mike"; "kevin"; "david";
      "george"; "sam"; "andrew"; "jose"; "leo"; "maria"; "jim"; "brian";
      "serg"; "mary"; "ray"; "tom"; "peter"; "robert"; "bob"; "jane"; "joe";
      "dan"; "dave"; "matt"; "steve"; "smith"; "stan"; "bill"; "bob";
      "jack"; "fred"; "ted"; "paul"; "brent"; "sales"; "anna"; "brenda";
      "claudia"; "debby"; "helen"; "jerry"; "jimmy"; "julie"; "linda";
      "michael"; "frank"; "adam"; "sandra"; "support"; "administrator";
      "mail"; "service"; "admin"; "info"; "register"; "webmaster"

It combines these local parts with domains taken from the addresses previously harvested from files.

Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • "berkeley"; "unix"; "math"; "bsd"; "mit.e"; "gnu"; "fsf."; "";
      "google"; "kernel"; "linux"; "fido"; "usenet"; "iana"; "ietf";
      "rfc-ed"; "sendmail"; "arin."; "ripe."; "isi.e"; "isc.o"; "secur";
      "acketst"; "pgp"; "tanford.e"; "utgers.ed"; "mozilla"; "avp"; "syma";
      "icrosof"; "msn."; "hotmail"; "panda"; "sopho"; "borlan"; "inpris";
      "example"; "mydomai"; "nodomai"; "ruslis"; ".gov"; "gov."; ".mil";
      "foo."; "spm"; "fcnz"; "www"; "secur"; "abuse"; "admin"; "icrosoft";
      "support"; "ntivi"; "unix"; "bsd"; "linux"; "listserv"; "certific";
      "google"; "accoun"; "root"; "info"; "samples"; "postmaster";
      "webmaster"; "noone"; "nobody"; "nothing"; "anyone"; "someone";
      "your"; "you"; "bugs"; "rating"; "site"; "contact"; "soft";
      "somebody"; "privacy"; "service"; "help"; "not"; "submit"; "feste";
      "gold-certs"; "the.bat"; "page"

Prepend MX strings:
To obtain the IP address of a recipient domain's mail server it can prepend the following strings to the domain name and resolve the resulting host names:
   • mx.
   • mail.
   • smtp.
   • mx1.
   • mxs.
   • mail1.
   • relay.
   • ns.
   • gate.
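The three list-driven steps above (harvesting, the avoid filter, sender forgery) and the MX-prefix trick are re-implemented below as an added analysis example. This is not the worm's code and not from the Avira description: the address regex, the sample files and the subsets of the page's word lists are constructed assumptions, chosen so that the effect of each rule is visible.

```python
import random
import re

# Address matcher. The page does not say how the worm tokenises addresses, so
# this regex is an assumption.
ADDR_RE = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")

# Subsets of the three lists quoted on the page. Note that "admin", "support",
# "info" and "webmaster" are used to forge senders but are also avoided as
# recipients. The page's avoid list contains an empty string; an empty
# substring would match every address, so it is ignored in is_avoided().
FROM_LOCAL_PARTS = ["john", "alex", "mike", "maria", "sales", "support",
                    "admin", "info", "webmaster"]
AVOID_SUBSTRINGS = ["secur", "abuse", "admin", "postmaster", "webmaster",
                    "hotmail", "icrosof", "google", "example", ".gov", ".mil",
                    "www", "noone", "nobody", "not", "you", ""]
MX_PREFIXES = ["mx.", "mail.", "smtp.", "mx1.", "mxs.", "mail1.", "relay.",
               "ns.", "gate."]


def harvest(files):
    """Unique addresses from the text of each file, lower-cased, in first-seen
    order. `files` maps a file name to its contents (the worm walks files with
    the extensions listed under "Search addresses")."""
    seen, out = set(), []
    for text in files.values():
        for match in ADDR_RE.finditer(text):
            addr = match.group(0).lower()
            if addr not in seen:
                seen.add(addr)
                out.append(addr)
    return out


def is_avoided(addr):
    """Case-insensitive substring match over the whole address, as the page
    describes. This is deliberately broad: "you" also drops e.g. younes@..."""
    addr = addr.lower()
    return any(s in addr for s in AVOID_SUBSTRINGS if s)


def targets(addresses):
    return [a for a in addresses if not is_avoided(a)]


def harvested_domains(addresses):
    """Domains of all harvested addresses; these feed the forged From: field."""
    return sorted({a.rsplit("@", 1)[1] for a in addresses})


def forged_sender(domains, seed=None):
    rng = random.Random(seed)
    return f"{rng.choice(FROM_LOCAL_PARTS)}@{rng.choice(domains)}"


def mail_server_candidates(domain):
    """Host names tried, in the page's order, to reach the recipient's MTA."""
    return [prefix + domain for prefix in MX_PREFIXES]


def envelope(recipient, domains, seed=None):
    """Sender, recipient and the direct-delivery targets for one message."""
    return {
        "from": forged_sender(domains, seed),
        "to": recipient,
        "servers": mail_server_candidates(recipient.rsplit("@", 1)[1]),
    }


# Constructed sample files (not from the page).
SAMPLE_FILES = {
    "inbox.dbx": "From: alice@corp-a.test\nCc: abuse@corp-a.test\n",
    "staff.htm": '<a href="mailto:bob.smith@corp-b.test">Bob</a> webmaster@corp-b.test',
    "notes.txt": "younes@corp-c.test, Younes@Corp-C.test",
}

if __name__ == "__main__":
    found = harvest(SAMPLE_FILES)
    doms = harvested_domains(found)
    for rcpt in targets(found):
        print(envelope(rcpt, doms, seed=1))
```

Two things worth noticing when running it: the abuse@ and webmaster@ addresses never receive mail (which is why vendor and abuse mailboxes tend to see few samples from such worms), and the forged From: reuses the same role names the filter excludes, so a message that appears to come from admin@your-own-domain is exactly what the "Dear %sender's domain% Member" bodies above rely on.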

IRC
To deliver system information and to provide remote control it connects to the following IRC server:

Port: 4367
Channel: ilikeboys

– This malware has the ability to collect and send information such as:
    • CPU speed
    • Free memory
    • Platform ID

– Furthermore it has the ability to perform actions such as:
    • Download file
    • Execute file
    • Send emails
    • Terminate malware
    • Updates itself
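The command channel above leaves two simple network indicators: a TCP connection to port 4367 and a JOIN to the channel. The following added example (not from the Avira page and not the worm's code) parses raw IRC lines using the RFC 1459 framing and flags both. The channel is assumed to appear as "#ilikeboys" on the wire, the sample stream and flow records are constructed, and the format of the bot's status report is invented for illustration, since the page only names the fields it reports.

```python
C2_PORT = 4367
C2_CHANNEL = "ilikeboys"   # page gives the name without '#'; "#ilikeboys" is assumed on the wire


def parse_irc_line(line):
    """Split one IRC line into (prefix, command, params).
    Framing per RFC 1459: [':' prefix SPACE] command {SPACE param} [SPACE ':' trailing]."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        return prefix, "", []
    params = parts[1:]
    if trailing is not None:
        params.append(trailing)
    return prefix, parts[0].upper(), params


def _is_c2_channel(name):
    return name.lower().lstrip("#&") == C2_CHANNEL


def flag_irc_stream(lines):
    """Findings for a reassembled client->server IRC stream (e.g. from a pcap)."""
    findings = []
    for raw in lines:
        _, cmd, params = parse_irc_line(raw)
        if not params:
            continue
        if cmd == "JOIN":
            # JOIN may list several channels, comma separated, followed by keys
            for chan in params[0].split(","):
                if _is_c2_channel(chan):
                    findings.append(f"JOIN {chan}")
        elif cmd in ("PRIVMSG", "NOTICE") and _is_c2_channel(params[0]):
            findings.append(f"{cmd} to {params[0]}: {params[-1]}")
    return findings


def flag_connections(flows):
    """flows: (src, dst, dport, proto) tuples from a flow export or firewall log."""
    return [(src, dst) for src, dst, dport, proto in flows
            if proto.lower() == "tcp" and dport == C2_PORT]


# Constructed sample data (not captured from the worm).
SAMPLE_STREAM = [
    "NICK bot4821\r\n",
    "USER xp 0 * :xp\r\n",
    "JOIN #ilikeboys\r\n",
    "PRIVMSG #ilikeboys :report cpu=1700 mem=212 platform=2\r\n",  # invented format
]
SAMPLE_FLOWS = [
    ("10.0.0.12", "203.0.113.9", 4367, "tcp"),
    ("10.0.0.12", "203.0.113.9", 80, "tcp"),
    ("10.0.0.12", "203.0.113.9", 4367, "udp"),
]

if __name__ == "__main__":
    print(flag_irc_stream(SAMPLE_STREAM))
    print(flag_connections(SAMPLE_FLOWS))
```

The port rule alone is weak (4367 is not reserved for anything else, but any service may use it); the JOIN rule is the one that identifies this family, and a parser rather than a substring match is what keeps it from firing on the channel name appearing inside a PRIVMSG body or a NICK.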

Hosts
The hosts file is modified as explained:

– Already existing entries remain unmodified.

– Access to the following domains is effectively blocked:

The modified hosts file will look like this:
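A check for this kind of hosts-file tampering, added here as an example and not part of the original description: it parses the file, reports every name mapped to a loopback or unspecified address other than the normal local names, and, because the page says pre-existing entries are left untouched, can also diff the file against a known-good copy. The page does not list the blocked domains, so the sample hosts text below is constructed with placeholder names.

```python
import ipaddress

BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}
LEGITIMATE_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost",
                    "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """(lineno, ip, [names]) for each effective entry; comments and blank lines
    are skipped, an inline '# ...' comment is stripped, unparsable IPs ignored."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((n, str(ip), [f.lower() for f in fields[1:]]))
    return entries


def suspicious_entries(text):
    """Names pointed at a blackhole address that are not the usual local names."""
    out = []
    for n, ip, names in parse_hosts(text):
        if ip in BLACKHOLE:
            for name in names:
                if name not in LEGITIMATE_LOCAL:
                    out.append((n, ip, name))
    return out


def added_since(baseline, current):
    """Entries in `current` that are not in `baseline` (a known-good copy).
    Since the worm leaves existing entries alone, its additions show up here
    even if it used an address other than 127.0.0.1."""
    base = {(ip, tuple(names)) for _, ip, names in parse_hosts(baseline)}
    return [(n, ip, names) for n, ip, names in parse_hosts(current)
            if (ip, tuple(names)) not in base]


# Constructed sample (placeholder domains; the page does not list the real ones).
BASELINE = "# Copyright (c) 1993-1999 Microsoft Corp.\n127.0.0.1       localhost\n"
MODIFIED = BASELINE + (
    "127.0.0.1 update.av-vendor-one.test\n"
    "127.0.0.1 www.av-vendor-two.test liveupdate.av-vendor-two.test  # added\n"
    "0.0.0.0 download.av-vendor-three.test\n"
)

if __name__ == "__main__":
    for entry in suspicious_entries(MODIFIED):
        print("blackholed:", entry)
    for entry in added_since(BASELINE, MODIFIED):
        print("new since baseline:", entry)
```

On the affected platforms the file lives at %SystemRoot%\System32\drivers\etc\hosts (Windows NT/2000/XP) or %WinDir%\hosts (Windows 9x/ME); read it with that path and pass the contents to suspicious_entries(). The diff form needs a trusted copy, but it is the one that also catches redirections to an attacker-chosen address rather than to localhost.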

Process termination
List of processes that are terminated:
      "FSAV530WTBYB.EXE"; "FSAV95.EXE"; "FSGK32.EXE"; "FSM32.EXE";
      "MU0311AD.EXE"; "MWATCH.EXE"; "N32SCANW.EXE"; "NAV.EXE";
      "NAVSTUB.EXE"; "NAVW32.EXE"; "NAVWNT.EXE"; "NC2000.EXE";
      "NVARCH16.EXE"; "NVC95.EXE"; "NVSVC32.EXE"; "NWINST4.EXE";
      "SBSERV.EXE"; "SC.EXE"; "SCAM32.EXE"; "SCAN32.EXE"; "SCAN95.EXE";
      "SSG_4104.EXE"; "ST2.EXE"; "START.EXE"; "STCLOADER.EXE";
      "TBSCAN.EXE"; "TC.EXE"; "TCA.EXE"; "TCM.EXE"; "TDS-3.EXE";
      "VNPC3000.EXE"; "VPC32.EXE"; "VPC42.EXE"; "VPFW30S.EXE"; "VPTRAY.EXE";

File details
Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to hinder detection and reduce the size of the file it is packed with the following runtime packer:
   • PE-Crypt

Description inserted by Sergiu Oprea on Monday, October 31, 2005
Description updated by Sergiu Oprea on Wednesday, November 9, 2005
