Virus: Worm/Mytob.LQ
Date discovered: 13/12/2012
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Medium
Damage Potential: Low to medium
Static file: Yes
File size: 26.156 Bytes
MD5 checksum: 10fadc6f6dc2ff2e5b006630dd2a3952
VDF version: 7.11.53.216

General
Method of propagation:
   • Email


Aliases:
   •  Kaspersky: Net-Worm.Win32.Mytob.bi
   •  TrendMicro: WORM_MYTOB.MU
   •  F-Secure: W32/Mytob.PI@mm
   •  VirusBuster: iworm I-Worm.Mytob.OC
   •  Bitdefender: Win32.Worm.MyTob.CX


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Uses its own Email engine
   • Lowers security settings
   • Registry modification
   • Third party control

Files
It copies itself to the following location:
   • %SYSDIR%\windbg32.exe

Registry
The following registry keys are added, and continuously re-added in an infinite loop, in order to run the process after reboot.

  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "WINDOWS Debugger"="windbg32.exe"

  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "WINDOWS Debugger"="windbg32.exe"



The following registry key is changed:

Deactivate Windows Firewall:
[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   Old value:
   • "Start"=dword:00000004
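The file and registry indicators above are what a responder would look for on a suspect host. The following is an added example, not Avira's code or part of the original description: it parses a `reg export`-style (.reg) text and a directory listing, both constructed here as samples, and reports which of the persistence and firewall indicators are present. It assumes `reg export` writes the long hive name `HKEY_LOCAL_MACHINE` where the description abbreviates it as `HKLM`, and that `%SYSDIR%` resolves to `C:\WINDOWS\system32`; `Start=4` is the `SERVICE_DISABLED` start type, and `SharedAccess` is the Windows Firewall/ICS service.

```python
import re

# Constructed sample of a `reg export`-style (.reg) file from a host showing
# the indicators listed in the description. Not a real export.
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDOWS Debugger"="windbg32.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WINDOWS Debugger"="windbg32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""

# Constructed listing of %SYSDIR% on the same host (assumed C:\WINDOWS\system32).
FILES_SAMPLE = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\windbg32.exe",
]

# (label, registry key, value name, expected data), taken from the description.
HOST_INDICATORS = [
    ("Run-key persistence",
     r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "WINDOWS Debugger", "windbg32.exe"),
    ("RunServices persistence",
     r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
     "WINDOWS Debugger", "windbg32.exe"),
    # Start=4 is SERVICE_DISABLED; SharedAccess is the Windows Firewall/ICS service.
    ("SharedAccess (Windows Firewall) service disabled",
     r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess",
     "Start", "dword:00000004"),
]

_VALUE_LINE = re.compile(r'^"([^"]*)"=(.*)$')


def parse_reg_export(text):
    """Parse .reg text into {KEY (upper-cased): {value name: data}}.
    Quotes around string data are stripped; dword: data is kept verbatim."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is not None and m:
            name, data = m.group(1), m.group(2).strip()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1]
            keys[current][name] = data
    return keys


def check_registry(reg_text):
    """Return the labels of the registry indicators present in the export."""
    keys = parse_reg_export(reg_text)
    hits = []
    for label, key, name, expected in HOST_INDICATORS:
        data = keys.get(key.upper(), {}).get(name, "")
        if data.lower() == expected.lower():
            hits.append(label)
    return hits


def check_dropped_file(file_listing, sysdir=r"C:\WINDOWS\system32"):
    """True if %SYSDIR%\\windbg32.exe appears in the listing (case-insensitive)."""
    target = (sysdir + r"\windbg32.exe").lower()
    return any(path.lower() == target for path in file_listing)


def assess_host(reg_text, file_listing):
    """Combine the checks; the dropped file plus a persistence key counts as a match."""
    hits = check_registry(reg_text)
    dropped = check_dropped_file(file_listing)
    persistence = any("persistence" in h for h in hits)
    return {"registry_hits": hits, "dropped_file": dropped,
            "suspected": dropped and persistence}


if __name__ == "__main__":
    print(assess_host(REG_SAMPLE, FILES_SAMPLE))
```

The firewall indicator is reported separately rather than counted towards the verdict, since a disabled `SharedAccess` service on its own is a configuration finding, not proof of this worm.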

Email
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
The sender address is spoofed or generated. Do not assume that the apparent sender intended to send this email to you: they might not know about their infection, or might not be infected at all. Furthermore, it is possible that you will receive bounced emails telling you that you are infected; this might also not be the case.


To:
– Email addresses found in specific files on the system
– Email addresses gathered from WAB (Windows Address Book)
– Generated addresses


Subject:
One of the following:
   • *IMPORTANT* Winnings notification
   • Claim Your Free 4GB iPod nano!
   • Claim your free prize
   • Free Account Signup
   • Free Prize.
   • Important Notification
   • Notice of prize winnings
   • Retrive You Free iPod Nano!
   • Sending Free iPod measures
   • Shipping Address Request (YourFreeiPod.com)
   • Your Account is a winner
   • YourFreeiPod Support
   • Winnings Claim

Furthermore the subject line could contain random letters.


Body:
– Contains HTML code.
The body of the email is one of the following:

   • Dear user %username from receiver's email address%,
     You have been picked to receive a free prize!
     Check the attachment in this email for claiming your prize.
     Thank you
     The YourFreeiPod Team
     +++ Attachment: No Virus (Clean)
     +++ %recipient's domain% Antivirus - www.%receiver's domain name from email address%

   • Dear user %username from receiver's email address%,
     It has come to our attention that your one of five winners this month from YourFreeiPod.com
     Please see the attachment in the email for further details.
     Thank you for using YourFreeiPod.com!
     The YourFreeiPod Team
     +++ Attachment: No Virus (Clean)
     +++ %recipient's domain% Antivirus - www.%receiver's domain name from email address%
     

   • Dear %recipient's domain% Member,
     Please claim your free iPod Movie mediaplayer
     Us here at YourFreeiPod.com like to treat our members so we give away a free iPod every month.
     Attached to this email is the details on how you can claim your prize
     Sincerely,The YourFreeiPod Team
     +++ Attachment: No Virus (Clean)
     +++ %recipient's domain% Antivirus - www.%receiver's domain name from email address%
     

   • Dear %recipient's domain% Member,
     Your e-mail account was picked from an online site www.YourFreeiPod.com. Since we did pull your name from the hat you are intitled to receive FREE 4GB Black iPod Nano.
     Please read the attachment in this email for further instructions. If you choose to ignore our request, you leave us no choice but to forfeit your winnings.
     Virtually yours,
     The YourFreeiPod Team
     +++ Attachment: No Virus found Scanned with Nod32
     +++ %recipient's domain% Antivirus - www.%receiver's domain name from email address%


Attachment:
The filename of the attachment is one of the following:
   • accept-terms.zip
   • claim-infomation.zip
   • claim-prize.zip
   • document.zip
   • fat.zip
   • important-details.zip
   • merchandise.zip
   • readme.zip
   • ship-prize.zip
   • shipping-details.zip
   • terms.zip
   • winner-details.zip
   • winnings-report.zip

The attachment is an archive containing a copy of the malware itself.
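The subject lines, body templates and attachment names above are the characteristics a mail gateway or SOC analyst can match on. The following is an added example, not Avira's code or part of the original description: it classifies constructed sample messages against those characteristics. Because the description notes that the subject may be random letters, the classifier requires two independent signals (attachment name, body markers, the fake "scanned, clean" footer, or a salutation built from the recipient address) before it reports a match. The message dictionaries and the `classify_message` function are assumptions of this example.

```python
import re

# Subject lines and attachment names listed in the description.
SUBJECTS = {
    "*IMPORTANT* Winnings notification",
    "Claim Your Free 4GB iPod nano!",
    "Claim your free prize",
    "Free Account Signup",
    "Free Prize.",
    "Important Notification",
    "Notice of prize winnings",
    "Retrive You Free iPod Nano!",
    "Sending Free iPod measures",
    "Shipping Address Request (YourFreeiPod.com)",
    "Your Account is a winner",
    "YourFreeiPod Support",
    "Winnings Claim",
}
ATTACHMENTS = {
    "accept-terms.zip", "claim-infomation.zip", "claim-prize.zip", "document.zip",
    "fat.zip", "important-details.zip", "merchandise.zip", "readme.zip",
    "ship-prize.zip", "shipping-details.zip", "terms.zip", "winner-details.zip",
    "winnings-report.zip",
}
# Fixed fragments shared by the body templates.
BODY_MARKERS = ("The YourFreeiPod Team", "+++ Attachment: No Virus")
# "+++ <recipient domain> Antivirus - www.<recipient domain>" footer line.
FAKE_SCAN_FOOTER = re.compile(r"^\+\+\+ \S+ Antivirus - www\.\S+$", re.M)


def classify_message(msg):
    """msg: dict with 'to', 'subject', 'body', 'attachments'. Returns verdict + reasons."""
    reasons = []
    if msg.get("subject", "") in SUBJECTS:
        reasons.append("known subject line")
    for name in msg.get("attachments", []):
        if name.lower() in ATTACHMENTS:
            reasons.append("known attachment name: " + name)
    body = msg.get("body", "")
    for marker in BODY_MARKERS:
        if marker in body:
            reasons.append("body marker: " + marker)
    if FAKE_SCAN_FOOTER.search(body):
        reasons.append("fake antivirus footer built from recipient domain")
    # "Dear user <local part>," or "Dear <domain> Member," derived from the To: address.
    local, _, domain = msg.get("to", "").partition("@")
    if local and re.search(
            r"Dear (user %s|%s Member)," % (re.escape(local), re.escape(domain)), body):
        reasons.append("salutation derived from recipient address")
    # The subject may be random letters, so two independent signals are required.
    return {"verdict": "mytob-like" if len(reasons) >= 2 else "no match",
            "reasons": reasons}


# Constructed sample messages (not real captures).
SAMPLE_WORM = {
    "from": "support@example.net",
    "to": "jane@example.org",
    "subject": "Claim your free prize",
    "body": (
        "Dear user jane,\n"
        "You have been picked to receive a free prize!\n"
        "Check the attachment in this email for claiming your prize.\n"
        "Thank you\n"
        "The YourFreeiPod Team\n"
        "+++ Attachment: No Virus (Clean)\n"
        "+++ example.org Antivirus - www.example.org\n"
    ),
    "attachments": ["claim-prize.zip"],
}
SAMPLE_CLEAN = {
    "from": "bob@example.org",
    "to": "jane@example.org",
    "subject": "Lunch on Friday?",
    "body": "Dear Jane,\nThe agenda is attached.\nBob\n",
    "attachments": ["agenda.pdf"],
}

if __name__ == "__main__":
    for m in (SAMPLE_WORM, SAMPLE_CLEAN):
        print(m["subject"], "->", classify_message(m))
```

The "+++ Attachment: No Virus" footer is a useful signal precisely because it is the worm's fixed text imitating a gateway scan result; a real scanner never writes its verdict into the body of the message it scanned.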

Mailing
Search addresses:
It searches the following files for email addresses:
   • .wab; .adb; .tbb; .dbx; .asp; .php; .sht; .htm; .html; .pl; .txt;
      .xml; .cgi; .jsp


Address generation for FROM field:
To generate addresses it uses the following strings:
   • admin
   • administrator
   • info
   • mail
   • register
   • service
   • support
   • webmaster

It combines these names with domains found in the files that were previously searched for addresses.


Address generation for TO field:
To generate addresses it uses the following strings:
   • adam; alex; andrew; anna; bill; bob; bob; brenda; brent; brian;
      claudia; dan; dave; david; debby; frank; fred; george; helen; jack;
      james; jane; jerry; jim; jimmy; joe; john; jose; josh; julie; kevin;
      leo; linda; maria; mary; matt; michael; michael; mike; paul; peter;
      ray; robert; sales; sam; sandra; serg; smith; stan; steve; ted; tom

It combines these names with domains found in the files that were previously searched for addresses.


Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • .gov; .mil; abuse; accoun; acketst; admin; admin; administrator;
      anyone; arin.; avp; berkeley; borlan; bsd; bsd; bugs; certific;
      contact; example; fcnz; feste; fido; foo.; fsf.; gnu; gold-certs;
      google; google; gov.; help; hotmail; iana; ibm.com; icrosof; icrosoft;
      ietf; info; info; inpris; isc.o; isi.e; kernel; linux; linux;
      listserv; mail; math; mit.e; mozilla; msn.; mydomai; nobody; nodomai;
      noone; not; nothing; ntivi; page; panda; pgp; postmaster; privacy;
      rating; register; rfc-ed; ripe.; root; ruslis; samples; secur; secur;
      sendmail; service; service; site; soft; somebody; someone; sopho; spm;
      submit; support; support; syma; tanford.e; the.bat; unix; unix;
      usenet; utgers.ed; webmaster; webmaster; www; you; your


Prepend MX strings:
In order to get the IP address of the mail server it has the ability to prepend the following strings to the domain name:
   • mx.
   • mail.
   • smtp.
   • mx1.
   • mxs.
   • mail1.
   • relay.
   • ns.

IRC
To deliver system information and to provide remote control it connects to the following IRC server:

Server: tx.h**********.info
Port: 59999
Channel: #iPod
Nickname: %random character string%
Password: iPod



 This malware has the ability to collect and send information such as:
    • Free memory
    • Malware uptime
    • Size of memory
    • Username
    • Information about the Windows operating system


 Furthermore it has the ability to perform actions such as:
    • Disconnect from IRC server
    • Download file
    • Execute file
    • Join IRC channel
    • Leave IRC channel
    • Send emails
    • Update itself
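The IRC connection details above (a non-standard port, a fixed channel name and a fixed server password) translate directly into network detection logic. The following is an added example, not Avira's code or part of the original description: it runs over a constructed connection log in a simple `timestamp|src|dst|dport|payload` format (an assumption of this example, not a real sensor's output; addresses are from documentation ranges) and reports per source host which of the indicators were observed. The masked server name from the description is not used, since only its first characters are given.

```python
import re
from collections import defaultdict

# Constructed connection log: timestamp|src|dst|dst port|first payload line.
# Not a real capture; 10.0.0.x are the internal hosts, the rest are documentation ranges.
LOG_SAMPLE = """\
2005-12-13T10:01:02|10.0.0.5|203.0.113.10|59999|PASS iPod
2005-12-13T10:01:02|10.0.0.5|203.0.113.10|59999|NICK xkqzrtwp
2005-12-13T10:01:03|10.0.0.5|203.0.113.10|59999|JOIN #iPod
2005-12-13T10:02:00|10.0.0.7|198.51.100.20|443|TLS ClientHello
2005-12-13T10:03:00|10.0.0.9|198.51.100.30|6667|JOIN #linux
"""

# Indicators from the description.
C2_PORT = 59999
C2_CHANNEL = "#iPod"
C2_PASSWORD = "iPod"
# Common IRC client commands; used to recognise IRC on a non-standard port.
IRC_COMMAND = re.compile(r"^(PASS|NICK|USER|JOIN|PART|PRIVMSG|PING|PONG)\b", re.I)


def parse_log(text):
    """Parse the constructed log format into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, payload = line.split("|", 4)
        records.append({"ts": ts, "src": src, "dst": dst,
                        "dport": int(dport), "payload": payload})
    return records


def detect_c2(text):
    """Return {source host: sorted reasons} for hosts showing Mytob-style IRC activity."""
    findings = defaultdict(set)
    for r in parse_log(text):
        payload = r["payload"]
        # IRC protocol on the worm's port, whatever the server name resolves to.
        if r["dport"] == C2_PORT and IRC_COMMAND.match(payload):
            findings[r["src"]].add("IRC traffic to TCP/%d" % C2_PORT)
        # The fixed channel and server password are independent of the port.
        if re.match(r"JOIN\s+%s$" % re.escape(C2_CHANNEL), payload, re.I):
            findings[r["src"]].add("joined channel " + C2_CHANNEL)
        if re.match(r"PASS\s+%s$" % re.escape(C2_PASSWORD), payload):
            findings[r["src"]].add("server password " + C2_PASSWORD)
    return {src: sorted(reasons) for src, reasons in findings.items()}


if __name__ == "__main__":
    for host, reasons in detect_c2(LOG_SAMPLE).items():
        print(host, reasons)
```

Ordinary IRC on port 6667 to an unrelated channel (host 10.0.0.9 in the sample) produces no finding, while the host that authenticates with the fixed password, picks a random nickname and joins `#iPod` on port 59999 is reported with all three reasons. Blocking outbound TCP/59999 at the perimeter would also cut the remote-control channel described above.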

Miscellaneous
Mutex:
It creates the following Mutex:
   • iPod

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Daniel Constantin on Monday, December 12, 2005
Description updated by Daniel Constantin on Tuesday, December 13, 2005
