Virus:Worm/Mytob.EU.1
Date discovered:10/07/2006
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Low
Static file:Yes
File size:61.440 Bytes
MD5 checksum:7f190C5c0271904bdf0D26ccec0B3b53
VDF version:6.35.00.142

 General Method of propagation:
   • Email


Alias:
   •  Kaspersky: Net-Worm.Win32.Mytob.eu


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Uses its own Email engine


Right after execution the following information is displayed:

The picture has been edited for display purpose.

 Files The following files are created:

– A file that is for temporary use and it might be deleted afterwards:
   • %TEMPDIR%\tmp%hex number%.tmp

 Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
The sender address is spoofed.
The sender address is the user's Outlook account.
Generated addresses. Please do not assume that it was the sender's intention to send this email to you. He might not know about his infection or might not even be infected at all. Furthermore it is possible that you will receive bounced emails telling you that you are infected. This might also not be the case.


To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)
– Generated addresses


Subject:
One of the following:
   • Error
   • Hello
   • Hi
   • Mail Delivery System
   • Mail Transaction Failed
   • Server Report
   • Status
   • Test

Furthermore the subject line could contain random letters.


Body:
–  In some cases it may contain random characters.

 
The body of the email is one of the lines:
   • test
   • Mail transaction failed. Partial message is available.
   • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
   • The message contains Unicode characters and has been sent as a binary attachment.


Attachment:
The filename of the attachment is constructed out of the following:

–  It starts with one of the following:
   • body
   • data
   • doc
   • document
   • file
   • message
   • readme
   • test
   • text
   • %random character string%

    Continued by one of the following fake extensions:
   • zip
   • bat
   • cmd
   • exe
   • pif
   • scr

The attachment is a copy of the malware itself.

The attachment is an archive containing a copy of the malware itself.



The email may look like one of the following:




 Mailing Search addresses:
It searches the following files for email addresses:
   • wab; adb; tbb; dbx; php; sht; htm; txt; tmp; pl; asp


Address generation for TO and FROM fields:
To generate addresses it uses the following strings:
   • adam; alex; andrew; anna; bill; bob; brenda; brent; brian; claudia;
      dan; dave; david; debby; fred; george; helen; jack; james; jane;
      jerry; jim; jimmy; joe; john; jose; julie; kevin; leo; linda; maria;
      mary; matt; michael; mike; peter; ray; robert; sam; sandra; serg;
      smith; stan; steve; ted; tom; %random character string%

It combines the result with domains that were found in files, which were previously searched for addresses.


Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • -._!; -._!@; .edu; .gov; .mil; abuse; accoun; acketst; admin; anyone;
      arin.; avp; berkeley; borlan; bsd; bugs; certific; contact; example;
      feste; fido; foo.; fsf.; gnu; gold-certs; google; gov.; help; hotmail;
      iana; ibm.com; icrosof; icrosoft; ietf; info; inpris; isc.o; isi.e;
      kernel; linux; listserv; math; mit.e; mozilla; msn; mydomai; nobody;
      nodomai; noone; not; nothing; ntivi; page; panda; pgp; postmaster;
      privacy; rating; rfc-ed; ripe.; root; ruslis; samples; secur;
      sendmail; service; site; soft; somebody; someone; sopho; submit;
      support; syma; tanford.e; the.bat; unix; usenet; utgers.ed; webmaster;
      you; your


Prepend MX strings:
In order to get the IP address of the mail server it has the ability to prepend the following strings to the domain name:
   • gate
   • ns
   • relay
   • mail1
   • mxs
   • mx1
   • smtp
   • mail
   • mx

 File details Programming language:
 The malware program was written in MS Visual C++.

Description inserted by Daniel Constantin on Wednesday, August 9, 2006
Description updated by Daniel Constantin on Wednesday, August 9, 2006

Back . . . .