Alias: Net-Worm.Win32.Mytob.n, W32.Mytob.R@mm
Type: Worm
Size: 58,653 Bytes
Origin:
Date: 03-28-2005
Damage:
VDF Version: 6.30.00.51
Danger: Low
Distribution: Low

General Description

Affected Platforms:
* Windows 95
* Windows 98
* Windows ME
* Windows NT
* Windows 2000
* Windows XP
* Windows Server 2003

Distribution

Worm/Mytob.Q uses its own SMTP engine to send emails. The email is built
as listed below:


FROM:

One of the following names:

adam
alex
andrew
anna
bill
bob
brenda
brent
brian
britney
bush
claudia
dan
dave
david
debby
fred
george
helen
jack
james
jane
jerry
jim
jimmy
joe
john
jose
julie
kevin
leo
linda
lolita
madmax
maria
mary
matt
michael
mike
peter
ray
robert
sam
sandra
serg
smith
stan
steve
ted
tom

followed by one of these domains:

@aol.com
@cia.gov
@fbi.gov
@hotmail.com
@juno.com
@msn.com
@yahoo.com

Subject:

One of the following:

Good day
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
%variable%


BODY:

One of the following:

Here are your banks documents.

The original message was included as an attachments.

The message cannot be represented in 7-bit ASCII encoding and has been sent
as a binary attachment.

The message contains Unicode characters and has been sent as a binary
attachment.

Mail transaction failed. Partial message is available.


ATTACHMENT:

The filename is one of the following:

document
readme
doc
text
file
data
test
message
body

with one of the following extensions:

.bat
.cmd
.exe
.pif
.scr
.zip

Worm/Mytob.Q may also spread by exploiting the Microsoft Windows Local Security
Authority Service (LSASS) remote buffer overflow (Microsoft Security Bulletin
MS04-011), scanning the local network and/or the Internet for vulnerable
computers.

Worm/Mytob.Q also looks for network shares and tries to access them using
the following passwords:


(none)

!@#$
!@#$%
!@#$%^
!@#$%^&
!@#$%^&*
%
0
00
000
0000
00000
000000
00000000
007
0wn3d
0wned
1
110
111
111
111111
11111111
11111111
12
121
121212
123
123123
123321
1234
12345
123456
1234567
12345678
123456789
12346
123467
1234678
12346789
123467890
1234qwer
123abc
123asd
123qwe
2002
2003
2600
54321
54321
54321
654321
654321
aaa
abc
abc123
abcd
ACCESS
access
account
accounts
adm
admin
ADMIN
Admin
admin123
Administrador
Administrateur
administrator
ADMINISTRATOR
Administrator
guest
GUEST
Guest
pass
pass123
pass1234
passphra
passwd
password
PASSWORD
Password
password1
password123
unknown
Unknown
user
USER
User
user1
usermane
username
userpassword
win
win2000
win2k
win98
windose
indows
windows2k
windows95
windows98
windowsME
WindowsXP
windowz
windoze
windoze2k
windoze95
windoze98
windozeME
windozexp
wine
wing
winnt
winpass
winston
winxp
wired
xp
xx
xxx
xxxx
xxxxx
xxxxxx
xxxxxxx
xxxxxxxx
xxxxxxxxx
121
007
test
none
changeme
default
system
server
null
qwerty
mail
outlook
web
www
internet
accounts
accounting
home
homeuser
user
user1
oem
oemuser
qaz
asd
qwe
mike
john
peter
luke
ron
sam
barbara
mary
sue
susan
joan
joe
peter
fred
frank
brian
spencer
lee
neil
ian
george
bruce
kate
katie
login
loginpass
owa
sage
technical
backup
exchange
exchnge
fuck
sex
god
hell
fish
heaven
orange
domain
domainpass
domainpassword
database
access
dbpass
dbpassword
databasepass
data
databasepassword
db1
db1234
sql
sqlpass
sa
cisco
dell
compaq
siemens
yellow
pink
xp
control
mass
office
blank
winpass
capitol
userpassword
main
hq
headoffice
ctx
nokia
lan
internet
intranet
bill
fred
freddy
glen
turnip
afro
user1
student
student1
teacher
staff
oeminstall
root
Root
ROOT
CISCO
Cisco

If it succeeds, the worm tries to copy itself to the following locations on the network shares:

Admin$\system32\taskgmr.exe
Admin$\taskgmr.exe
ipc$\system32\taskgmr.exe
ipc$\taskgmr.exe
print$\system32\taskgmr.exe
print$\taskgmr.exe
c$\winnt\system32\taskgmr.exe
c$\taskgmr.exe
d$\taskgmr.exe
lwc$\taskgmr.exe
NETLOGON\taskgmr.exe
SYSVOL\taskgmr.exe
profiles$\taskgmr.exe
e$\taskgmr.exe

Technical Details

If Worm/Mytob.Q is run, it copies itself into the Windows system directory
with the following file names:

\%SystemDIR%\taskgmr.exe
\%SystemDIR%\funny pic.scr
\%SystemDIR%\photo album.scr
\%SystemDIR%\eminem vs 2pac.scr

and creates the following file:

\%Root%\hellmsn.exe

and adds the following entries into the Windows Registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"WINTASK"="taskgmr.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"WINTASK"="taskgmr.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"WINTASK"="taskgmr.exe"

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
"WINTASK"="taskgmr.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
"WINTASK"="taskgmr.exe"

HKEY_CURRENT_USER\Software\Microsoft\OLE
"WINTASK"="taskgmr.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
"WINTASK"="taskgmr.exe"
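A defender-side check for the persistence entries listed above, added here as an example and not part of Avira's description: it parses a text dump produced by reg export (a hypothetical, constructed dump is embedded) and reports any value under those keys that carries the WINTASK name or references taskgmr.exe.

```python
"""Check a 'reg export' text dump for the Worm/Mytob.Q autostart entries listed
above. Added example for this description; the dump below is constructed.
Assumes the .reg text format written by reg.exe (decode UTF-16 before use)."""
import re

# Keys named in the description, upper-cased for comparison.
MYTOB_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES",
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKEY_CURRENT_USER\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA",
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\OLE",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\OLE",
}
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # "Name"="string data"

def parse_reg_export(text):
    """Yield (key, value_name, data) for every REG_SZ value in a .reg dump."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()
            continue
        m = VALUE_RE.match(line)
        if key and m:
            yield key, m.group(1), m.group(2)

def find_mytob_autostarts(text):
    """Return (key, name, data) for values under the keys above that carry the
    WINTASK name or reference taskgmr.exe."""
    return [(key, name, data) for key, name, data in parse_reg_export(text)
            if key in MYTOB_KEYS
            and (name.upper() == "WINTASK" or "taskgmr.exe" in data.lower())]

# Constructed dump: one benign Run value and two worm entries.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateAgent"="C:\\Program Files\\Vendor\\agent.exe"
"WINTASK"="taskgmr.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"WINTASK"="taskgmr.exe"
"""

if __name__ == "__main__":
    for key, name, data in find_mytob_autostarts(SAMPLE_REG):
        print(f"{key}\\{name} = {data}")
```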

Worm/Mytob.Q gathers email addresses from the Windows address book and from
files with the following file extensions:

.adb*
.asp*
.dbx*
.htm*
.php*
.pl
.sht*
.tbb*
.wab*

that reside in the following directories:

\%WinDIR%\Temporary Internet Files\*
\Dokumente und Einstellungen\%Profile%\Lokale Einstellungen\Temporary Internet Files\*
\%SystemDIR%\

It does not send itself to email addresses that contain one of the following
strings:

.gov
.mil
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
gov.
help
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
listserv
math
me
mit.e
mozilla
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.e
the.bat
unix
usenet
utgers.ed
webmaster
you
your

Worm/Mytob.Q connects to an IRC channel on the server d66.myleftnut.info
and waits for instructions. Through this channel the worm can be updated and
can even be instructed to restart the computer.

The worm blocks the following web sites by redirecting them to the local
host (127.0.0.1) so that they can no longer be reached. To do this it adds
the following entries to the Windows HOSTS file:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
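An audit for the HOSTS tampering described above, added here as an example and not part of Avira's description: it parses a HOSTS file (a constructed sample is embedded) and flags any entry that points a domain from the list above at a loopback or unspecified address. The vendor set is the registrable domains of the hosts listed, so it also catches other subdomains of those vendors.

```python
"""Audit a Windows HOSTS file for Mytob-style redirection of security vendor
sites to the loopback address. Added example for this description; the sample
HOSTS content below is constructed, not taken from an infected machine."""
import ipaddress

# Registrable domains taken from the list above (covers all of its hosts).
VENDOR_DOMAINS = {
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com", "microsoft.com",
}
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text):
    """Yield (address, hostname, line_no) for each active mapping in a HOSTS file."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                            # malformed line, ignore it
        for name in names:
            yield addr, name.lower(), n

def registrable(host):
    """Crude registrable domain: the last two labels (enough for the list above)."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def find_sinkholed_vendors(text):
    """Return (line_no, host) for entries that send a vendor domain to loopback."""
    return [(n, name) for addr, name, n in parse_hosts(text)
            if addr in SINKHOLE_ADDRS and name != "localhost"
            and registrable(name) in VENDOR_DOMAINS]

# Constructed sample: normal localhost line, two worm-style entries, one benign mapping.
SAMPLE_HOSTS = """# sample HOSTS file (constructed)
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com   # added by the worm
10.0.0.5  intranet.example
"""

if __name__ == "__main__":
    for line_no, host in find_sinkholed_vendors(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} redirected to loopback")
```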
Description inserted by Crony Walker on Tuesday, June 15, 2004
