Alias: Net-Worm.Win32.Mytob.h, W32.Mytob.0@mm
Type: Worm
Size: ~55 KBytes (variable)
Origin:
Date: 03-25-2005
Damage:
VDF Version: 6.30.00.46
Danger: Low
Distribution: Medium

General Description

Affected Platforms:
* Windows 95
* Windows 98
* Windows ME
* Windows NT
* Windows 2000
* Windows XP
* Windows Server 2003

Distribution

Worm/Mytob.I uses its own SMTP engine to send emails. The email is built
as listed below:


FROM:

One of the following names:

adam
alex
andrew
anna
bill
bob
brenda
brent
brian
britney
bush
claudia
dan
dave
david
debby
fred
george
helen
jack
james
jane
jerry
jim
jimmy
joe
john
jose
julie
kevin
leo
linda
lolita
madmax
maria
mary
matt
michael
mike
peter
ray
robert
sam
sandra
serg
smith
stan
steve
ted
tom

followed by one of these domains:

@aol.com
@cia.gov
@fbi.gov
@hotmail.com
@juno.com
@msn.com
@yahoo.com


Subject:

One of the following:

Good day
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
%variable%
[No Subject]


BODY:

One of the following:

Here are your banks documents.

The original message was included as an attachments.

The message cannot be represented in 7-bit ASCII encoding and has been sent
as a binary attachment.

The message contains Unicode characters and has been sent as a binary
attachment.

Mail transaction failed. Partial message is available.

[Random data]

ATTACHMENT:

The filename is one of the following:

document
readme
doc
text
file
data
test
message
body
[random letters]

with one of the following extensions:

.bat
.cmd
.exe
.pif
.scr
.zip

Worm/Mytob.I may also spread by exploiting the Microsoft Windows Local Security
Authority Service remote buffer overflow (Microsoft Security Bulletin
MS04-011), scanning the local network and/or the Internet for vulnerable
computers.
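A mail-gateway heuristic for the lure format described above, as an added example that is not Avira's detection logic: it parses an RFC 822 message with Python's email package and reports which of the From-domain, subject, body and attachment patterns match. The lure strings are the ones listed above (the From-name list is not needed because the spoofed domain is checked instead); the sample message is constructed.

```python
import email
from email import policy
from email.utils import parseaddr

# Added example, not Avira's logic; lure strings from the description above, sample constructed.
SPOOFED_DOMAINS = {"aol.com", "cia.gov", "fbi.gov", "hotmail.com", "juno.com",
                   "msn.com", "yahoo.com"}
LURE_SUBJECTS = {"good day", "hello", "mail delivery system", "status", "error",
                 "mail transaction failed", "server report"}
LURE_BODY = ("sent as a binary attachment", "partial message is available",
             "original message was included as an attachment", "here are your banks documents")
ATTACH_BASENAMES = {"document", "readme", "doc", "text", "file", "data", "test",
                    "message", "body"}
ATTACH_EXTENSIONS = {"bat", "cmd", "exe", "pif", "scr", "zip"}

def mytob_indicators(raw_message):
    """Return the Mytob.I lure features found in one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if sender_domain in SPOOFED_DOMAINS:
        hits.append("from-domain")
    if str(msg.get("Subject", "")).strip().lower() in LURE_SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and any(p in body.get_content().lower() for p in LURE_BODY):
        hits.append("body")
    for part in msg.iter_attachments():  # listed base name or random letters + executable/zip ext
        base, _, ext = (part.get_filename() or "").lower().rpartition(".")
        if ext in ATTACH_EXTENSIONS and (base in ATTACH_BASENAMES or base.isalpha()):
            hits.append("attachment")
            break
    return hits

SAMPLE = """\
From: john@hotmail.com
Subject: Mail Transaction Failed
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Mail transaction failed. Partial message is available.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="message.zip"

not-a-real-archive
--b1--
"""
```

A gateway rule would typically quarantine only when several independent features co-occur, since a single match (a Hotmail sender, a "Status" subject) is common in legitimate mail.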

Technical Details

If Worm/Mytob.I is run, it copies itself into the Windows system directory
with the following file names:


\%SystemDIR%\taskgmr.exe
\%SystemDIR%\funny_pic.scr
\%SystemDIR%\see_this!!.scr
\%SystemDIR%\my_photo2005.scr

and creates the following file:

\%Root%\hellmsn.exe

and adds the following entries into the Windows Registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"WINTASK"="taskgmr.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"WINTASK"="taskgmr.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"WINTASK"="taskgmr.exe"

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
"WINTASK"="taskgmr.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
"WINTASK"="taskgmr.exe"

HKEY_CURRENT_USER\Software\Microsoft\OLE
"WINTASK"="taskgmr.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
"WINTASK"="taskgmr.exe"

Worm/Mytob.I gathers email addresses from the Windows address book and from
files with the following file extensions:

.adb*
.asp*
.dbx*
.htm*
.php*
.pl
.sht*
.tbb*
.wab*

that reside in the following directories:

\%WinDIR%\Temporary Internet Files\*
\Documents and Settings\%Profile%\Local Settings\Temporary Internet Files\*
\%SystemDIR%\

It does not send itself to email addresses that contain one of the following
strings:

.gov
.mil
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
gov.
help
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
listserv
math
me
mit.e
mozilla
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.e
the.bat
unix
usenet
utgers.ed
webmaster
you
your

Worm/Mytob.I connects to an IRC channel on the server d66.myleftnut.info
and waits for instructions. In this way the worm can be updated remotely and
can even be instructed to restart the computer.

The worm blocks access to the following web sites by redirecting them to the
local machine (127.0.0.1), so that they can no longer be reached. To do this it
changes the Windows HOSTS file to contain:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
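A defender-side check for the HOSTS tampering described above, as an added example that is not Avira's tooling: it parses HOSTS-file text, flags every non-localhost name mapped to a loopback address, tags names under the vendor domains listed above, and returns cleaned content with those lines removed. The vendor suffix list is a subset of the entries above; the sample HOSTS content is constructed.

```python
import ipaddress

# Added example, not Avira's tooling: vendor suffixes are a subset of the
# redirected hosts listed above; the sample HOSTS content is constructed.
BLOCKED_VENDOR_SUFFIXES = ("symantec.com", "symantecliveupdate.com", "sophos.com",
                           "mcafee.com", "viruslist.com", "f-secure.com", "kaspersky.com",
                           "avp.com", "networkassociates.com", "ca.com", "my-etrust.com",
                           "nai.com", "trendmicro.com", "microsoft.com")
LOCALHOST_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def is_vendor(name):
    name = name.lower()
    return any(name == s or name.endswith("." + s) for s in BLOCKED_VENDOR_SUFFIXES)

def audit_hosts(text):
    """Return (suspicious, cleaned_text): (line_no, name, tag) per bad mapping, and text without those lines."""
    suspicious, kept = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comment, tokenize
        if len(fields) < 2:                     # blank or comment-only line
            kept.append(raw)
            continue
        try:
            loopback = ipaddress.ip_address(fields[0]).is_loopback
        except ValueError:                      # malformed address: keep for human review
            kept.append(raw)
            continue
        bad = [n for n in fields[1:] if loopback and n.lower() not in LOCALHOST_NAMES]
        if not bad:
            kept.append(raw)
            continue
        for name in bad:
            tag = "vendor-site" if is_vendor(name) else "other"
            suspicious.append((line_no, name, tag))
    cleaned = "\n".join(kept) + ("\n" if text.endswith("\n") else "")
    return suspicious, cleaned

SAMPLE_HOSTS = """\
# constructed sample, not a real capture
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 www.microsoft.com
127.0.0.1 intranet.example.test
192.168.1.10 fileserver.example.test
"""

if __name__ == "__main__":
    for line_no, name, tag in audit_hosts(SAMPLE_HOSTS)[0]:
        print(f"line {line_no}: {name} ({tag})")
```

Any loopback mapping of a name outside the vendor list is still reported (tagged "other"), since the worm's list may differ between variants.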
Description inserted by Crony Walker on Tuesday, June 15, 2004
