Virus:Worm/Mytob.IL
Date discovered:11/07/2005
Type:Worm
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:32.804 Bytes
MD5 checksum:0caef9bac137c033af9c5dfa37cbf2ad
IVDF version:6.31.00.180 - Monday, July 11, 2005

 General Methods of propagation:
   • Email
   • Local network


Aliases:
   •  Mcafee: W32/Mytob.gen
   •  Sophos: W32/Mytob-DI
   •  Panda: W32/Spamta.gen.worm
   •  Eset: Win32/Mydoom.BI
   •  Bitdefender: Win32.Worm.Mytob.BT


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Lowers security settings
   • Registry modification

Files:
It copies itself to the following location:
   • %SYSDIR%\M0USE.exe



It overwrites the following file:
   • %SYSDIR%\drivers\etc\hosts

Registry:
The following value is added to the registry key below in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "Userinterface Report3r"="M0USE.exe"



The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   New value:
   • "Shell"="Explorer.exe M0USE.exe"

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   New value:
   • "Start"=dword:0x00000004
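The three registry changes above are the persistence and firewall indicators a responder would check first. The following audit routine is an added example written for this description; it is not code from the original page or from the vendor. It works on a dictionary snapshot of the relevant keys (the `SAMPLE_INFECTED` and `SAMPLE_CLEAN` snapshots are constructed from the values listed above); on a live Windows host the same dictionary would be filled from the standard `winreg` module. The rule for the Winlogon `Shell` value is general: any token other than `explorer.exe` is reported, not only `M0USE.exe`.

```python
"""Audit a registry snapshot for the persistence and firewall changes
listed in this description.  Added example; the snapshots are constructed."""
import re

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUNSERVICES = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
SHAREDACCESS = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess"
SERVICE_DISABLED = 4          # Start=4 is SERVICE_DISABLED

# Dropped-file name from the description, compared case-insensitively.
KNOWN_DROPPED = {"m0use.exe"}


def audit_registry(snapshot):
    """Return a list of (severity, key, detail) findings for a snapshot
    shaped as {key_path: {value_name: value_data}}."""
    findings = []

    # 1. Winlogon Shell must be exactly explorer.exe.  Anything appended
    #    ("Explorer.exe M0USE.exe") is started at every interactive logon.
    shell = snapshot.get(WINLOGON, {}).get("Shell", "explorer.exe")
    tokens = shell.split()
    if [t.lower() for t in tokens] != ["explorer.exe"]:
        extra = [t for t in tokens if t.lower() != "explorer.exe"]
        findings.append(("high", WINLOGON,
                         "Shell runs extra program(s): " + ", ".join(extra)))

    # 2. RunServices: a value naming the known dropped file is a hit;
    #    every other entry is listed for review.
    for name, data in snapshot.get(RUNSERVICES, {}).items():
        exe = re.split(r"[\\/]", data.strip().strip('"'))[-1].lower()
        sev = "high" if exe in KNOWN_DROPPED else "info"
        findings.append((sev, RUNSERVICES, f'"{name}"="{data}"'))

    # 3. SharedAccess (Windows Firewall / Internet Connection Sharing)
    #    set to disabled lowers the host's security settings.
    if snapshot.get(SHAREDACCESS, {}).get("Start") == SERVICE_DISABLED:
        findings.append(("medium", SHAREDACCESS,
                         "Start=4: firewall/ICS service disabled"))
    return findings


# Constructed snapshots: the first reproduces the values in the description,
# the second is what an unmodified host would look like.
SAMPLE_INFECTED = {
    WINLOGON: {"Shell": "Explorer.exe M0USE.exe"},
    RUNSERVICES: {"Userinterface Report3r": "M0USE.exe"},
    SHAREDACCESS: {"Start": 4},
}
SAMPLE_CLEAN = {
    WINLOGON: {"Shell": "Explorer.exe"},
    RUNSERVICES: {},
    SHAREDACCESS: {"Start": 2},
}

if __name__ == "__main__":
    for sev, key, detail in audit_registry(SAMPLE_INFECTED):
        print(f"[{sev}] {key}: {detail}")
```

The `Shell` check deliberately does not look for the worm's file name: the technique of appending a second executable after `Explorer.exe` is shared by many families, so the audit reports any deviation from the default.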

Email:
It contains an integrated SMTP engine in order to send emails. A direct connection to the destination mail server is established. Its characteristics are described in the following:


From:
The sender address is spoofed.
The sender address is the user's Outlook account.


To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)


Subject:
One of the following:
   • *DETECTED* Online User Violation
   • Important Notification
   • Members Support
   • Notice of account limitation
   • Security measures
   • Warning Message: Your services near to be closed.
   • You have successfully updated your password
   • YOUR ACCOUNT IS SUSPENDED
   • Your Account is Suspended For Security Reasons
   • Your new account password is approved
   • Your password has been successfully updated
   • Your password has been updated



Body:
–  The body is empty.


Attachment:
The filename of the attachment is one of the following:
   • account-details.zip
   • account-info.zip
   • account-password.zip
   • account-report.zip
   • document.zip
   • email-details.zip
   • email-password.zip
   • important-details.zip
   • iphp.zip
   • irscd.zip
   • new-password.zip
   • password.zip
   • rfb.zip
   • ums.zip
   • updated-password.zip
   • yzmeisu.zip

–  It starts with one of the following:
The attachment is a copy of the malware itself.

Mailing:
Search addresses:
It searches the following files for email addresses:
   • wab; html; adb; tbb; dbx; php; xml; cgi; jsp; sht; htm


Address generation for TO field:
To generate addresses it uses the following strings:
   • sandra; adam; frank; linda; julie; jimmy; jerry; helen; debby;
      claudia; brenda; anna; sales; brent; paul; ted; fred; jack; bill;
      stan; smith; steve; matt; dave; dan; joe; jane; bob; robert; peter;
      tom; ray; mary; serg; brian; jim; maria; leo; jose; andrew; sam;
      george; david; kevin; mike; james; michael; alex; josh; john

It combines these with domains from the following list or from addresses found in files on the system.
To generate addresses it uses the following strings:
   • accoun; certific; listserv; ntivi; support; icrosoft; admin; page;
      the.bat; gold-certs; ca; feste; submit; not; help; service; privacy;
      somebody; no; soft; contact; site; rating; bugs; me; you; your;
      someone; anyone; nothing; nobody; noone; webmaster; postmaster;
      samples; info; root



Prepend MX strings:
In order to obtain the IP address of a domain's mail server it can prepend the following strings to the domain name:
   • gate
   • ns
   • relay
   • mail1
   • mxs
   • mx1
   • smtp
   • mail
   • mx
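A worm that guesses mail-server names this way produces a recognisable pattern on the local resolver: one client looking up several of these prefixed hostnames under many different domains, without ever asking for the domain's MX record. The detector below is an added example written for this description, not code from the original page or the vendor. It assumes a simple resolver log format of `<time> <client> <qtype> <qname>`; the log lines in `SAMPLE_LOG` are constructed, with one client showing the guessing pattern and one behaving like a normal mail client.

```python
"""Flag clients that guess mail-host names by prefix (gate, ns, relay,
mail1, mxs, mx1, smtp, mail, mx) across many domains.  Added example;
the log lines below are constructed, not captured from a real resolver."""
from collections import defaultdict

MX_PREFIXES = {"gate", "ns", "relay", "mail1", "mxs", "mx1", "smtp", "mail", "mx"}

# Constructed resolver log: "<time> <client> <qtype> <qname>"
SAMPLE_LOG = """\
10:00:01 10.0.0.5 A mail.example.com
10:00:01 10.0.0.5 A mx.example.com
10:00:01 10.0.0.5 A smtp.example.com
10:00:02 10.0.0.5 A mail.example.org
10:00:02 10.0.0.5 A mx1.example.org
10:00:02 10.0.0.5 A relay.example.org
10:00:03 10.0.0.5 A mail.example.net
10:00:03 10.0.0.5 A gate.example.net
10:00:04 10.0.0.5 A www.example.com
10:00:05 10.0.0.9 MX example.com
10:00:06 10.0.0.9 A mail.example.com
10:00:07 10.0.0.9 A www.example.org
"""


def parse_log(text):
    """Yield (client, qtype, qname) from the assumed four-field log lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                       # skip malformed lines
        _, client, qtype, qname = parts
        yield client, qtype.upper(), qname.lower().rstrip(".")


def mx_guess_domains(text):
    """Map client -> set of domains for which it resolved two or more
    guessed mail-host names via A queries while never issuing an MX query."""
    guesses = defaultdict(lambda: defaultdict(set))   # client -> domain -> labels
    mx_queried = defaultdict(set)                     # client -> domains
    for client, qtype, qname in parse_log(text):
        if qtype == "MX":
            mx_queried[client].add(qname)
            continue
        label, _, domain = qname.partition(".")
        if qtype == "A" and domain and label in MX_PREFIXES:
            guesses[client][domain].add(label)
    result = {}
    for client, per_domain in guesses.items():
        hits = {d for d, labels in per_domain.items()
                if len(labels) >= 2 and d not in mx_queried[client]}
        if hits:
            result[client] = hits
    return result


def suspicious_clients(text, min_domains=2):
    """Clients that show the guessing pattern for at least min_domains domains."""
    return {c: sorted(d) for c, d in mx_guess_domains(text).items()
            if len(d) >= min_domains}


if __name__ == "__main__":
    for client, domains in suspicious_clients(SAMPLE_LOG).items():
        print(f"{client}: mail-host guessing against {', '.join(domains)}")
```

The MX exclusion matters: a legitimate mail client or relay asks for the MX record first and then resolves whatever name it is given, so a single `mail.<domain>` lookup after an MX query is not reported. Raise `min_domains` on a busy network to keep the rule quiet.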

IRC:
To deliver system information and to provide remote control it connects to the following IRC server:

Server: name.turkinti**********.com
Port: 7745
Channel: #news
Nickname: ]XP[%number%
Password: comeon


– Furthermore it has the ability to perform actions such as:
   • Download file
   • Kill process
   • Update itself

Hosts:
The hosts file is modified as follows:

– Already existing entries remain unmodified.

– Access to the following domains is effectively blocked by mapping them to 127.0.0.1:
   • 127.0.0.1 www.symantec.com; 127.0.0.1 securityresponse.symantec.com;
      127.0.0.1 symantec.com; 127.0.0.1 www.sophos.com;
      127.0.0.1 sophos.com; 127.0.0.1 www.mcafee.com; 127.0.0.1 mcafee.com;
      127.0.0.1 liveupdate.symantecliveupdate.com;
      127.0.0.1 www.viruslist.com; 127.0.0.1 viruslist.com;
      127.0.0.1 viruslist.com; 127.0.0.1 f-secure.com;
      127.0.0.1 www.f-secure.com; 127.0.0.1 kaspersky.com;
      127.0.0.1 kaspersky-labs.com; 127.0.0.1 www.avp.com;
      127.0.0.1 www.kaspersky.com; 127.0.0.1 avp.com;
      127.0.0.1 www.networkassociates.com; 127.0.0.1 networkassociates.com;
      127.0.0.1 www.ca.com; 127.0.0.1 ca.com; 127.0.0.1 mast.mcafee.com;
      127.0.0.1 my-etrust.com; 127.0.0.1 www.my-etrust.com;
      127.0.0.1 download.mcafee.com; 127.0.0.1 dispatch.mcafee.com;
      127.0.0.1 secure.nai.com; 127.0.0.1 nai.com; 127.0.0.1 www.nai.com;
      127.0.0.1 update.symantec.com; 127.0.0.1 updates.symantec.com;
      127.0.0.1 us.mcafee.com; 127.0.0.1 liveupdate.symantec.com;
      127.0.0.1 customer.symantec.com; 127.0.0.1 rads.mcafee.com;
      127.0.0.1 trendmicro.com; 127.0.0.1 pandasoftware.com;
      127.0.0.1 www.pandasoftware.com; 127.0.0.1 www.trendmicro.com;
      127.0.0.1 www.grisoft.com; 127.0.0.1 www.microsoft.com;
      127.0.0.1 microsoft.com; 127.0.0.1 www.virustotal.com;
      127.0.0.1 virustotal.com; 127.0.0.1 www.amazon.com;
      127.0.0.1 www.amazon.co.uk; 127.0.0.1 www.amazon.ca;
      127.0.0.1 www.amazon.fr; 127.0.0.1 www.paypal.com;
      127.0.0.1 paypal.com; 127.0.0.1 moneybookers.com;
      127.0.0.1 www.moneybookers.com; 127.0.0.1 www.ebay.com;
      127.0.0.1 ebay.com
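Because the worm appends its lines and leaves existing entries alone, a hosts-file audit has to separate the legitimate loopback entry from the sinkhole lines. The parser and cleaner below are an added example written for this description, not code from the original page or the vendor. `WORM_TARGETS` holds a subset of the hostnames from the list above (extend it with the full list as needed); `SAMPLE_HOSTS` is a constructed file. The audit goes beyond the specific list: any non-localhost name mapped to a loopback address is reported, and names that also appear in the description's list are labelled as such.

```python
"""Audit a Windows hosts file for loopback sinkholes of security-vendor and
update domains, and produce a cleaned copy.  Added example; the sample
hosts text is constructed, and WORM_TARGETS is a subset of the list above."""
import ipaddress

WORM_TARGETS = {
    "www.symantec.com", "symantec.com", "liveupdate.symantec.com",
    "www.sophos.com", "www.mcafee.com", "download.mcafee.com",
    "www.f-secure.com", "www.kaspersky.com", "www.trendmicro.com",
    "www.microsoft.com", "www.virustotal.com", "www.paypal.com",
    "www.ebay.com", "www.amazon.com",
}
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain"}

# Constructed sample: a default entry, a pre-existing corporate entry, the
# worm's appended lines, and one sinkhole that is not on the description's list.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
10.1.2.3        intranet.corp.example   # pre-existing entry, left in place
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.paypal.com
127.0.0.1 updates.some-vendor.example
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blanks and bad lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                        # first field is not an address
        for host in fields[1:]:
            yield ip, host.lower()


def audit_hosts(text):
    """Return {hostname: label} for every non-localhost name that is mapped
    to a loopback address (127/8 or ::1)."""
    findings = {}
    for ip, host in parse_hosts(text):
        if not ip.is_loopback or host in LEGIT_LOOPBACK:
            continue
        findings[host] = ("known-worm-target" if host in WORM_TARGETS
                          else "loopback-sinkhole")
    return findings


def clean_hosts(text):
    """Return the file with sinkhole lines removed; comments and legitimate
    entries are kept byte-for-byte.  A line is dropped only when every
    hostname on it was flagged."""
    bad = set(audit_hosts(text))
    kept = []
    for raw in text.splitlines(keepends=True):
        names = {host for _, host in parse_hosts(raw)}
        if names and names <= bad:
            continue
        kept.append(raw)
    return "".join(kept)


if __name__ == "__main__":
    for host, label in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{label:18} {host}")
    print(clean_hosts(SAMPLE_HOSTS))
```

Run the audit against `%SYSDIR%\drivers\etc\hosts` after reading it as text; the `clean_hosts` output is what to write back once the dropped file and registry values have been dealt with, since the worm would otherwise rewrite the entries.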


File details:
Runtime packer:
In order to hinder detection and reduce the size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Monday, November 23, 2009
Description updated by Petre Galan on Tuesday, November 24, 2009
