In the wild:
Medium to high
Methods of propagation:
• Local network
• Kaspersky: Net-Worm.Win32.Mytob.x
• TrendMicro: WORM_MYTOB.BR
• Sophos: W32/Mytob-BZ
• Grisoft: I-Worm/Mytob.EV
• VirusBuster: iworm I-Worm.Mytob.CQ
• Eset: Win32/Mytob.BG
• Bitdefender: Win32.Worm.Mytob.X
Platforms / OS:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
• Blocks access to security websites
• Drops a malicious file
• Uses its own Email engine
• Registry modification
• Makes use of software vulnerability
• Steals information
• Third party control
It copies itself to the following locations:
The following file is created:
– C:\hellmsn.exe
Furthermore, it is executed once it has been fully written to disk. Further investigation showed that this file is malware, too. Detected as:
The following registry keys are re-added continuously (in an infinite loop) so that the processes are started again after a reboot.
The following registry keys are added:
It contains an integrated SMTP engine for sending emails. A direct connection to the destination mail server is established. The characteristics are described below:
The sender address is spoofed.
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)
– Generated addresses
One of the following:
• GOOD DAY
• MAIL DELIVERY SYSTEM
• Mail Transaction Failed
• Server Report
In some cases the subject might also be empty.
Furthermore the subject line could contain random letters.
– In some cases it may contain random characters.
The body of the email is one of the lines:
• Mail transaction failed. Partial message is available.
• The message contains Unicode characters and has been sent as a binary attachment.
• The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
• The original message was included as an attachment.
• Here are your banks documents.
The filename of the attachment is constructed from the following:
– It starts with one of the following:
• data file
• %random character string%
The file extension is one of the following:
The attachment is a copy of the malware itself.
The email looks like the following:
It searches the following files for email addresses:
Address generation for TO and FROM fields:
To generate addresses it uses the following strings:
• adam; alex; andrew; anna; bill; bob; brenda; brent; brian; britney;
bush; claudia; dan; dave; david; debby; fred; george; helen; jack;
james; jane; jerry; jim; jimmy; joe; john; jose; julie; kevin; leo;
linda; lolita; madmax; maria; mary; matt; michael; mike; peter; ray;
robert; sam; sandra; serg; smith; stan; steve; ted; tom
It combines these names with domains from the following list or with domains taken from addresses found in files on the system.
The domain is one of the following:
It does not send emails to addresses containing one of the following strings:
• -._!; -._!@; .edu; .gov; .mil; abuse; accoun; acketst; admin; anyone;
arin.; avp; be_loyal:; berkeley; borlan; bsd; bugs; certific; contact;
example; feste; fido; foo.; fsf.; gnu; gold-certs; google; gov.; help;
iana; ibm.com; icrosof; icrosoft; ietf; info; inpris; isc.o; isi.e;
kernel; linux; listserv; math; mit.e; mozilla; mydomai; nobody;
nodomai; noone; not; nothing; ntivi; page; panda; pgp; postmaster;
privacy; rating; rfc-ed; ripe.; root; ruslis; samples; secur;
sendmail; service; site; soft; somebody; someone; sopho; submit;
support; syma; tanford.e; the.bat; unix; usenet; utgers.ed; webmaster;
www; you; your
Prepend MX strings:
In order to get the IP address of the mail server it has the ability to prepend the following strings to the domain name:
In order to ensure its propagation, the malware attempts to connect to other machines as described below.
It makes use of the following Exploit:
IP address generation:
It generates random IP addresses, keeping the first two octets of its own address. It then tries to establish a connection to each generated address.
Creates an FTP script on the compromised machine in order to download the malware to the remote location.
The downloaded file is stored on the compromised machine as:
To deliver system information and to provide remote control it connects to the following IRC Server:
%random character string%
– This malware has the ability to collect and send information such as:
• Malware uptime
• Information about the network
– Furthermore it has the ability to perform actions such as:
• disconnect from IRC server
• Download file
• Execute file
• Updates itself
The hosts file is modified as follows:
– In this case already existing entries remain unmodified.
– Access to the following domains is effectively blocked:
• www.symantec.com; securityresponse.symantec.com; symantec.com;
www.sophos.com; sophos.com; www.mcafee.com; mcafee.com;
liveupdate.symantecliveupdate.com; www.viruslist.com; viruslist.com;
viruslist.com; f-secure.com; www.f-secure.com; kaspersky.com;
www.avp.com; www.kaspersky.com; avp.com; www.networkassociates.com;
networkassociates.com; www.ca.com; ca.com; mast.mcafee.com;
my-etrust.com; www.my-etrust.com; download.mcafee.com;
dispatch.mcafee.com; secure.nai.com; nai.com; www.nai.com;
update.symantec.com; updates.symantec.com; us.mcafee.com;
liveupdate.symantec.com; customer.symantec.com; rads.mcafee.com;
trendmicro.com; www.microsoft.com; www.trendmicro.com
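A defender-side check for the hosts-file tampering described above, added here as an example (it is not Avira's code or part of the original description). It scans a hosts file for any entry that maps one of the vendor domains listed on this page to an address; the hosts content below is constructed for the example.

```python
"""Flag hosts-file entries that hijack the security-vendor domains this worm targets."""

# Domains the description lists as blocked via the hosts file (taken from the page).
BLOCKED_DOMAINS = {
    "www.symantec.com", "securityresponse.symantec.com", "symantec.com",
    "www.sophos.com", "sophos.com", "www.mcafee.com", "mcafee.com",
    "liveupdate.symantecliveupdate.com", "www.viruslist.com", "viruslist.com",
    "f-secure.com", "www.f-secure.com", "kaspersky.com", "www.avp.com",
    "www.kaspersky.com", "avp.com", "www.networkassociates.com",
    "networkassociates.com", "www.ca.com", "ca.com", "mast.mcafee.com",
    "my-etrust.com", "www.my-etrust.com", "download.mcafee.com",
    "dispatch.mcafee.com", "secure.nai.com", "nai.com", "www.nai.com",
    "update.symantec.com", "updates.symantec.com", "us.mcafee.com",
    "liveupdate.symantec.com", "customer.symantec.com", "rads.mcafee.com",
    "trendmicro.com", "www.microsoft.com", "www.trendmicro.com",
}

# Constructed sample of a tampered hosts file: legitimate lines are kept
# (as the description says existing entries stay untouched) and vendor
# domains are pointed at the loopback or null address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    intranet.local   # existing entry, left unmodified
127.0.0.1 www.symantec.com
127.0.0.1 www.sophos.com
0.0.0.0 kaspersky.com
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *hosts = line.split()
        for host in hosts:
            yield ip, host.lower()


def find_hijacked(text, blocked=BLOCKED_DOMAINS):
    """Return sorted (hostname, ip) pairs for listed vendor domains found in the
    hosts file. A clean hosts file normally contains none of these names, so any
    mapping is suspicious, whatever address it points to."""
    hits = {(host, ip) for ip, host in parse_hosts(text) if host in blocked}
    return sorted(hits)
```

On a live system, read the hosts file at %SystemRoot%\system32\drivers\etc\hosts and pass its contents to find_hijacked.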
The following port is opened:
– taskgmr.exe on TCP port 10087 in order to provide an FTP server.
It creates the following Mutex:
The malware program was written in MS Visual C++.
In order to hamper detection and reduce the file size, it is packed with a runtime packer.
Description written by Iulia Diaconescu on Thursday, 12 October 2006
Description updated by Iulia Diaconescu on Monday, 6 November 2006
© 2014 Avira Operations GmbH & Co. KG. All rights reserved.