Virus: Worm/Mytob.KH
Date discovered: 09/10/2005
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 37.888 Bytes
MD5 checksum: 641f2da941507529f31d86c2a2ba0A06
VDF version: 6.32.00.69

General
Method of propagation:
   • Email


Aliases:
   •  Mcafee: W32/Mytob.gen@MM
   •  Kaspersky: Email-Worm.Win32.Fanbot.f
   •  F-Secure: W32/Mytob.MT@mm
   •  Grisoft: I-Worm/Mytob.MC
   •  VirusBuster: Email-Worm.Win32.Fanbot.f
   •  Bitdefender: Win32.Fanbot.F@mm


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to certain websites
   • Blocks access to security websites
   • Disables security applications
   • Drops a file
   • Uses its own Email engine
   • Records keystrokes
   • Registry modification
   • Steals information
   • Third party control


Right after execution a message is displayed; the original page shows a redacted screenshot of it, which is not reproduced here.

Files
It copies itself to the following locations:
   • %SYSDIR%\Phantom.exe
   • %WINDIR%\Phantom.exe
   • %TEMPDIR%\tmp%hex values%.tmp



It deletes the initially executed copy of itself.



It deletes the following files:
   • %TEMPDIR%\tmp%hex values%.tmp
   • %TEMPDIR%\Setup\CXMO%number%.exe
   • C:\x140yu.exe
   • C:\xiaoyu.exe



The following file is created:

– C:\Shell.sys, a non-malicious text file with the following content:
   • fuck!!!
     The Active Windows Title: %processes that have visible windows%

Registry
The following registry key is changed:

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
   New values:
   • Shell="Explorer.exe Phantom.exe"
   • userinit="userinit.exe,Phantom.exe" (Hidden)
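The file and registry indicators in the Files and Registry sections above can be turned into a simple host triage check. The following Python script is an added example, not Avira's code: it uses the page's two Winlogon values as constructed samples, reports any entry in Shell or Userinit beyond the single expected default (the check is generic, so it catches any appended file name, not only Phantom.exe), and lists which of the two fixed drop locations exist on disk. The helper names (`extra_winlogon_entries`, `check_winlogon_values`, `phantom_paths`) are my own; the live registry read only runs on Windows.

```python
r"""Triage check for the Worm/Mytob.KH persistence described above (added example).

The worm copies itself to %SYSDIR%\Phantom.exe and %WINDIR%\Phantom.exe and rewrites
  HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    = "Explorer.exe Phantom.exe"
    userinit = "userinit.exe,Phantom.exe"
Both values normally hold exactly one entry, so any extra entry deserves a look,
whatever the appended file is called.
"""
from __future__ import annotations

import ntpath
import os
import sys

# Expected single entry per value. Userinit's default is usually a full path
# (e.g. C:\WINDOWS\system32\userinit.exe,), so only the file name is compared.
EXPECTED_ENTRY = {"Shell": "explorer.exe", "Userinit": "userinit.exe"}
SEPARATOR = {"Shell": " ", "Userinit": ","}
WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"


def _file_name(entry: str) -> str:
    """Lower-cased file name of a (possibly quoted, possibly full-path) entry."""
    return entry.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extra_winlogon_entries(name: str, value: str) -> list[str]:
    """Entries of a Shell/Userinit value other than the expected default."""
    name = name.capitalize()  # registry value names are case-insensitive
    entries = [e.strip() for e in value.split(SEPARATOR[name]) if e.strip()]
    return [e for e in entries if _file_name(e) != EXPECTED_ENTRY[name]]


def check_winlogon_values(values: dict[str, str]) -> dict[str, list[str]]:
    """Map of value name -> unexpected entries, listing only values that have any."""
    findings: dict[str, list[str]] = {}
    for name, data in values.items():
        if name.capitalize() in SEPARATOR:
            extra = extra_winlogon_entries(name, data)
            if extra:
                findings[name.capitalize()] = extra
    return findings


def phantom_paths(windir: str) -> list[str]:
    """The two fixed drop locations from the description, expanded for a given %WINDIR%."""
    return [ntpath.join(windir, "system32", "Phantom.exe"), ntpath.join(windir, "Phantom.exe")]


def existing_phantom_files(windir: str) -> list[str]:
    """Subset of phantom_paths() present on disk (empty when run off-Windows)."""
    return [p for p in phantom_paths(windir) if os.path.isfile(p)]


def read_live_winlogon_values() -> dict[str, str]:
    """Read Shell and Userinit from HKLM on Windows; empty dict elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module

    out: dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        for name in ("Shell", "Userinit"):
            try:
                out[name] = str(winreg.QueryValueEx(key, name)[0])
            except FileNotFoundError:
                pass
    return out


# Constructed samples: the infected values are the page's data, the clean ones are XP defaults.
SAMPLE_INFECTED = {"Shell": "Explorer.exe Phantom.exe",
                   "userinit": r"C:\WINDOWS\system32\userinit.exe,Phantom.exe"}
SAMPLE_CLEAN = {"Shell": "Explorer.exe", "Userinit": r"C:\WINDOWS\system32\userinit.exe,"}

if __name__ == "__main__":
    windir = os.environ.get("SystemRoot", r"C:\WINDOWS")
    values = read_live_winlogon_values() or SAMPLE_INFECTED
    for name, extra in check_winlogon_values(values).items():
        print(f"Winlogon\\{name}: unexpected entries {extra}")
    for path in existing_phantom_files(windir):
        print(f"dropped file present: {path}")
```

Run on a clean machine the script prints nothing; the sample values only stand in when no live registry is available. Note that the description marks the userinit value as hidden, so a tool that merely enumerates values may miss it; reading the value by name, as above, is the safer check.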

Email
It contains an integrated SMTP engine to send emails and establishes a direct connection to the destination mail server. The emails have the following characteristics:


From:
The sender of the email is one of the following:
   • webmaster
   • register
   • info
   • admin
   • service
   • mail
   • administrator
   • support


To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)
– Generated addresses


Subject:
One of the following:
   • *DETECTED* Online User Violation
   • EMAIL ACCOUNT SUSPENSION
   • Important Notification
   • Members Support
   • Notice of account limitation
   • Security measures
   • Warning Message: Your services near to be closed.
   • You have successfully updated your password
   • Your Account is Suspended
   • Your Account is Suspended For Security Reasons
   • YOUR NEW ACCOUNT PASSWORD IS APPROVED
   • Your password has been successfully updated
   • Your password has been updated

In some cases the subject might also be empty.
Furthermore the subject line could contain random letters.


Body:
– It is constructed using a regular expression.
– In some cases it may be empty.
– In some cases it may contain random characters.

 
The body of the email is one of the following:

   • Dear user %email account's user name%,
     It has come to our attention that your receiver's %sender's domain% User Profile ( x ) records are out of date. For further details see the attached document.
     Thank you for using %sender's domain%!
     The %sender's domain% Support Team
     
     +++ Attachment: No Virus (Clean)
     +++ %sender's domain% Antivirus - www.%sender's domain%

   • Dear %sender's domain% Member,
     We have temporarily suspended your email account %receiver's email address%.
     This might be due to either of the following reasons:
     1. A recent change in your personal information (i.e. change of address).
     2. Submiting invalid information during the initial sign up process.
     3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
     See the details to reactivate your %sender's domain% account.
     Sincerely,The %sender's domain% Support Team
     
     +++ Attachment: No Virus (Clean)
     +++ %sender's domain% Antivirus - www.%sender's domain%

   • Dear %sender's domain% Member,
     Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online %sender's domain%.
     If you choose to ignore our request, you leave us no choice but to cancel your membership.
     Virtually yours,
     The %sender's domain% Support Team
     
     +++ Attachment: No Virus (Clean)
     +++ %sender's domain% Antivirus - www.%sender's domain%

   • Dear user %email account's user name%,
     You have successfully updated the password of your %sender's domain%account.
     If you did not authorize this change or if you need assistance with your account, please contact %sender's domain% customer service at: %sender's email address%
     Thank you for using %sender's domain%!
     The %sender's domain% Support Team
     
     +++ Attachment: No Virus (Clean)
     +++ %sender's domain% Antivirus - www.%sender's domain%


Attachment:
The filename of the attachment is one of the following:
   • accepted-password
   • account-details
   • account-info
   • account-password
   • account-report
   • approved-password
   • document
   • email-details
   • email-password
   • important-details
   • new-password
   • password
   • readme
   • updated-password
   • %random character string%

    The file extension is one of the following:
   • bat
   • cmd
   • exe
   • scr
   • pif
   • zip

The attachment is a copy of the malware itself.
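The sender, subject, body and attachment characteristics listed above combine into a mail-filter rule. The following Python example is added here and is not Avira's code or the worm's: it parses a raw message with the standard `email` package, reports which of the page's indicator lists it matches, and treats the executable or archive attachment plus at least one further indicator as a block decision, since the subject and body may be empty or random. The sample lure is constructed from the page's second body text with example.com as the sender's domain; `score_message` and `is_lure` are my own names.

```python
"""Mail-filter rule for the Worm/Mytob.KH lure described above (added example)."""
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicator lists copied from the description; all matching is case-insensitive.
SUBJECTS = {s.lower() for s in (
    "*DETECTED* Online User Violation", "EMAIL ACCOUNT SUSPENSION", "Important Notification",
    "Members Support", "Notice of account limitation", "Security measures",
    "Warning Message: Your services near to be closed.",
    "You have successfully updated your password", "Your Account is Suspended",
    "Your Account is Suspended For Security Reasons", "YOUR NEW ACCOUNT PASSWORD IS APPROVED",
    "Your password has been successfully updated", "Your password has been updated",
)}
SENDER_LOCALPARTS = {"webmaster", "register", "info", "admin", "service", "mail",
                     "administrator", "support"}
ATTACHMENT_NAMES = {
    "accepted-password", "account-details", "account-info", "account-password", "account-report",
    "approved-password", "document", "email-details", "email-password", "important-details",
    "new-password", "password", "readme", "updated-password",
}
ATTACHMENT_EXTS = {"bat", "cmd", "exe", "scr", "pif", "zip"}
BODY_MARKER = "+++ attachment: no virus (clean)"  # the fake antivirus footer


def score_message(raw: str) -> dict[str, str]:
    """Return the indicator categories a raw RFC 5322 message matches, with details.

    Categories: subject, sender, body, attachment. An empty dict means no match.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    hits: dict[str, str] = {}

    subject = (msg["Subject"] or "").strip()
    if subject.lower() in SUBJECTS:
        hits["subject"] = subject

    local_part = parseaddr(str(msg["From"] or ""))[1].split("@")[0].lower()
    if local_part in SENDER_LOCALPARTS:
        hits["sender"] = local_part

    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_MARKER in body.get_content().lower():
        hits["body"] = "fake antivirus footer"

    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        base, dot, ext = filename.rpartition(".")
        if dot and ext.lower() in ATTACHMENT_EXTS:
            kind = "known lure name" if base.lower() in ATTACHMENT_NAMES else "other name"
            hits["attachment"] = f"{filename} ({kind})"
            break
    return hits


def is_lure(hits: dict[str, str]) -> bool:
    """Require the executable/archive attachment plus one more indicator; a lone zip is too noisy."""
    return "attachment" in hits and len(hits) >= 2


def build_sample_lure() -> str:
    """Constructed message assembled from the description's second body text (not a real capture)."""
    m = EmailMessage()
    m["From"] = "support@example.com"
    m["To"] = "someone@example.net"
    m["Subject"] = "Your Account is Suspended"
    m.set_content(
        "Dear example.com Member,\n"
        "We have temporarily suspended your email account someone@example.net.\n"
        "See the details to reactivate your example.com account.\n"
        "Sincerely,The example.com Support Team\n\n"
        "+++ Attachment: No Virus (Clean)\n"
        "+++ example.com Antivirus - www.example.com\n"
    )
    # Placeholder bytes stand in for the worm copy the real attachment carries.
    m.add_attachment(b"PLACEHOLDER", maintype="application", subtype="zip",
                     filename="account-details.zip")
    return m.as_string()


BENIGN_MESSAGE = ("From: alice@example.org\nTo: bob@example.org\n"
                  "Subject: lunch tomorrow?\n\nNoon works for me.\n")

if __name__ == "__main__":
    for label, raw in (("lure", build_sample_lure()), ("benign", BENIGN_MESSAGE)):
        hits = score_message(raw)
        print(label, "->", "BLOCK" if is_lure(hits) else "pass", hits)
```

The attachment check keys on the extension list rather than the file name because the page says the name may be a random string; the name match only adds confidence. In a gateway the same function would run on each message before delivery, and the `hits` dict gives the analyst the reason a message was held.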



The original page shows screenshots of sample emails, which are not reproduced here.



Mailing
Search addresses:
It searches files with the following extensions for email addresses:
   • wab; adb; tbb; dbx; php; sht; htm; html; xml; cgi; jsp; tmp


Address generation for TO field:
To generate addresses it uses the following strings:
   • kula; sandra; adam; frank; linda; julie; jimmy; jerry; helen; debby;
      claudia; brenda; anna; sales; brent; paul; ted; fred; jack; bill;
      stan; smith; steve; matt; dave; dan; joe; jane; bob; robert; peter;
      tom; ray; mary; serg; brian; jim; maria; leo; jose; andrew; sam;
      george; david; kevin; mike; james; michael; alex; josh; john

It combines these names with the domains it found in the files it previously searched for addresses.


Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • .edu; abuse; www; fcnz; spm; master; accoun; certific; listserv;
      ntivi; icrosoft; admin; page; the.bat; gold-certs; feste; submit; not;
      help; service; privacy; somebody; soft; contact; site; rating; bugs;
      you; your; someone; anyone; nothing; nobody; noone; webmaster;
      postmaster; samples; info; root; slashdot; sourceforge; mozilla;
      utgers.ed; tanford.e; pgp; acketst; secur; isc.o; isi.e; ripe.; arin.;
      sendmail; rfc-ed; ietf; iana; usenet; fido; linux; kernel; google;
      ibm.com; fsf.; gnu; mit.e; bsd; math; unix; berkeley; foo.; .mil;
      gov.; .gov; support; messagelabs; ruslis; nodomai; mydomai; example;
      inpris; borlan; sopho; panda; hotmail; msn.; icrosof; syma; avp


Prepend MX strings:
To obtain the IP address of the mail server, it can prepend the following strings to the domain name:
   • gate.
   • ns.
   • relay.
   • mail1.
   • mxs.
   • mx1.
   • smtp.
   • mail.
   • mx.
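The prefix list above is also a network-side indicator: a mail client that resolves several of these guessed host names for the same domain, across many domains, is behaving like a mass mailer, whereas a real MTA asks for the domain's MX record and resolves only the host it is told about. The following Python detector is an added example, not Avira's code; it assumes a constructed DNS log format of the form `src=<client> query=<name> type=<qtype>` and only counts the worm's nine prefixes. `split_guess` and `detect_mx_guessing` are my own names.

```python
"""Detect mail-server hostname guessing in DNS query logs (added example).

Instead of asking for a domain's MX record, the worm can prepend fixed strings to a
domain name and resolve the results directly. A client that resolves several of these
guessed names for several domains in a short window stands out in resolver logs.
"""
from __future__ import annotations

import re
from collections import defaultdict

MX_GUESS_PREFIXES = ("gate.", "ns.", "relay.", "mail1.", "mxs.", "mx1.", "smtp.", "mail.", "mx.")

# Constructed log format assumed for this example: "<timestamp> src=<client> query=<name> type=<qtype>"
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+query=(?P<query>\S+)\s+type=(?P<qtype>\S+)")


def split_guess(name: str) -> tuple[str, str] | None:
    """Return (prefix, base_domain) if `name` has one of the guessed forms, else None."""
    name = name.lower().rstrip(".")
    for prefix in MX_GUESS_PREFIXES:
        # Require a label after the prefix plus a TLD, so "mail.com" is not split into "com".
        if name.startswith(prefix) and name.count(".") >= 2:
            return prefix, name[len(prefix):]
    return None


def detect_mx_guessing(lines, min_prefixes: int = 3, min_domains: int = 2) -> dict[str, list[str]]:
    """Map each suspicious client to the domains it probed with >= min_prefixes guessed names.

    Only address (non-MX) queries are counted; a client must probe at least
    min_domains distinct domains to be reported.
    """
    probes: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["qtype"].upper() == "MX":
            continue
        guess = split_guess(m["query"])
        if guess:
            prefix, domain = guess
            probes[m["src"]][domain].add(prefix)

    findings: dict[str, list[str]] = {}
    for src, domains in probes.items():
        hit = sorted(d for d, prefixes in domains.items() if len(prefixes) >= min_prefixes)
        if len(hit) >= min_domains:
            findings[src] = hit
    return findings


# Constructed sample log: 10.0.0.5 behaves like the worm, 10.0.0.9 like a normal MTA.
SAMPLE_LOG = """\
2005-10-09T12:00:01 src=10.0.0.5 query=mail.example.com type=A
2005-10-09T12:00:01 src=10.0.0.5 query=mx.example.com type=A
2005-10-09T12:00:01 src=10.0.0.5 query=smtp.example.com type=A
2005-10-09T12:00:02 src=10.0.0.5 query=mx1.example.com type=A
2005-10-09T12:00:02 src=10.0.0.5 query=relay.example.com type=A
2005-10-09T12:00:03 src=10.0.0.5 query=mail.example.net type=A
2005-10-09T12:00:03 src=10.0.0.5 query=mx.example.net type=A
2005-10-09T12:00:03 src=10.0.0.5 query=smtp.example.net type=A
2005-10-09T12:00:04 src=10.0.0.5 query=mail.example.org type=A
2005-10-09T12:00:05 src=10.0.0.9 query=example.com type=MX
2005-10-09T12:00:05 src=10.0.0.9 query=mail.example.com type=A
2005-10-09T12:00:06 src=10.0.0.9 query=www.example.net type=A
""".splitlines()

if __name__ == "__main__":
    for src, domains in detect_mx_guessing(SAMPLE_LOG).items():
        print(f"{src}: guessed mail-server names for {len(domains)} domains: {', '.join(domains)}")
```

The thresholds are deliberately conservative: one guessed name per domain is ordinary traffic (most domains really do have a `mail.` host), three or more per domain across two or more domains is not. Adding a time window per client would tighten it further on busy resolvers.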

IRC
To deliver system information and to provide remote control, it connects to the following IRC servers:

Server: SmallPhantom.3322.**********
Channel: #xiaoyu

Server: SmallPhantom.meibu.**********
Channel: #xiaoyu



– This malware has the ability to collect and send information such as:
    • CPU speed
    • Current user
    • Free disk space
    • Free memory
    • Malware uptime
    • Information about the network
    • Platform ID
    • Information about running processes
    • Size of memory
    • Username
    • Users' local activity
    • Windows directory
    • Information about the Windows operating system


– Furthermore it has the ability to perform actions such as:
    • Connect to IRC server
    • Launch DDoS SYN flood
    • Launch DDoS UDP flood
    • Disconnect from IRC server
    • Download file
    • Execute file
    • Join IRC channel
    • Leave IRC channel
    • Open remote shell
    • Perform DDoS attack
    • Perform network scan
    • Restart system
    • Send emails
    • Shut down system
    • Start keylog
    • Start spreading routine
    • Terminate malware
    • Terminate process
    • Update itself
    • Upload file
    • Visit a website

Hosts
The hosts file is modified as follows:

– Existing entries remain unmodified.

– Access to the following domains is effectively blocked:
   • jiangmin.com; www.jiangmin.com; Update2.JiangMin.com;
      Update3.JiangMin.com; rising.com.cn; www.rising.com.cn;
      online.rising.com.cn; iduba.net; www.iduba.net; kingsoft.com;
      db.kingsoft.com; scan.kingsoft.com; kaspersky.com.cn;
      www.kaspersky.com.cn; symantec.com.cn; www.symantec.com.cn;
      www.symantec.com; securityresponse.symantec.com; symantec.com;
      www.sophos.com; sophos.com; www.mcafee.com; mcafee.com;
      liveupdate.symantecliveupdate.com; www.viruslist.com; viruslist.com;
      viruslist.com; f-secure.com; www.f-secure.com; kaspersky.com;
      kaspersky-labs.com; www.avp.com; www.kaspersky.com; avp.com;
      www.networkassociates.com; networkassociates.com; www.ca.com; ca.com;
      mast.mcafee.com; my-etrust.com; www.my-etrust.com;
      download.mcafee.com; dispatch.mcafee.com; secure.nai.com; nai.com;
      www.nai.com; update.symantec.com; updates.symantec.com; us.mcafee.com;
      liveupdate.symantec.com; customer.symantec.com; rads.mcafee.com;
      trendmicro.com; www.pandaguard.com; pandasoftware.com;
      www.pandasoftware.com; www.trendmicro.com; www.grisoft.com;
      www.microsoft.com; microsoft.com; www.virustotal.com; virustotal.com;
      www.amazon.com; www.amazon.co.uk; www.amazon.ca; www.amazon.fr;
      www.paypal.com; paypal.com; moneybookers.com; www.moneybookers.com;
      www.ebay.com; ebay.com
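Because the worm only appends entries, the block list above doubles as a hosts-file audit. The following Python example is added here and is not Avira's code: it parses a hosts file, flags every mapping whose host name is on the page's list, and also flags any other public-looking name mapped to a loopback or null address, which catches the same technique with a different domain list. The sample hosts file is constructed for the example; `parse_hosts` and `suspicious_hosts_entries` are my own names.

```python
"""Audit a hosts file for the redirections Worm/Mytob.KH adds (added example)."""
from __future__ import annotations

import os
import sys

# Domains the worm adds to the hosts file, copied from the description (matched case-insensitively).
BLOCKED_BY_WORM = frozenset(d.lower() for d in """
jiangmin.com www.jiangmin.com Update2.JiangMin.com Update3.JiangMin.com rising.com.cn
www.rising.com.cn online.rising.com.cn iduba.net www.iduba.net kingsoft.com db.kingsoft.com
scan.kingsoft.com kaspersky.com.cn www.kaspersky.com.cn symantec.com.cn www.symantec.com.cn
www.symantec.com securityresponse.symantec.com symantec.com www.sophos.com sophos.com
www.mcafee.com mcafee.com liveupdate.symantecliveupdate.com www.viruslist.com viruslist.com
f-secure.com www.f-secure.com kaspersky.com kaspersky-labs.com www.avp.com www.kaspersky.com
avp.com www.networkassociates.com networkassociates.com www.ca.com ca.com mast.mcafee.com
my-etrust.com www.my-etrust.com download.mcafee.com dispatch.mcafee.com secure.nai.com nai.com
www.nai.com update.symantec.com updates.symantec.com us.mcafee.com liveupdate.symantec.com
customer.symantec.com rads.mcafee.com trendmicro.com www.pandaguard.com pandasoftware.com
www.pandasoftware.com www.trendmicro.com www.grisoft.com www.microsoft.com microsoft.com
www.virustotal.com virustotal.com www.amazon.com www.amazon.co.uk www.amazon.ca www.amazon.fr
www.paypal.com paypal.com moneybookers.com www.moneybookers.com www.ebay.com ebay.com
""".split())

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str):
    """Yield (line_number, ip, hostname) for every mapping in a hosts file body."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        for host in fields[1:]:  # one IP may carry several names
            yield lineno, fields[0], host


def suspicious_hosts_entries(text: str) -> list[tuple[int, str, str, str]]:
    """Return (line, ip, host, reason) for worm-listed domains and sinkholed public names."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        h = host.lower()
        if h in BLOCKED_BY_WORM:
            findings.append((lineno, ip, host, "domain on Worm/Mytob.KH block list"))
        elif ip in SINKHOLE_IPS and h not in LOCAL_NAMES and "." in h:
            findings.append((lineno, ip, host, "public name mapped to a sinkhole address"))
    return findings


def default_hosts_path() -> str:
    """Platform default location of the hosts file."""
    if sys.platform == "win32":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


# Constructed sample in the style the description refers to; not a capture from a real system.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
192.168.1.20    intranet.corp.example   # benign internal override
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.paypal.com
127.0.0.1 updates.vendor.example
"""

if __name__ == "__main__":
    path = default_hosts_path()
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text, path = SAMPLE_HOSTS, "<sample>"
    for lineno, ip, host, reason in suspicious_hosts_entries(text):
        print(f"{path}:{lineno}: {ip} {host}  <- {reason}")
```

The list check is exact, so it gives a high-confidence verdict for this family; the sinkhole check is the generic version and will also surface legitimate ad-blocking entries, which is why the reason string keeps the two apart.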




The original page shows a screenshot of the modified hosts file, which is not reproduced here.


Stealing
It tries to steal the following information:
– Passwords typed into 'password input fields'
– Recorded passwords used by the AutoComplete function

– A logging routine is started after keystrokes are typed that match one of the following strings:
   • [CTRL]; [DEL]; [DOWN]; [END]; [ESC]; [F1]; [F10]; [F11]; [F12]; [F2];
      [F3]; [F4]; [F5]; [F6]; [F7]; [F8]; [F9]; [HOME]; [LEFT]; [TAB]; [UP];
      [WIN]

– It captures:
    • Keystrokes
    • Window information

Miscellaneous
Mutex:
It creates the following Mutex:
   • [Phantom]

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
   • LCC WIN32 1.x

Description inserted by Monica Ghitun on Friday, November 23, 2007
Description updated by Andrei Gherman on Tuesday, November 27, 2007
