Worm:W32/Mytob.A

Summary

A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.

Disinfection & Removal

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Technical Details

Worm:W32/Mytob.A is a worm that has functionality similar to the MyDoom worm family functionality. This worm includes code to spread over a network by exploiting the known LSASS vulnerability.

In addition to propagating, Mytob.A is also able to function as an IRC bot.

The worm is a PE executable file 42512 bytes long, packed with FSG file compressor.

Installation

When run, the worm copies under %SYSTEM% directory using the name 'msnmsgr.exe' and creates a mutex named 'D66'.

It will then alters the registry entries to ensure that it gets started when a user logs on or the system is restarted:

• [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
• [HKCU\SYSTEM\CurrentControlSet\Control\Lsa] "MSN" = "msnmsgr.exe"

Payload

The worm tries to connect to an IRC channel at a predefined address using TCP port 6667. An attacker who knows channel password can instruct the created bot to execute the following actions:

• Request worm uptime
• Request worm version
• Shutdown worm
• Download and execute files
• Delete files
• Update worm

Propagation (E-mail)

The worm spreads by sending its infected attachment to e-mail addresses found on an infected computer. E-mail addresses are harvested from Windows Address Book (WAB) and from files with the following extensions:

• htm
• sht
• php
• asp
• dbx
• tbb
• adb
• wab
• pl

The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:

• accoun
• acketst
• admin
• anyone
• arin.
• be_loyal
• berkeley
• borlan
• bugs
• certific
• contact
• .edu
• example
• feste
• fido
• foo.
• fsf.
• gold-certs
• google
• .gov
• gov.
• help
• hotmail
• iana
• ibm.com
• icrosof
• icrosoft
• ietf
• info
• inpris
• isc.o
• isi.e
• kernel
• linux
• listserv
• math
• .mil
• mit.e
• mozilla
• msn.
• mydomai
• nobody
• nodomai
• noone
• nothing
• ntivi
• page
• panda
• postmaster
• privacy
• rating
• rfc-ed
• ripe.
• root
• ruslis
• samples
• secur
• sendmail
• service
• site
• soft
• somebody
• someone
• sopho
• submit
• support
• syma
• tanford.e
• the.bat
• unix
• usenet
• utgers.ed
• webmaster
• your

The e-mail message is composed from randomly chosen subject line, body text and additional parts. The worm has a selection of attachment names that it uses for its attachment. The subject of infected e-mails is selected from the following variants:

• Error
• Status
• Server Report
• Mail Transaction Failed
• Mail Delivery System
• hello
• hi

The attachment name is composed using the following predefined keywords:

• body
• message
• test
• data
• file
• text
• doc

The extension for the filename can be one of the following:

• bat
• cmd
• exe
• scr
• pif

For example:

• body.scr

Propagation (Exploit)

The worm spreads to remote computers using LSASS vulnerability. It contacts remote computers on TCP port 445, exploits the vulnerability and copies its file to a remote system.

Variants

Mytob.B is a minor variant of Mytob.A that includes functionality from the MyDoom family of e-mail worms and IRC-bots.