Worm:W32/Mytob.A


Aliases: Worm:W32/Mytob.A

Classification: Malware, Worm, Net-Worm, W32

Summary

A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

Worm:W32/Mytob.A is a worm whose functionality is similar to that of the MyDoom worm family. This worm includes code to spread over a network by exploiting the known LSASS vulnerability.

In addition to propagating, Mytob.A is also able to function as an IRC bot.

The worm is a PE executable file 42512 bytes long, packed with FSG file compressor.


Installation

When run, the worm copies itself to the %SYSTEM% directory under the name 'msnmsgr.exe' and creates a mutex named 'D66'.

It then alters the following registry entries to ensure that it is started when a user logs on or the system is restarted:

  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
  • [HKCU\SYSTEM\CurrentControlSet\Control\Lsa] "MSN" = "msnmsgr.exe"
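As an added example (not part of the F-Secure description), the following Python script parses a registry export in .reg format and flags autorun values that reference the worm's file name under the keys listed above. The export text is constructed for illustration, and the abbreviation map from HKCU/HKLM to the full hive names is an assumption about how the keys appear in an export.

```python
import re

# Registry keys the description says the worm modifies (HKCU/HKLM expanded
# to the hive names used in .reg exports; this expansion is an assumption).
AUTORUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\system\currentcontrolset\control\lsa",
}

# Value name and file name the description reports for the persistence entry.
SUSPECT_VALUE_NAME = "msn"
SUSPECT_FILE_NAME = "msnmsgr.exe"

# Constructed sample of a .reg export; not data from a real host.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"MSN"="msnmsgr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa]
"MSN"="msnmsgr.exe"
"""

VALUE_LINE = re.compile(r'^"([^"]*)"="(.*)"$')


def parse_reg_export(text):
    """Yield (key, value_name, value_data) triples from a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None:
            m = VALUE_LINE.match(line)
            if m:
                yield key, m.group(1), m.group(2)


def find_mytob_autoruns(text):
    """Return the (key, name, data) entries that match the worm's persistence pattern."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in AUTORUN_KEYS:
            continue
        if name.lower() == SUSPECT_VALUE_NAME and data.lower().endswith(SUSPECT_FILE_NAME):
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_mytob_autoruns(SAMPLE_REG_EXPORT):
        print(f"suspicious autorun: [{key}] {name} = {data}")
```

In the constructed export, two entries match (one under the HKCU Run key and one under the Lsa key); the legitimate OneDrive and SecurityHealth values are ignored. On a live host the same check would be run over `reg export` output for each of the listed keys.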

Payload

The worm tries to connect to an IRC channel at a predefined address using TCP port 6667. An attacker who knows the channel password can instruct the created bot to execute the following actions:

  • Request worm uptime
  • Request worm version
  • Shutdown worm
  • Download and execute files
  • Delete files
  • Update worm

Propagation (E-mail)

The worm spreads by sending its infected attachment to e-mail addresses found on an infected computer. E-mail addresses are harvested from Windows Address Book (WAB) and from files with the following extensions:

  • htm
  • sht
  • php
  • asp
  • dbx
  • tbb
  • adb
  • wab
  • pl

The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:

  • accoun
  • acketst
  • admin
  • anyone
  • arin.
  • be_loyal
  • berkeley
  • borlan
  • bugs
  • certific
  • contact
  • .edu
  • example
  • feste
  • fido
  • foo.
  • fsf.
  • gold-certs
  • google
  • .gov
  • gov.
  • help
  • hotmail
  • iana
  • ibm.com
  • icrosof
  • icrosoft
  • ietf
  • info
  • inpris
  • isc.o
  • isi.e
  • kernel
  • linux
  • listserv
  • math
  • .mil
  • mit.e
  • mozilla
  • msn.
  • mydomai
  • nobody
  • nodomai
  • noone
  • nothing
  • ntivi
  • page
  • panda
  • postmaster
  • privacy
  • rating
  • rfc-ed
  • ripe.
  • root
  • ruslis
  • samples
  • secur
  • sendmail
  • service
  • site
  • soft
  • somebody
  • someone
  • sopho
  • submit
  • support
  • syma
  • tanford.e
  • the.bat
  • unix
  • usenet
  • utgers.ed
  • webmaster
  • your

The e-mail message is composed from randomly chosen subject line, body text and additional parts. The worm has a selection of attachment names that it uses for its attachment. The subject of infected e-mails is selected from the following variants:

  • Error
  • Status
  • Server Report
  • Mail Transaction Failed
  • Mail Delivery System
  • hello
  • hi

The attachment name is composed using the following predefined keywords:

  • body
  • message
  • test
  • data
  • file
  • text
  • doc

The extension for the filename can be one of the following:

  • bat
  • cmd
  • exe
  • scr
  • pif

For example:

  • body.scr
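As an added example (not part of the F-Secure description), the following Python code applies the message characteristics listed above as a mail-gateway heuristic: a message is flagged when its subject is one of the worm's fixed subjects and it carries an attachment whose name is one of the listed keywords followed by one of the listed executable extensions. The sample messages are constructed for illustration; the requirement that both the subject and the attachment match is a design choice to limit false positives, not something the description specifies.

```python
import re

# Subject lines, attachment keywords and extensions listed in the description.
SUBJECTS = {s.lower() for s in (
    "Error", "Status", "Server Report", "Mail Transaction Failed",
    "Mail Delivery System", "hello", "hi",
)}
NAME_WORDS = {"body", "message", "test", "data", "file", "text", "doc"}
EXTENSIONS = {"bat", "cmd", "exe", "scr", "pif"}

ATTACHMENT_RE = re.compile(r"^(?P<stem>[A-Za-z]+)\.(?P<ext>[A-Za-z]+)$")


def classify_message(subject, attachments):
    """Return the reasons a message resembles the Mytob.A mail pattern."""
    reasons = []
    if subject.strip().lower() in SUBJECTS:
        reasons.append(f"subject matches known worm subject: {subject!r}")
    for att in attachments:
        m = ATTACHMENT_RE.match(att)
        if m and m.group("stem").lower() in NAME_WORDS and m.group("ext").lower() in EXTENSIONS:
            reasons.append(f"attachment matches keyword.extension pattern: {att!r}")
    return reasons


def is_suspected_mytob(subject, attachments):
    """Flag only when both the subject and an attachment match (design choice)."""
    reasons = classify_message(subject, attachments)
    return (any(r.startswith("subject") for r in reasons)
            and any(r.startswith("attachment") for r in reasons))


# Constructed sample messages, not real traffic.
SAMPLE_MESSAGES = [
    {"subject": "Mail Transaction Failed", "attachments": ["body.scr"]},
    {"subject": "hi", "attachments": ["report.pdf"]},
    {"subject": "Quarterly numbers", "attachments": ["data.exe"]},
    {"subject": "Server Report", "attachments": ["notes.txt", "TEXT.PIF"]},
]


def scan(messages):
    """Return the messages that should be quarantined for analyst review."""
    return [m for m in messages if is_suspected_mytob(m["subject"], m["attachments"])]


if __name__ == "__main__":
    for m in scan(SAMPLE_MESSAGES):
        print("quarantine:", m["subject"], m["attachments"])
```

Of the four constructed messages, the first and the last are flagged; the second matches only on subject and the third only on attachment, so each produces a partial reason from classify_message but is not quarantined.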

Propagation (Exploit)

The worm spreads to remote computers using the LSASS vulnerability. It contacts remote computers on TCP port 445, exploits the vulnerability and copies its file to the remote system.


Variants

Mytob.B is a minor variant of Mytob.A that includes functionality from the MyDoom family of e-mail worms and IRC-bots.

