

Mytob.au


Aliases:


Mytob.au
Net-Worm.Win32.Mytob.au

Malware
Worm
W32

Summary

Mytob.au is a new variant of the Mytob family of worms. Unlike previous variants, which spread both by e-mail and by exploiting the LSASS vulnerability, this variant spreads only by e-mail.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

The worm is a PE executable file 33280 bytes long, packed with Yoda's crypt and Morphine.


Installation to system

When run, the worm copies itself to the %SYSTEM% directory as '1hellbot.exe' and creates a named mutex 'H-e-l-l-B-o-t-3!!!'.

It then adds the following value under both the Run and RunServices registry keys so that it is started when a user logs on or the system is restarted. The value holds a bare file name with no path; Windows resolves it through its normal executable search path, which includes %SYSTEM%.

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"HELLBOT TEST" = "1hellbot.exe"
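The checks an incident responder would run against the persistence described above, written here as an added Python example (not code from the F-Secure write-up). The value name "HELLBOT TEST", the data "1hellbot.exe" and the mutex name come from the text; the default system directory and the SAMPLE_RUN_VALUES contents are assumptions constructed for the example. The registry and mutex lookups only run on Windows; the analysis function is pure and runs anywhere.

```python
"""Triage checks for the Mytob.au persistence mechanism.

Added example, not part of the original write-up. Value name, file name and
mutex name are taken from the text; SAMPLE_RUN_VALUES and the default
system directory are assumptions.
"""
import ntpath
import shlex
import sys

RUN_SUBKEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
WORM_FILE = "1hellbot.exe"
WORM_MUTEX = "H-e-l-l-B-o-t-3!!!"


def suspicious_autoruns(values, system_dir=r"C:\WINDOWS\system32"):
    """Return (value_name, data, reason) for autorun values worth a look.

    `values` maps a registry value name to its string data. The worm registers
    a bare file name with no directory, so Windows resolves it through the
    standard search path, which includes %SYSTEM%. Bare names are flagged for
    that reason; the worm's own file name is flagged outright.
    """
    findings = []
    for name, data in values.items():
        tokens = shlex.split(data, posix=False)   # posix=False keeps backslashes
        exe = tokens[0].strip('"') if tokens else ""
        if ntpath.basename(exe).lower() == WORM_FILE:
            findings.append((name, data, "known Mytob.au file name"))
        elif exe and "\\" not in exe and "/" not in exe:
            resolved = ntpath.join(system_dir, exe)
            findings.append((name, data,
                             f"bare file name, resolves via search path to {resolved}"))
    return findings


def collect_autoruns():
    """Read HKLM Run/RunServices values on a live Windows host ({} elsewhere)."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    for subkey in RUN_SUBKEYS:
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey)
        except OSError:
            continue   # RunServices is a Win9x key; absent on a clean NT system
        with key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                values[subkey.split("\\")[-1] + "\\" + name] = str(data)
                i += 1
    return values


def worm_mutex_present(name=WORM_MUTEX):
    """True if a mutex with the worm's name exists (Windows only; None elsewhere).

    A named mutex like this is normally a single-instance guard, so being able
    to open it is a strong sign the worm is currently running.
    """
    if sys.platform != "win32":
        return None
    import ctypes
    SYNCHRONIZE = 0x00100000
    handle = ctypes.windll.kernel32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        ctypes.windll.kernel32.CloseHandle(handle)
        return True
    return False


# Constructed sample of what the Run key might hold on an infected XP host.
SAMPLE_RUN_VALUES = {
    "HELLBOT TEST": "1hellbot.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "SoundMan": "SOUNDMAN.EXE",   # legitimate but path-less: flagged for review
}

if __name__ == "__main__":
    values = collect_autoruns() or SAMPLE_RUN_VALUES
    for value_name, data, reason in suspicious_autoruns(values):
        print(f"{value_name!r} = {data!r}: {reason}")
    print("worm mutex present:", worm_mutex_present())
```

Run it as Administrator on the suspect host; off-host it falls back to the constructed sample. Treat every bare-name hit as a lead rather than a verdict, since some legitimate installers also write path-less Run values.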
 

Spreading in e-mails

The worm spreads by e-mailing itself as an attachment to addresses found on the infected computer. Addresses are harvested from the Windows Address Book and from files with the following extensions:

txt
 htm
 sht
 jsp
 cgi
 xml
 php
 asp
 dbx
 tbb
 adb
 wab
 pl
 

The worm does not send e-mail to addresses containing any of the following substrings, which mostly cover anti-virus vendors, security and standards organisations, and generic role accounts:

syma
 icrosof
 msn.
 hotmail
 panda
 sopho
 borlan
 inpris
 example
 mydomai
 nodomai
 ruslis
 .gov
 gov.
 .mil
 foo.
 berkeley
 unix
 math
 mit.e
 fsf.
 ibm.com
 google
 kernel
 linux
 fido
 usenet
 iana
 ietf
 rfc-ed
 sendmail
 arin.
 ripe.
 isi.e
 isc.o
 secur
 acketst
 tanford.e
 utgers.ed
 mozilla
 be_loyal:
 root
 info
 samples
 postmaster
 webmaster
 noone
 nobody
 nothing
 anyone
 someone
 your
 bugs
 rating
 site
 contact
 soft
 somebody
 privacy
 service
 help
 submit
 feste
 gold-certs
 the.bat
 page
 admin
 icrosoft
 support
 ntivi
 unix
 linux
 listserv
 certific
 google
 accoun
 fcnz
 secur
 abuse
 

Each message is assembled from a randomly chosen subject line, body text and attachment name. The subject is selected from the following list:

Notice: **Last Warning**
 Your email account access is restricted
 Your Email Account is Suspended For Security Reasons
 Notice:***Your email account will be suspended***
 Security measures
 Email Account Suspension
 *IMPORTANT* Please Validate Your Email Account
 *IMPORTANT* Your Account Has Been Locked
 

Body text is selected from the following list:

Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
To unblock your email account acces, please see the attachment.
Follow the instructions in the attachment.
We have suspended some of your email services, to resolve the problem you should read the attached document.
To safeguard your email account from possible termination , please see the attached file.
please look at attached document.
Account Information Are Attached!

The attachment name is built from a base name and an extension, each chosen from a predefined list. The base names are:

email-info
 email-text
 email-doc
 information
 your_details
 INFO
 IMPORTANT
 info-text
 

The extensions are:

bat
 cmd
 exe
 scr
 pif
 

For example:

IMPORTANT.scr
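A gateway-side check for the message described above, written here as an added Python example (not part of the F-Secure write-up). It parses a MIME message, flags any attachment with one of the listed executable extensions, and reports the worm-specific subject line and attachment-name pattern as corroborating evidence. The subject lines, base names and extensions are the ones listed above; the sample message, its addresses and the attachment contents are constructed for the example.

```python
"""Mail-gateway check for Mytob.au messages.

Added example, not part of the original write-up. Subjects, base names and
extensions are those listed in the text; SAMPLE_MESSAGE is constructed.
"""
import email
import re
from email import policy

SUBJECTS = {
    "Notice: **Last Warning**",
    "Your email account access is restricted",
    "Your Email Account is Suspended For Security Reasons",
    "Notice:***Your email account will be suspended***",
    "Security measures",
    "Email Account Suspension",
    "*IMPORTANT* Please Validate Your Email Account",
    "*IMPORTANT* Your Account Has Been Locked",
}
BASE_NAMES = ("email-info", "email-text", "email-doc", "information",
              "your_details", "INFO", "IMPORTANT", "info-text")
EXTENSIONS = ("bat", "cmd", "exe", "scr", "pif")

# Exact worm naming scheme: <base name>.<extension>, case-insensitive.
ATTACHMENT_RE = re.compile(
    r"^(?:%s)\.(?:%s)$" % ("|".join(map(re.escape, BASE_NAMES)),
                           "|".join(EXTENSIONS)),
    re.IGNORECASE,
)


def classify(raw_message):
    """Return the reasons a message looks like Mytob.au (empty list if none).

    Any executable attachment is reported on its own merits, since that is the
    signal that survives a change of subject or file name; the worm-specific
    subject and name pattern are reported as corroboration.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip()
    if subject in SUBJECTS:
        reasons.append(f"known Mytob.au subject: {subject!r}")
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if ext in EXTENSIONS:
            reasons.append(f"executable attachment: {filename}")
        if ATTACHMENT_RE.match(filename):
            reasons.append(f"Mytob.au attachment name pattern: {filename}")
    return reasons


# Constructed message; the attachment body is placeholder text, not the worm.
SAMPLE_MESSAGE = """\
From: support@example.org
To: someone@example.net
Subject: *IMPORTANT* Your Account Has Been Locked
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Follow the instructions in the attachment.

--b1
Content-Type: application/octet-stream; name="IMPORTANT.scr"
Content-Disposition: attachment; filename="IMPORTANT.scr"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1--
"""

if __name__ == "__main__":
    for reason in classify(SAMPLE_MESSAGE):
        print(reason)
```

In practice the extension rule alone is what you enforce at the gateway (quarantine any .bat/.cmd/.exe/.scr/.pif attachment); the subject and name lists only identify which family you are looking at.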


Bot functionality

The worm connects to an IRC channel at a predefined address. An attacker who knows the channel password can instruct the bot to perform the following actions:

Request worm uptime
 Request worm version
 Shutdown worm
 Download and execute files
 Delete files
 Update worm
 

Other details

Mytob.au tries to terminate processes with the following names:

regedit.exe
 msconfig.exe
 cmd.exe
 taskmgr.exe
 netstat.exe
 zapro.exe
 navw32.exe
 navapw32.exe
 zonealarm.exe
 wincfg32.exe
 PandaAVEngine.exe
 

It also modifies the system hosts file to block anti-virus vendors' signature database updates: the following hostnames are redirected to the localhost address (127.0.0.1), so update requests never leave the machine:

www.symantec.com
 securityresponse.symantec.com
 symantec.com
 www.sophos.com
 sophos.com
 www.mcafee.com
 mcafee.com
 liveupdate.symantecliveupdate.com
 www.viruslist.com
 viruslist.com
 f-secure.com
 www.f-secure.com
 kaspersky.com
 kaspersky-labs.com
 www.avp.com
 www.kaspersky.com
 avp.com
 www.networkassociates.com
 networkassociates.com
 www.ca.com
 ca.com
 mast.mcafee.com
 my-etrust.com
 www.my-etrust.com
 download.mcafee.com
 dispatch.mcafee.com
 secure.nai.com
 nai.com
 www.nai.com
 update.symantec.com
 updates.symantec.com
 us.mcafee.com
 liveupdate.symantec.com
 customer.symantec.com
 rads.mcafee.com
 trendmicro.com
 www.trendmicro.com
 www.grisoft.com
 www.microsoft.com
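A hosts-file check for the tampering described above, written here as an added Python example (not part of the F-Secure write-up). It parses the file the way the resolver does (comments, blank lines, several names per line) and flags any name under one of the vendor domains listed above that is pointed at a sinkhole address. It deliberately generalises beyond the exact list: subdomains of those vendor domains are matched too, and 0.0.0.0 and ::1 count as sinkholes alongside 127.0.0.1, since all three achieve the same blocking. The vendor domain list is derived from the hostnames above; the hosts-file path and SAMPLE_HOSTS contents are assumptions constructed for the example.

```python
"""Detect and undo anti-virus update blocking in a hosts file.

Added example, not part of the original write-up. VENDOR_DOMAINS is derived
from the redirected hostnames listed in the text; HOSTS_PATH and SAMPLE_HOSTS
are assumptions.
"""
import ipaddress
import sys

VENDOR_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "kaspersky-labs.com",
    "avp.com", "networkassociates.com", "nai.com", "ca.com", "my-etrust.com",
    "trendmicro.com", "grisoft.com", "microsoft.com",
)

HOSTS_PATH = (r"C:\WINDOWS\system32\drivers\etc\hosts"
              if sys.platform == "win32" else "/etc/hosts")


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a hosts file."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]     # one address, one or more names
        for name in names:
            yield no, ip, name.lower()


def is_vendor_host(name):
    """True for a vendor domain itself or any host beneath it."""
    return any(name == d or name.endswith("." + d) for d in VENDOR_DOMAINS)


def is_sinkhole(ip):
    """127.x.x.x, ::1 and 0.0.0.0 all make a name unreachable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_blocked_vendors(text):
    """Return (line_no, ip, hostname) for vendor names mapped to a sinkhole."""
    return [(no, ip, name) for no, ip, name in parse_hosts(text)
            if is_vendor_host(name) and is_sinkhole(ip)]


def cleaned_hosts(text):
    """Return the file with offending lines removed, everything else intact.

    A whole line is dropped when any name on it is a blocked vendor host, so
    review the findings before writing the result back.
    """
    bad = {no for no, _, _ in find_blocked_vendors(text)}
    kept = [l for no, l in enumerate(text.splitlines(), 1) if no not in bad]
    return "\n".join(kept) + "\n"


# Constructed hosts file resembling what the worm leaves behind.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
127.0.0.1 www.symantec.com securityresponse.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
0.0.0.0 update.f-secure.com   # not in the worm's list, same trick
192.168.1.10 intranet.corp.example   # legitimate entry, must survive
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else HOSTS_PATH
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS
    for no, ip, name in find_blocked_vendors(text):
        print(f"line {no}: {name} -> {ip}")
```

After disinfection, compare the cleaned output with the live file rather than overwriting blindly: on a default XP install the only mapping that should remain is 127.0.0.1 localhost.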
 


Detection



Detection Type: PC
Database: 2005-05-09_01



Technical Details: Jarkko Turkulainen; May 10th, 2005


