Mytob.au is a new variant of Mytob family of worms. Unlike the previous variants which used email and LSASS vulnerability in spreading, this variant only uses emails.
Disinfection & Removal
The worm is a PE executable file 33280 bytes long, packed with Yoda's crypt and Morphine.
Installation to system
When run, the worm copies under %SYSTEM% directory using the name '1hellbot.exe' and creates a named mutex 'H-e-l-l-B-o-t-3!!!'.
It then alters registry entries to ensure that it is started when a user logs on or the system is restarted:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] "HELLBOT TEST" = "1hellbot.exe"
Spreading in e-mails
The worm spreads by sending its infected attachment to e-mail addresses found on an infected computer. E-mail addresses are harvested from Windows address book and from files with the following extensions:
txt htm sht jsp cgi xml php asp dbx tbb adb wab pl
The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:
syma icrosof msn. hotmail panda sopho borlan inpris example mydomai nodomai ruslis .gov gov. .mil foo. berkeley unix math mit.e fsf. ibm.com google kernel linux fido usenet iana ietf rfc-ed sendmail arin. ripe. isi.e isc.o secur acketst tanford.e utgers.ed mozilla be_loyal: root info samples postmaster webmaster noone nobody nothing anyone someone your bugs rating site contact soft somebody privacy service help submit feste gold-certs the.bat page admin icrosoft support ntivi unix linux listserv certific google accoun fcnz secur abuse
The e-mail message is composed from randomly chosed subject line, body text and additional parts. The worm has a selection of attachment names that it uses for its attachment. The subject of infected e-mails is selected from the following variants:
Notice: **Last Warning** Your email account access is restricted Your Email Account is Suspended For Security Reasons Notice:***Your email account will be suspended*** Security measures Email Account Suspension *IMPORTANT* Please Validate Your Email Account *IMPORTANT* Your Account Has Been Locked
Body text is selected from the following list:
Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal. To unblock your email account acces, please see the attachment. Follow the instructions in the attachment. We have suspended some of your email services, to resolve the problem you should read the attached document. To safeguard your email account from possible termination , please see the attached file. please look at attached document. Account Information Are Attached!
The attachment name is composed using predefined keywords. The keywords set is:
email-info email-text email-doc information your_details INFO IMPORTANT info-text
And extension keywords set is:
bat cmd exe scr pif
The worm tries to connect to IRC channel at predefined address. The attacker who knows channel password can instruct the bot to execute the following actions:
Request worm uptime Request worm version Shutdown worm Download and execute files Delete files Update worm
Mytob.au tries to terminate processes with the following name:
regedit.exe msconfig.exe cmd.exe taskmgr.exe netstat.exe zapro.exe navw32.exe navapw32.exe zonealarm.exe wincfg32.exePandaAVEngine.exe
It will also update system hosts file in order to disable Anti-Virus companies database updates. Following hostnames are redirected to localhost IP address (127.0.0.1):
www.symantec.com securityresponse.symantec.com symantec.com www.sophos.com sophos.com www.mcafee.com mcafee.com liveupdate.symantecliveupdate.com www.viruslist.com viruslist.com viruslist.com f-secure.com www.f-secure.com kaspersky.com kaspersky-labs.com www.avp.com www.kaspersky.com avp.com www.networkassociates.com networkassociates.com www.ca.com ca.com mast.mcafee.com my-etrust.com www.my-etrust.com download.mcafee.com dispatch.mcafee.com secure.nai.com nai.com www.nai.com update.symantec.com updates.symantec.com us.mcafee.com liveupdate.symantec.com customer.symantec.com rads.mcafee.com trendmicro.com www.trendmicro.com www.grisoft.com www.microsoft.com
Detection Type: PC
Technical Details: Jarkko Turkulainen; May 10th, 2005