Threat Description

Mytob.bf

Details

Aliases: Mytob.bf, Net-Worm.Win32.Mytob.bf, W32/Mytob.bf@mm
Category: Malware
Type: Worm
Platform: W32

Summary



The Mytob.bf worm-backdoor appeared in the end of May - beginning of June 2005. It sends e-mails with an infected attachment and also contains an IRC-controlled backdoor. It is a close variant of Mytob.bd worm.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



The worm is a PE executable file 62464 bytes long, packed with UPX, PEncrypt and YodaProt file compressors.

Installation to system

When run, the worm creates a mutex with the name 'Lien-Van-de-Kelder'. Then it copies itself as 'www.lienvandekelder.be.exe' file to Windows System folder and creates a starup key for this file in the Registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "Lien Van de Kelder" = "www.lienvandekelder.be.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
 "Lien Van de Kelder" = "www.lienvandekelder.be.exe"
 

The worm also modifies the following key value:

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
 "Start" = dword:00000004
 

The worm has the capability to restore its file and startup keys in the Registry if they are modified or deleted.

Spreading in e-mails

To get the victims' e-mail addresses the worm reads user's Address Book and also scans files with the following extensions on all hard disks and RAM drives:

txt
 htm
 sht
 jsp
 cgi
 xml
 php
 asp
 dbx
 tbb
 adb
 pl
 wab
 

The worm scans Internet Explorer cache folders and Windows System folder. The worm ignores e-mail addresses with any of the following substrings:

avp
 syma
 icrosof
 msn.
 hotmail
 panda
 sopho
 borlan
 inpris
 example
 mydomai
 nodomai
 ruslis
 .gov
 gov.
 .mil
 foo.
 berkeley
 unix
 math
 bsd
 mit.e
 gnu
 fsf.
 ibm.com
 google
 kernel
 linux
 fido
 usenet
 iana
 ietf
 rfc-ed
 sendmail
 arin.
 ripe.
 isi.e
 isc.o
 secur
 acketst
 pgp
 tanford.e
 utgers.ed
 mozilla
 root
 info
 samples
 postmaster
 webmaster
 noone
 nobody
 nothing
 anyone
 someone
 your
 you
 me
 bugs
 rating
 site
 contact
 soft
 no
 somebody
 privacy
 service
 help
 not
 submit
 feste
 ca
 gold-certs
 the.bat
 page
 admin
 icrosoft
 support
 ntivi
 unix
 bsd
 linux
 listserv
 certific
 google
 accoun
 spm
 spam
 

The worm sends e-mail messages with different subjects. Here's the list of subjects that the worm uses:

Notice: **Last Warning**
 *DETECTED* Online User Violation
 Your Email Account is Suspended For Security Reasons
 Account Alert
 Important Notification
 *WARNING* Your Email Account Will Be Closed
 Security measures
 Email Account Suspension
 Notice of account limitation
 

The message body can be empty, contain garbage or any of the following texts:

The original message has been included as an attachment.
Once you have completed the form in the attached file , your
 account records will not be interrupted and will continue as normal.
 We regret to inform you that your account has been suspended due
 to the violation of our site policy, more info is attached.
We attached some important information regarding your account.
Please read the attached document and follow it's instructions.
			

The worm attaches itself to an infected message. The attachment is usually a ZIP archive with one of the following names:

email-info
 email-doc
 information
 account-details
 document
 INFO
 instructions
 info-text
 information
 

The worm's file located inside a ZIP archive has one of the above names and 2 extensions. The first extension is randomly selected from the following variants:

tmp
 doc
 htm
 txt
 

The second extension is randomly selected from the following variants:

pif
 scr
 exe
 cmd
 bat
 

The worm fakes the sender's e-mail address. It is composed from the following user names:

support
 administrator
 mail
 service
 admin
 info
 register
 webmaster
 

and the recipient's e-mail account domain name.

IRC-controlled Backdoor

When the worm is active it tries to connect to the following IRC server and channel:

irc.blackcarder.net
 #Lien
 

If the connection is successful, the worm creates a bot in that channel. A hacker can send commands to a bot in order to control an infected computer. A hacker can do any of the following:

  • change IRC server
  • change channel mode
  • join specified channel
  • change bot's nick (randomly generated)
  • kick a user out of a channel
  • ping a user/server
  • set channel topic
  • exit from a channel
  • quit from IRC
  • get information about an infected system
  • download and run a file (update worm's file)
  • remove worm from a computer
  • send raw command
  • start mass-mailing
  • stop mass-mailing

Payload

When the worm is active in memory it looks for and terminates processes with the following names:

ACKWIN32.EXE
 ADAWARE.EXE
 ADVXDWIN.EXE
 AGENTSVR.EXE
 AGENTW.EXE
 ALERTSVC.EXE
 ALEVIR.EXE
 ALOGSERV.EXE
 AMON9X.EXE
 ANTI-TROJAN.EXE
 ANTIVIRUS.EXE
 ANTS.EXE
 APIMONITOR.EXE
 APLICA32.EXE
 APVXDWIN.EXE
 ARR.EXE
 ATCON.EXE
 ATGUARD.EXE
 ATRO55EN.EXE
 ATUPDATER.EXE
 ATUPDATER.EXE
 ATWATCH.EXE
 AU.EXE
 AUPDATE.EXE
 AUPDATE.EXE
 AUTODOWN.EXE
 AUTODOWN.EXE
 AUTOTRACE.EXE
 AUTOTRACE.EXE
 AUTOUPDATE.EXE
 AUTOUPDATE.EXE
 AVCONSOL.EXE
 AVE32.EXE
 AVGCC32.EXE
 AVGCTRL.EXE
 AVGNT.EXE
 AVGSERV.EXE
 AVGSERV9.EXE
 AVGUARD.EXE
 AVGW.EXE
 AVKPOP.EXE
 AVKSERV.EXE
 AVKSERVICE.EXE
 AVKWCTl9.EXE
 AVLTMAIN.EXE
 AVNT.EXE
 AVP.EXE
 AVP32.EXE
 AVPCC.EXE
 AVPDOS32.EXE
 AVPM.EXE
 AVPTC32.EXE
 AVPUPD.EXE
 AVPUPD.EXE
 AVSCHED32.EXE
 AVSYNMGR.EXE
 AVWINNT.EXE
 AVWUPD.EXE
 AVWUPD32.EXE
 AVWUPD32.EXE
 AVWUPSRV.EXE
 AVXMONITOR9X.EXE
 AVXMONITORNT.EXE
 AVXQUAR.EXE
 AVXQUAR.EXE
 BACKWEB.EXE
 BARGAINS.EXE
 BD_PROFESSIONAL.EXE
 BEAGLE.EXE
 BELT.EXE
 BIDEF.EXE
 BIDSERVER.EXE
 BIPCP.EXE
 BIPCPEVALSETUP.EXE
 BISP.EXE
 BLACKD.EXE
 BLACKICE.EXE
 BLSS.EXE
 BOOTCONF.EXE
 BOOTWARN.EXE
 BORG2.EXE
 BPC.EXE
 BRASIL.EXE
 BS120.EXE
 BUNDLE.EXE
 BVT.EXE
 CCAPP.EXE
 CCEVTMGR.EXE
 CCPXYSVC.EXE
 CDP.EXE
 CFD.EXE
 CFGWIZ.EXE
 CFIADMIN.EXE
 CFIAUDIT.EXE
 CFIAUDIT.EXE
 CFINET.EXE
 CFINET32.EXE
 CLEAN.EXE
 CLEANER.EXE
 CLEANER3.EXE
 CLEANPC.EXE
 CLICK.EXE
 CMD32.EXE
 CMESYS.EXE
 CMGRDIAN.EXE
 CMON016.EXE
 CONNECTIONMONITOR.EXE
 CPD.EXE
 CPF9X206.EXE
 CPFNT206.EXE
 CTRL.EXE
 CV.EXE
 CWNB181.EXE
 CWNTDWMO.EXE
 CLAW95CF.EXE
 DATEMANAGER.EXE
 DCOMX.EXE
 DEFALERT.EXE
 DEFSCANGUI.EXE
 DEFWATCH.EXE
 DEPUTY.EXE
 DIVX.EXE
 DLLCACHE.EXE
 DLLREG.EXE
 DOORS.EXE
 DPF.EXE
 DPFSETUP.EXE
 DPPS2.EXE
 DRWATSON.EXE
 DRWEB32.EXE
 DRWEBUPW.EXE
 DSSAGENT.EXE
 DVP95.EXE
 DVP95_0.EXE
 ECENGINE.EXE
 EFPEADM.EXE
 EMSW.EXE
 ENT.EXE
 ESAFE.EXE
 ESCANHNT.EXE
 ESCANV95.EXE
 ESPWATCH.EXE
 ETHEREAL.EXE
 ETRUSTCIPE.EXE
 EVPN.EXE
 EXANTIVIRUS-CNET.EXE
 EXE.AVXW.EXE
 EXPERT.EXE
 EXPLORE.EXE
 F-PROT.EXE
 F-PROT95.EXE
 F-STOPW.EXE
 FAMEH32.EXE
 FAST.EXE
 FCH32.EXE
 FIH32.EXE
 FINDVIRU.EXE
 FIREWALL.EXE
 FNRB32.EXE
 FP-WIN.EXE
 FP-WIN_TRIAL.EXE
 FPROT.EXE
 FRW.EXE
 FSAA.EXE
 FSAV.EXE
 FSAV32.EXE
 FSAV530STBYB.EXE
 FSAV530WTBYB.EXE
 FSAV95.EXE
 FSGK32.EXE
 FSM32.EXE
 FSMA32.EXE
 FSMB32.EXE
 GATOR.EXE
 GBMENU.EXE
 GBPOLL.EXE
 GENERICS.EXE
 GMT.EXE
 GUARD.EXE
 GUARDDOG.EXE
 HACKTRACERSETUP.EXE
 HBINST.EXE
 HBSRV.EXE
 HOTACTIO.EXE
 HOTPATCH.EXE
 HTLOG.EXE
 HTPATCH.EXE
 HWPE.EXE
 HXDL.EXE
 HXIUL.EXE
 IAMAPP.EXE
 IAMSERV.EXE
 IAMSTATS.EXE
 IBMASN.EXE
 IBMAVSP.EXE
 ICLOADNT.EXE
 ICMON.EXE
 ICSUPP95.EXE
 ICSUPPNT.EXE
 IDLE.EXE
 IEDLL.EXE
 IEDRIVER.EXE
 IEXPLORER.EXE
 IFACE.EXE
 IFW2000.EXE
 INETLNFO.EXE
 INFUS.EXE
 INFWIN.EXE
 INIT.EXE
 INTDEL.EXE
 INTREN.EXE
 IOMON98.EXE
 ISTSVC.EXE
 JAMMER.EXE
 JDBGMRG.EXE
 JEDI.EXE
 KAVLITE40ENG.EXE
 KAVPERS40ENG.EXE
 KAVPF.EXE
 KAZZA.EXE
 KEENVALUE.EXE
 KERIO-PF-213-EN-WIN.EXE
 KERIO-WRL-421-EN-WIN.EXE
 KERIO-WRP-421-EN-WIN.EXE
 KERNEL32.EXE
 KILLPROCESSSETUP161.EXE
 LAUNCHER.EXE
 LDNETMON.EXE
 LDPRO.EXE
 LDPROMENU.EXE
 LDSCAN.EXE
 LNETINFO.EXE
 LOADER.EXE
 LOCALNET.EXE
 LOCKDOWN.EXE
 LOCKDOWN2000.EXE
 LOOKOUT.EXE
 LORDPE.EXE
 LSETUP.EXE
 LUALL.EXE
 LUALL.EXE
 LUAU.EXE
 LUCOMSERVER.EXE
 LUINIT.EXE
 LUSPT.EXE
 MAPISVC32.EXE
 MCAGENT.EXE
 MCMNHDLR.EXE
 MCSHIELD.EXE
 MCTOOL.EXE
 MCUPDATE.EXE
 MCUPDATE.EXE
 MCVSRTE.EXE
 MCVSSHLD.EXE
 MD.EXE
 MFIN32.EXE
 MFW2EN.EXE
 MFWENG3.02D30.EXE
 MGAVRTCL.EXE
 MGAVRTE.EXE
 MGHTML.EXE
 MGUI.EXE
 MINILOG.EXE
 MMOD.EXE
 MONITOR.EXE
 MOOLIVE.EXE
 MOSTAT.EXE
 MPFAGENT.EXE
 MPFSERVICE.EXE
 MPFTRAY.EXE
 MRFLUX.EXE
 MSAPP.EXE
 MSBB.EXE
 MSBLAST.EXE
 MSCACHE.EXE
 MSCCN32.EXE
 MSCMAN.EXE
 MSCONFIG.EXE
 MSDM.EXE
 MSDOS.EXE
 MSIEXEC16.EXE
 MSINFO32.EXE
 MSLAUGH.EXE
 MSMGT.EXE
 MSMSGRI32.EXE
 MSSMMC32.EXE
 MSSYS.EXE
 MSVXD.EXE
 MU0311AD.EXE
 MWATCH.EXE
 N32SCANW.EXE
 NAV.EXE
 AUTO-PROTECT.NAV80TRY.EXE
 NAVAP.NAVAPSVC.EXE
 NAVAPSVC.EXE
 NAVAPW32.EXE
 NAVDX.EXE
 NAVLU32.EXE
 NAVNT.EXE
 NAVSTUB.EXE
 NAVW32.EXE
 NAVWNT.EXE
 NC2000.EXE
 NCINST4.EXE
 NDD32.EXE
 NEOMONITOR.EXE
 NEOWATCHLOG.EXE
 NETARMOR.EXE
 NETD32.EXE
 NETINFO.EXE
 NETMON.EXE
 NETSCANPRO.EXE
 NETSPYHUNTER-1.2.EXE
 NETSTAT.EXE
 NETUTILS.EXE
 NISSERV.EXE
 NISUM.EXE
 NMAIN.EXE
 NOD32.EXE
 NORMIST.EXE
 NORTON_INTERNET_SECU_3.0_407.EXE
 NOTSTART.EXE
 NPF40_TW_98_NT_ME_2K.EXE
 NPFMESSENGER.EXE
 NPROTECT.EXE
 NPSCHECK.EXE
 NPSSVC.EXE
 NSCHED32.EXE
 NSSYS32.EXE
 NSTASK32.EXE
 NSUPDATE.EXE
 NT.EXE
 NTRTSCAN.EXE
 NTVDM.EXE
 NTXconfig.EXE
 NUI.EXE
 NUPGRADE.EXE
 NUPGRADE.EXE
 NVARCH16.EXE
 NVC95.EXE
 NVSVC32.EXE
 NWINST4.EXE
 NWSERVICE.EXE
 NWTOOL16.EXE
 OLLYDBG.EXE
 ONSRVR.EXE
 OPTIMIZE.EXE
 OSTRONET.EXE
 OTFIX.EXE
 OUTPOST.EXE
 OUTPOST.EXE
 OUTPOSTINSTALL.EXE
 OUTPOSTPROINSTALL.EXE
 PADMIN.EXE
 PANIXK.EXE
 PATCH.EXE
 PAVCL.EXE
 PAVPROXY.EXE
 PAVSCHED.EXE
 PAVW.EXE
 PCFWALLICON.EXE
 PCIP10117_0.EXE
 PCSCAN.EXE
 PDSETUP.EXE
 PERISCOPE.EXE
 PERSFW.EXE
 PERSWF.EXE
 PF2.EXE
 PFWADMIN.EXE
 PGMONITR.EXE
 PINGSCAN.EXE
 PLATIN.EXE
 POP3TRAP.EXE
 POPROXY.EXE
 POPSCAN.EXE
 PORTDETECTIVE.EXE
 PORTMONITOR.EXE
 POWERSCAN.EXE
 PPINUPDT.EXE
 PPTBC.EXE
 PPVSTOP.EXE
 PRIZESURFER.EXE
 PRMT.EXE
 PRMVR.EXE
 PROCDUMP.EXE
 PROCESSMONITOR.EXE
 PROCEXPLORERV1.0.EXE
 PROGRAMAUDITOR.EXE
 PROPORT.EXE
 PROTECTX.EXE
 PSPF.EXE
 PURGE.EXE
 QCONSOLE.EXE
 QSERVER.EXE
 RAPAPP.EXE
 RAV7.EXE
 RAV7WIN.EXE
 RAV8WIN32ENG.EXE
 RAY.EXE
 RB32.EXE
 RCSYNC.EXE
 REALMON.EXE
 REGED.EXE
 REGEDIT.EXE
 REGEDT32.EXE
 RESCUE.EXE
 RESCUE32.EXE
 RRGUARD.EXE
 RSHELL.EXE
 RTVSCAN.EXE
 RTVSCN95.EXE
 RULAUNCH.EXE
 RUN32DLL.EXE
 RUNDLL.EXE
 RUNDLL16.EXE
 RUXDLL32.EXE
 SAFEWEB.EXE
 SAHAGENT.EXE
 SAVE.EXE
 SAVENOW.EXE
 SBSERV.EXE
 SC.EXE
 SCAM32.EXE
 SCAN32.EXE
 SCAN95.EXE
 SCANPM.EXE
 SCRSCAN.EXE
 SETUPVAMEEVAL.EXE
 SETUP_FLOWPROTECTOR_US.EXE
 SFC.EXE
 SGSSFW32.EXE
 SH.EXE
 SHELLSPYINSTALL.EXE
 SHN.EXE
 SHOWBEHIND.EXE
 SMC.EXE
 SMS.EXE
 SMSS32.EXE
 SOAP.EXE
 SOFI.EXE
 SPERM.EXE
 SPF.EXE
 SPHINX.EXE
 SPOLER.EXE
 SPOOLCV.EXE
 SPOOLSV32.EXE
 SPYXX.EXE
 SREXE.EXE
 SRNG.EXE
 SS3EDIT.EXE
 SSGRATE.EXE
 SSG_4104.EXE
 ST2.EXE
 START.EXE
 STCLOADER.EXE
 SUPFTRL.EXE
 SUPPORT.EXE
 SUPPORTER5.EXE
 SVC.EXE
 SVCHOSTC.EXE
 SVCHOSTS.EXE
 SVSHOST.EXE
 SWEEP95.EXE
 SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE
 SYMPROXYSVC.EXE
 SYMTRAY.EXE
 SYSEDIT.EXE
 SYSTEM.EXE
 SYSTEM32.EXE
 SYSUPD.EXE
 TASKMG.EXE
 TASKMO.EXE
 TASKMON.EXE
 TAUMON.EXE
 TBSCAN.EXE
 TC.EXE
 TCA.EXE
 TCM.EXE
 TDS-3.EXE
 TDS2-NT.EXE
 TEEKIDS.EXE
 TFAK.EXE
 TFAK5.EXE
 TGBOB.EXE
 TITANIN.EXE
 TITANINXP.EXE
 TRACERT.EXE
 TRICKLER.EXE
 TRJSCAN.EXE
 TRJSETUP.EXE
 TROJANTRAP3.EXE
 TSADBOT.EXE
 TVMD.EXE
 TVTMD.EXE
 UNDOBOOT.EXE
 UPDAT.EXE
 UPDATE.EXE
 UPDATE.EXE
 UPGRAD.EXE
 UTPOST.EXE
 VBCMSERV.EXE
 VBCONS.EXE
 VBUST.EXE
 VBWIN9X.EXE
 VBWINNTW.EXE
 VCSETUP.EXE
 VET32.EXE
 VET95.EXE
 VETTRAY.EXE
 VFSETUP.EXE
 VIR-HELP.EXE
 VIRUSMDPERSONALFIREWALL.EXE
 VNLAN300.EXE
 VNPC3000.EXE
 VPC32.EXE
 VPC42.EXE
 VPFW30S.EXE
 VPTRAY.EXE
 VSCAN40.EXE
 VSCENU6.02D30.EXE
 VSCHED.EXE
 VSECOMR.EXE
 VSHWIN32.EXE
 VSISETUP.EXE
 VSMAIN.EXE
 VSMON.EXE
 VSSTAT.EXE
 VSWIN9XE.EXE
 VSWINNTSE.EXE
 VSWINPERSE.EXE
 W32DSM89.EXE
 W9X.EXE
 WATCHDOG.EXE
 WEBDAV.EXE
 WEBSCANX.EXE
 WEBTRAP.EXE
 WFINDV32.EXE
 WHOSWATCHINGME.EXE
 WIMMUN32.EXE
 WIN-BUGSFIX.EXE
 WIN32.EXE
 WIN32US.EXE
 WINACTIVE.EXE
 WINDOW.EXE
 WINDOWS.EXE
 WININETD.EXE
 WININIT.EXE
 WININITX.EXE
 WINLOGIN.EXE
 WINMAIN.EXE
 WINNET.EXE
 WINPPR32.EXE
 WINRECON.EXE
 WINSERVN.EXE
 WINSSK32.EXE
 WINSTART.EXE
 WINSTART001.EXE
 WINTSK32.EXE
 WINUPDATE.EXE
 WKUFIND.EXE
 WNAD.EXE
 WNT.EXE
 WRADMIN.EXE
 WRCTRL.EXE
 WSBGATE.EXE
 WUPDATER.EXE
 WUPDT.EXE
 WYVERNWORKSFIREWALL.EXE
 XPF202EN.EXE
 ZAPRO.EXE
 ZAPSETUP3001.EXE
 ZATUTOR.EXE
 ZONALM2601.EXE
 ZONEALARM.EXE
 _AVP32.EXE
 _AVPCC.EXE
 _AVPM.EXE
 CMD.EXE
 TASKMGR.EXE
 NEC.EXE
 

In addition the worm modifies HOSTS file to block access to the following websites:

www.symantec.com
 securityresponse.symantec.com
 symantec.com
 www.sophos.com
 sophos.com
 www.mcafee.com
 mcafee.com
 liveupdate.symantecliveupdate.com
 www.viruslist.com
 viruslist.com
 viruslist.com
 f-secure.com
 www.f-secure.com
 kaspersky.com
 kaspersky-labs.com
 www.avp.com
 www.kaspersky.com
 avp.com
 www.networkassociates.com
 networkassociates.com
 www.ca.com
 ca.com
 mast.mcafee.com
 my-etrust.com
 www.my-etrust.com
 download.mcafee.com
 dispatch.mcafee.com
 secure.nai.com
 nai.com
 www.nai.com
 update.symantec.com
 updates.symantec.com
 us.mcafee.com
 liveupdate.symantec.com
 customer.symantec.com
 rads.mcafee.com
 trendmicro.com
 www.trendmicro.com
 www.grisoft.com
 www.microsoft.com
 microsoft.com
 www.msn.com
 www.virustotal.com
 virustotal.com
 www.oxyd.fr
 oxyd.fr
 www.t35.com
 t35.com
 www.t35.net
 t35.net
 

The modified HOSTS file is detected as 'Trojan.Win32.Qhost.cb'.



Detection


F-Secure Anti-Virus detects this worm with the following updates:
Detection Type: PC
Database: 2005-06-06_01



Technical Details: Alexey Podrezov; June 9th, 2005


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Disinfect your PC

F-Secure Anti-Virus will disinfect your PC and remove all harmful files

Learn More