Threat Description

Mytob.do

Details

Aliases: Mytob.do, Net-Worm.Win32.Mytob.do
Category: Malware
Type: Worm
Platform: W32

Summary



Mytob.do is a typical variant of Mytob. It combines the functionality of an IRC bot and a mass-mailing worm.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



Installation to system

When run, the worm copies itself as 'dbg32.exe' to the Windows System folder and creates the following registry startup keys:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Debugger" = "dbg32.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Debugger" = "dbg32.exe"

The worm also modifies the following key value:

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start" = dword:00000004

The worm also drops a file named 'syst.exe' into the Windows System folder and executes it. This file is a trojan downloader detected as 'Trojan-Downloader.Win32.Monurl.gen'.
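As an added illustration (not part of F-Secure's description), the following Python parses a constructed .reg-style export and flags the two persistence indicators listed above: a "Debugger" value, or any value pointing at dbg32.exe, under either Run key, and the SharedAccess service (the Windows XP Firewall/Internet Connection Sharing service) set to start type 4, which is SERVICE_DISABLED. The key paths and value names come from the advisory; the sample exports, the unrelated 'TrayApp' entry and the function names are constructed for the example.

```python
import re
from typing import Dict, Optional, List

HKLM = "HKEY_LOCAL_MACHINE"
RUN_KEYS = (
    HKLM + r"\Software\Microsoft\Windows\CurrentVersion\Run",
    HKLM + r"\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
SHARED_ACCESS = HKLM + r"\SYSTEM\CurrentControlSet\Services\SharedAccess"
SERVICE_DISABLED = 4  # Win32 service start type 4 = SERVICE_DISABLED

# Constructed fixture: a .reg export as it might look on an infected host.
# "TrayApp" stands in for an unrelated, legitimate autostart entry.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TrayApp"="C:\\Program Files\\Vendor\\tray.exe"
"Debugger"="dbg32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Debugger"="dbg32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""

# Constructed fixture: the same keys on a clean host (SharedAccess set to Automatic).
CLEAN_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TrayApp"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002
"""

VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax used above: [key] headers followed by "name"=value lines.
    Quoted REG_SZ values are unescaped; dword:/hex: values are kept verbatim."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, raw = m.group(1), m.group(2)
            if raw.startswith('"') and raw.endswith('"'):
                raw = raw[1:-1].replace("\\\\", "\\")
            keys[current][name] = raw
    return keys


def service_start_type(keys: Dict[str, Dict[str, str]], service_key: str) -> Optional[int]:
    """Return the numeric Start value of a service key, or None if absent/unparseable."""
    raw = keys.get(service_key, {}).get("Start", "")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return None


def find_mytob_indicators(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Collect the registry indicators the advisory associates with Mytob.do."""
    findings = []
    for key in RUN_KEYS:
        for name, value in keys.get(key, {}).items():
            if name.lower() == "debugger" or value.lower().endswith("dbg32.exe"):
                findings.append(f"{key}\\{name} = {value}")
    if service_start_type(keys, SHARED_ACCESS) == SERVICE_DISABLED:
        findings.append(f"{SHARED_ACCESS}\\Start = 4 (SharedAccess disabled)")
    return findings


if __name__ == "__main__":
    for finding in find_mytob_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("INDICATOR:", finding)
```

On a live host the same checks can be run against `reg export` output of the three keys; a disabled SharedAccess service on its own is only a weak signal, so it is reported alongside the autostart entries rather than as a verdict.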

Spreading in e-mails

To obtain victims' e-mail addresses the worm reads the user's Address Book and also scans files with the following extensions on all hard disks and RAM drives:

txt
htm
sht
jsp
cgi
xml
php
asp
dbx
tbb
adb
wab

The worm ignores e-mail addresses with any of the following substrings:

abuse
accoun
acketst
admin
anyone
arin.
avp
be_loyal:
berkeley
borlan
bsd
bugs
certific
example
fcnz
fido
foo.
fsf.
gnu
google
.gov
gov.
hotmail
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
listserv
math
.mil
mit.e
mozilla
msn.
mydomai
nobody
nodomai
noone
nothing
ntivi
panda
pgp
postmaster
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
site
someone
sopho
spm
support
syma
tanford.e
unix
usenet
utgers.ed
webmaster
www
you
your
contact
soft
somebody
privacy
service
help
not
submit
feste
gold-certs
the.bat
page
support
administrator
mail
service
admin
info
register
webmaster

The worm sends e-mail messages with different subjects. Here's the list of subject texts that the worm uses:

Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation

The body text of the e-mail messages is one of the following:

Dear user <user>,
You have successfully updated the password of your <domain> account.
If you did not authorize this change or if you need assistance with your
account, please contact <domain> customer service at:
Thank you for using <domain>!
The <domain> Support Team
+++ Attachment: No Virus (Clean)

+++ <domain> Antivirus - www.<domain>

Dear user <user>,
It has come to our attention that your <domain> User Profile ( x ) records are
out of date. For further details see the attached document.
Thank you for using <domain>!
The <domain> Support Team
+++ Attachment: No Virus (Clean)

+++ <domain> Antivirus - www.<domain>

Dear <domain> Member,
We have temporarily suspended your email account <UserEmailAddress>.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due
to an internal error within our processors.
See the details to reactivate your <domain> account.
Sincerely,The <domain> Support Team
+++ Attachment: No Virus (Clean)

+++ <domain> Antivirus - www.<domain>

Dear <domain> Member,
Your e-mail account was used to send a huge amount of unsolicited spam messages
during the recent week. If you could please take 5-10 minutes out of your
online experience and confirm the attached document so you will not run into
any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to cancel your
membership.
Virtually yours,
The <domain> Support Team
+++ Attachment: No Virus found

+++ <domain> Antivirus - www.<domain>

Where <user> is the username and <domain> is the domain part of the recipient's e-mail address.

The attachment is usually a ZIP file with one of the following names:

updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report

The attached filename consists of one of the above keywords followed by the extension 'doc', 'htm' or 'txt', a random number of space characters, and a final extension that is one of the following:

.pif
.scr
.exe
.cmd
.bat

For example, the filename can be 'account-report.txt<multiple spaces>.scr'.
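The subject lines, the fake "No Virus" footer and the padded double-extension attachment names described above together make a recognisable lure. The following Python is an added example of a mail-gateway style check built from them; it is not F-Secure's code. It looks inside a ZIP attachment for a member name of the form keyword.txt<spaces>.scr without extracting it. The subject list, keyword list and extensions are taken from the advisory; the message fixture, the ZIP builder and the function names are constructed for the example.

```python
import io
import re
import zipfile
from typing import Dict, List

# Subject lines the advisory lists, lower-cased for case-insensitive matching.
LURE_SUBJECTS = {s.lower() for s in (
    "Your password has been updated",
    "Your password has been successfully updated",
    "You have successfully updated your password",
    "Your new account password is approved",
    "Your Account is Suspended",
    "*DETECTED* Online User Violation",
    "Your Account is Suspended For Security Reasons",
    "Warning Message: Your services near to be closed.",
    "Important Notification",
    "Members Support",
    "Security measures",
    "Email Account Suspension",
    "Notice of account limitation",
)}

# Attachment base names the advisory lists.
ATTACH_KEYWORDS = {
    "updated-password", "email-password", "new-password", "password",
    "approved-password", "account-password", "accepted-password",
    "important-details", "account-details", "email-details", "account-info",
    "document", "readme", "account-report",
}

# keyword . (doc|htm|txt) <any number of spaces> . (pif|scr|exe|cmd|bat)
DOUBLE_EXT_RE = re.compile(
    r"^(?P<kw>[a-z0-9-]+)\.(?:doc|htm|txt)\s*\.(?:pif|scr|exe|cmd|bat)$", re.IGNORECASE)

# Footer every body variant carries to pose as a clean-scan notice.
FAKE_SCAN_FOOTER = "+++ Attachment: No Virus"


def is_padded_double_extension(name: str) -> bool:
    """True for names like 'account-report.txt      .scr' built from a lure keyword."""
    m = DOUBLE_EXT_RE.match(name)
    return bool(m) and m.group("kw").lower() in ATTACH_KEYWORDS


def zip_member_names(data: bytes) -> List[str]:
    """List member names of a ZIP attachment without extracting anything."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def classify_message(subject: str, body: str, attachments: Dict[str, bytes]) -> List[str]:
    """Return the reasons a message looks like a Mytob.do lure (empty list = nothing found).
    attachments maps attachment filename -> raw bytes."""
    reasons = []
    if subject.strip().lower() in LURE_SUBJECTS:
        reasons.append("subject is a known Mytob.do lure")
    if FAKE_SCAN_FOOTER in body:
        reasons.append("body carries the fake 'No Virus' footer")
    for fname, data in attachments.items():
        base, _, ext = fname.rpartition(".")
        if ext.lower() == "zip" and base.lower() in ATTACH_KEYWORDS:
            reasons.append(f"ZIP named with a lure keyword: {fname}")
            for member in zip_member_names(data):
                if is_padded_double_extension(member):
                    reasons.append(f"ZIP member has padded double extension: {member!r}")
        elif is_padded_double_extension(fname):
            reasons.append(f"attachment has padded double extension: {fname!r}")
    return reasons


def build_sample_zip(member_name: str) -> bytes:
    """Constructed fixture: a ZIP holding one harmless text member under the given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "placeholder text, not an executable")
    return buf.getvalue()


# Constructed message modelled on the advisory's first body variant.
SAMPLE_SUBJECT = "Your Account is Suspended"
SAMPLE_BODY = (
    "Dear user alice,\n"
    "You have successfully updated the password of your example.com account.\n"
    "+++ Attachment: No Virus (Clean)\n"
    "+++ example.com Antivirus - www.example.com\n"
)
SAMPLE_ATTACHMENTS = {"account-report.zip": build_sample_zip("account-report.txt      .scr")}

if __name__ == "__main__":
    for reason in classify_message(SAMPLE_SUBJECT, SAMPLE_BODY, SAMPLE_ATTACHMENTS):
        print("MATCH:", reason)
```

Each reason is reported separately so a gateway policy can weight them: the padded double extension inside the ZIP is the strongest single signal, while a matching subject alone would also hit legitimate password-change notices.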

IRC-controlled Backdoor

When the worm is active it tries to connect to the following IRC server and channel:

rax.oucihax.info
#skp

If the connection is successful, the worm joins that channel as a bot. An attacker can send commands to the bot to control the infected computer, and can do any of the following:

  • change IRC server
  • change channel mode
  • join specified channel
  • change bot's nick (randomly generated)
  • kick a user out of a channel
  • ping a user/server
  • set channel topic
  • exit from a channel
  • quit from IRC
  • get information about an infected system
  • download and run a file (update worm's file)
  • remove worm from a computer
  • send raw command
  • start mass-mailing
  • stop mass-mailing


Detection


F-Secure Anti-Virus detects this worm with the following updates:
Detection Type: PC
Database: 2005-11-24_04



Technical Details: Jarkko Turkulainen; Nov 25th, 2005

