
Mytob.bd

Classification

Category:

Malware

Aliases:

  • Mytob.bd
  • Net-Worm.Win32.Mytob.bd
  • W32/Mytob.bd@mm

Summary

The Mytob.bd worm-backdoor appeared at the very end of May 2005. It sends emails containing a URL to a website that hosts an infected file, and it also contains an IRC-controlled backdoor.

Removal

Technical Details

The worm is a PE executable file 26541 bytes long, packed with a new version of the Unpack file compressor.

Installation to system

When run, the worm creates a mutex with the name 'H-B-O-T-H-T-M-L-TEST'. Then it copies itself as TEST3.EXE to the Windows System folder and creates startup keys for this file in the Registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"WINDOWS SYSTEM" = "test3.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WINDOWS SYSTEM" = "test3.exe"

The worm also modifies the following key value:

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start" = dword:00000004

The worm has the capability to restore its file and startup keys in the Registry if they are modified or deleted.
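The persistence indicators above (the 'WINDOWS SYSTEM' values pointing at test3.exe and the SharedAccess service set to Start=4, which is the disabled state for a Windows service) can be checked offline against a `.reg` export. This is an added example for this description, not F-Secure's tooling; the registry fragment is constructed to resemble such an export.

```python
# Constructed .reg export fragment (not from the page) that contains the values
# this variant writes, plus one unrelated Run entry that must not be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WINDOWS SYSTEM"="test3.exe"
"Harmless"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WINDOWS SYSTEM"="test3.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""

STARTUP_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES",
)
SHAREDACCESS = r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS"


def parse_reg(text):
    """Return {KEY_PATH: {VALUE_NAME: raw_data}} for a .reg export (names upper-cased)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"').upper()] = data.strip()
    return keys


def find_indicators(keys):
    """List the Mytob.bd persistence indicators present in the parsed export."""
    hits = []
    for key in STARTUP_KEYS:
        data = keys.get(key, {}).get("WINDOWS SYSTEM", "")
        if "test3.exe" in data.lower():
            hits.append(f"startup value 'WINDOWS SYSTEM' -> {data} under {key}")
    start = keys.get(SHAREDACCESS, {}).get("START", "")
    if start.lower() == "dword:00000004":
        hits.append("SharedAccess service Start=4 (service disabled)")
    return hits
```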

Spreading in emails

To obtain victims' email addresses the worm reads the user's Address Book and also scans files with the following extensions on all hard disks and RAM drives:

txt htm sht jsp cgi xml php asp dbx tbb adb pl wab

The worm also scans the Internet Explorer cache folders and the Windows System folder. It ignores email addresses containing any of the following substrings:

avp syma icrosof msn. hotmail panda sopho borlan inpris example mydomai nodomai ruslis .gov gov. .mil foo. berkeley unix math bsd mit.e gnu fsf. ibm.com google kernel linux fido usenet iana ietf rfc-ed sendmail arin. ripe. isi.e isc.o secur acketst pgp tanford.e utgers.ed mozilla root info samples postmaster webmaster noone nobody nothing anyone someone your you me bugs rating site contact soft no somebody privacy service help not submit feste ca gold-certs the.bat page admin icrosoft support ntivi unix bsd linux listserv certific google accoun spm spam

The worm sends email messages with different subjects. Here's the list of subject texts that the worm uses:

  • Notice: **Last Warning**
  • *IMPORTANT* Please Validate Your Account
  • Account Alert
  • Important Notification
  • *IMPORTANT* Please Confirm Your Account
  • Security measures
  • Notice of account limitation

The body text of the email messages sent by the worm is static:

Dear Valued Member, According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons Thank you for your attention to this question. We apologize for any inconvenience. Sincerely, Security Department Assistant.

where <domain_name> is the recipient's email account domain name.

It should be noted that the email is composed in HTML format and contains a URL that looks like this:

http://www.<domain_name>/confirm.php?email=<recipients_email>

where <domain_name> is the recipient's email account domain name and <recipients_email> is the recipient's email address. Here's an example:


But actually the URL points to a website with the IP address 62.193.220.183 that should host an infected file. However, this website is already down, so we cannot check what the name of the infected file is or how it is delivered to a recipient who clicks on the URL.
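A mail filter can catch this lure by comparing the link a recipient sees with where it actually goes. The check below is an added example, not part of this description: it assumes the visible anchor text carries the recipient's own domain while the href points to a bare IP or another host, and the HTML body and the 192.0.2.10 address are constructed placeholders, not the real worm's content.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress

# Constructed HTML body: the shown link names the recipient's domain, while the
# real href points at a placeholder (documentation-range) IP address.
SAMPLE_HTML = """<html><body>Dear Valued Member, ... confirm your account by the
following link:
<a href="http://192.0.2.10/confirm.php?email=user@example.com">
http://www.example.com/confirm.php?email=user@example.com</a></body></html>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html, recipient):
    """Return (shown_text, href) for links whose shown URL names the recipient's
    own domain while the href goes to a bare IP or a host outside that domain."""
    domain = recipient.split("@", 1)[1].lower()
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        real = (urlsplit(href).hostname or "").lower()
        shown = (urlsplit(text).hostname or "").lower() if text.startswith("http") else ""
        if shown.endswith(domain) and (is_ip(real) or not real.endswith(domain)):
            flagged.append((text, href))
    return flagged
```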

The worm fakes the sender's email address. It is composed from the following user names:


and the recipient's email account domain name.

IRC-controlled Backdoor

When the worm is active it tries to connect to the following IRC server and channel:


If the connection is successful, the worm creates a bot in that channel. A hacker can send commands to a bot in order to control an infected computer. A hacker can do any of the following:

  • change IRC server
  • change channel mode
  • join specified channel
  • change bot's nick (randomly generated)
  • kick a user out of a channel
  • ping a user/server
  • set channel topic
  • exit from a channel
  • quit from IRC
  • get information about an infected system
  • download and run a file (update worm's file)
  • remove worm from a computer
  • send raw command
  • start mass-mailing
  • stop mass-mailing

Payload

When the worm is active in memory it looks for and terminates processes with the following names:


In addition, the worm modifies the HOSTS file to block access to the following websites:


The modified HOSTS file is detected as 'Trojan.Win32.Qhost.cd'.
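The Qhost-style modification described above maps websites to a loopback or unspecified address so they can no longer be reached. The parser below is an added example, not F-Secure's detection logic; the HOSTS content and hostnames are constructed, since this description does not reproduce the worm's real list.

```python
import ipaddress

# Constructed HOSTS file: the first mappings are legitimate, the last three are
# the kind of sinkhole entries a Qhost-style modification adds.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        intranet.corp.example   # legitimate local mapping
127.0.0.1       update.antivirus-vendor.example
127.0.0.1       www.antivirus-vendor.example
0.0.0.0         download.security-updates.example
"""

# Names that are normally and harmlessly mapped to loopback.
LOCAL_NAMES = ("localhost", "localhost.localdomain", "broadcasthost")


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def sinkholed_hosts(text):
    """Return hostnames that the HOSTS file maps to a loopback or unspecified
    address and that are not the standard local names."""
    hits = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; not an address at all
        if (addr.is_loopback or addr.is_unspecified) and name not in LOCAL_NAMES:
            hits.append(name)
    return hits
```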
