Threat Description

Worm: ​W32/Mytob.A

Details

Category: Malware
Type: Worm
Platform: W32
Aliases: Worm:​W32/Mytob.A

Summary


Worm:W32/Mytob.A is a worm that has functionality similar to the MyDoom worm family functionality. This worm includes code to spread over a network by exploiting the known LSASS vulnerability.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


In addition to propagating, Mytob.A is also able to function as an IRC bot.

The worm is a PE executable file 42512 bytes long, packed with FSG file compressor.

Installation

When run, the worm copies under %SYSTEM% directory using the name 'msnmsgr.exe' and creates a mutex named 'D66'.

It will then alters the registry entries to ensure that it gets started when a user logs on or the system is restarted:

  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
  • [HKCU\SYSTEM\CurrentControlSet\Control\Lsa] "MSN" = "msnmsgr.exe"
Payload

The worm tries to connect to an IRC channel at a predefined address using TCP port 6667. An attacker who knows channel password can instruct the created bot to execute the following actions:

  • Request worm uptime
  • Request worm version
  • Shutdown worm
  • Download and execute files
  • Delete files
  • Update worm
Propagation (E-mail)

The worm spreads by sending its infected attachment to e-mail addresses found on an infected computer. E-mail addresses are harvested from Windows Address Book (WAB) and from files with the following extensions:

  • htm
  • sht
  • php
  • asp
  • dbx
  • tbb
  • adb
  • wab
  • pl

The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:

  • accoun
  • acketst
  • admin
  • anyone
  • arin.
  • be_loyal
  • berkeley
  • borlan
  • bugs
  • certific
  • contact
  • .edu
  • example
  • feste
  • fido
  • foo.
  • fsf.
  • gold-certs
  • google
  • .gov
  • gov.
  • help
  • hotmail
  • iana
  • ibm.com
  • icrosof
  • icrosoft
  • ietf
  • info
  • inpris
  • isc.o
  • isi.e
  • kernel
  • linux
  • listserv
  • math
  • .mil
  • mit.e
  • mozilla
  • msn.
  • mydomai
  • nobody
  • nodomai
  • noone
  • nothing
  • ntivi
  • page
  • panda
  • postmaster
  • privacy
  • rating
  • rfc-ed
  • ripe.
  • root
  • ruslis
  • samples
  • secur
  • sendmail
  • service
  • site
  • soft
  • somebody
  • someone
  • sopho
  • submit
  • support
  • syma
  • tanford.e
  • the.bat
  • unix
  • usenet
  • utgers.ed
  • webmaster
  • your

The e-mail message is composed from randomly chosen subject line, body text and additional parts. The worm has a selection of attachment names that it uses for its attachment. The subject of infected e-mails is selected from the following variants:

  • Error
  • Status
  • Server Report
  • Mail Transaction Failed
  • Mail Delivery System
  • hello
  • hi

The attachment name is composed using the following predefined keywords:

  • body
  • message
  • test
  • data
  • file
  • text
  • doc

The extension for the filename can be one of the following:

  • bat
  • cmd
  • exe
  • scr
  • pif

For example:

  • body.scr
Propagation (Exploit)

The worm spreads to remote computers using LSASS vulnerability. It contacts remote computers on TCP port 445, exploits the vulnerability and copies its file to a remote system.

Variants

Mytob.B is a minor variant of Mytob.A that includes functionality from the MyDoom family of e-mail worms and IRC-bots.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More