Threat Description


Category: Malware
Type: Worm
Platform: W32

Summary is a new variant of Mytob family of worms. Unlike the previous variants which used email and LSASS vulnerability in spreading, this variant only uses emails.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

The worm is a PE executable file 33280 bytes long, packed with Yoda's crypt and Morphine.

Installation to system

When run, the worm copies under %SYSTEM% directory using the name '1hellbot.exe' and creates a named mutex 'H-e-l-l-B-o-t-3!!!'.

It then alters registry entries to ensure that it is started when a user logs on or the system is restarted:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]  "HELLBOT TEST" = "1hellbot.exe"   
Spreading in e-mails

The worm spreads by sending its infected attachment to e-mail addresses found on an infected computer. E-mail addresses are harvested from Windows address book and from files with the following extensions:

txt  htm  sht  jsp  cgi  xml  php  asp  dbx  tbb  adb  wab  pl   

The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:

syma  icrosof  msn.  hotmail  panda  sopho  borlan  inpris  example  mydomai  nodomai  ruslis  .gov  gov.  .mil  foo.  berkeley  unix  math  mit.e  fsf.  google  kernel  linux  fido  usenet  iana  ietf  rfc-ed  sendmail  arin.  ripe.  isi.e  isc.o  secur  acketst  tanford.e  utgers.ed  mozilla  be_loyal:  root  info  samples  postmaster  webmaster  noone  nobody  nothing  anyone  someone  your  bugs  rating  site  contact  soft  somebody  privacy  service  help  submit  feste  gold-certs  the.bat  page  admin  icrosoft  support  ntivi  unix  linux  listserv  certific  google  accoun  fcnz  secur  abuse   

The e-mail message is composed from randomly chosed subject line, body text and additional parts. The worm has a selection of attachment names that it uses for its attachment. The subject of infected e-mails is selected from the following variants:

Notice: **Last Warning**  Your email account access is restricted  Your Email Account is Suspended For Security Reasons  Notice:***Your email account will be suspended***  Security measures  Email Account Suspension  *IMPORTANT* Please Validate Your Email Account  *IMPORTANT* Your Account Has Been Locked   

Body text is selected from the following list:

Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal. To unblock your email account acces, please see the attachment. Follow the instructions in the attachment. We have suspended some of your email services, to resolve the problem you should read the attached document. To safeguard your email account from possible termination , please see the attached file. please look at attached document. Account Information Are Attached! 			  

The attachment name is composed using predefined keywords. The keywords set is:

email-info  email-text  email-doc  information  your_details  INFO  IMPORTANT  info-text   

And extension keywords set is:

bat  cmd  exe  scr  pif   

For example:

Bot functionality

The worm tries to connect to IRC channel at predefined address. The attacker who knows channel password can instruct the bot to execute the following actions:

Request worm uptime  Request worm version  Shutdown worm  Download and execute files  Delete files  Update worm   
Other details tries to terminate processes with the following name:

regedit.exe  msconfig.exe  cmd.exe  taskmgr.exe  netstat.exe  zapro.exe  navw32.exe  navapw32.exe  zonealarm.exe  wincfg32.exePandaAVEngine.exe   

It will also update system hosts file in order to disable Anti-Virus companies database updates. Following hostnames are redirected to localhost IP address (   


Detection Type: PC
Database: 2005-05-09_01

Technical Details:Jarkko Turkulainen; May 10th, 2005


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More