Mytob.au

Threat description

Details

Category: Malware
Type: Worm

Summary

Mytob.au is a new variant of the Mytob family of worms. Unlike previous variants, which spread using both e-mail and the LSASS vulnerability, this variant spreads only through e-mail.

Removal

Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

The worm is a PE executable file 33280 bytes long, packed with Yoda's crypt and Morphine.

Installation to system

When run, the worm copies itself to the %SYSTEM% directory under the name '1hellbot.exe' and creates a named mutex 'H-e-l-l-B-o-t-3!!!'.

It then adds the following value under both of these registry keys so that it is started when a user logs on or the system is restarted:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"HELLBOT TEST" = "1hellbot.exe"

Spreading in e-mails

The worm spreads by sending itself as an infected attachment to e-mail addresses found on the infected computer. Addresses are harvested from the Windows Address Book and from files with the following extensions:

txt
htm
sht
jsp
cgi
xml
php
asp
dbx
tbb
adb
wab
pl
 

The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:

syma
icrosof
msn.
hotmail
panda
sopho
borlan
inpris
example
mydomai
nodomai
ruslis
.gov
gov.
.mil
foo.
berkeley
unix
math
mit.e
fsf.
ibm.com
google
kernel
linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
ripe.
isi.e
isc.o
secur
acketst
tanford.e
utgers.ed
mozilla
be_loyal:
root
info
samples
postmaster
webmaster
noone
nobody
nothing
anyone
someone
your
bugs
rating
site
contact
soft
somebody
privacy
service
help
submit
feste
gold-certs
the.bat
page
admin
icrosoft
support
ntivi
unix
linux
listserv
certific
google
accoun
fcnz
secur
abuse
 

The e-mail message is composed from a randomly chosen subject line, body text and additional parts; the attachment name is likewise chosen from a fixed set of names. The subject of infected e-mails is selected from the following variants:

Notice: **Last Warning**
Your email account access is restricted
Your Email Account is Suspended For Security Reasons
Notice:***Your email account will be suspended***
Security measures
Email Account Suspension
*IMPORTANT* Please Validate Your Email Account
*IMPORTANT* Your Account Has Been Locked
 

Body text is selected from the following list:

Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
To unblock your email account acces, please see the attachment.
Follow the instructions in the attachment.
We have suspended some of your email services, to resolve the problem you should read the attached document.
To safeguard your email account from possible termination , please see the attached file.
please look at attached document.
Account Information Are Attached!

The attachment name is composed from predefined keywords: a name keyword followed by an extension keyword. The name keyword set is:

email-info
email-text
email-doc
information
your_details
INFO
IMPORTANT
info-text
 

The extension keyword set is:

bat
cmd
exe
scr
pif
 

For example:

IMPORTANT.scr

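
A mail-gateway check for these lures, as an added example that is not part of the original description or of F-Secure's own tooling: it flags a message whose subject matches the list above, or whose attachment name is one of the name keywords joined to one of the extension keywords. The broader "executable-attachment" reason goes beyond the page: it reports any attachment with one of the worm's five executable extensions, whatever its name. The message records at the bottom are constructed sample input, not captured mail.

```python
import re

# Subject lines the worm selects from (copied from the list above).
MYTOB_AU_SUBJECTS = [
    "Notice: **Last Warning**",
    "Your email account access is restricted",
    "Your Email Account is Suspended For Security Reasons",
    "Notice:***Your email account will be suspended***",
    "Security measures",
    "Email Account Suspension",
    "*IMPORTANT* Please Validate Your Email Account",
    "*IMPORTANT* Your Account Has Been Locked",
]

# Attachment name keywords and extension keywords, as listed above.
NAME_KEYWORDS = ["email-info", "email-text", "email-doc", "information",
                 "your_details", "INFO", "IMPORTANT", "info-text"]
EXT_KEYWORDS = ["bat", "cmd", "exe", "scr", "pif"]

# The worm builds <name keyword>.<extension keyword>, so an exact,
# case-insensitive match on that shape is enough to catch its attachments.
ATTACHMENT_RE = re.compile(
    r"^(?:%s)\.(?:%s)$" % ("|".join(re.escape(k) for k in NAME_KEYWORDS),
                           "|".join(EXT_KEYWORDS)),
    re.IGNORECASE,
)


def _norm(text):
    # Collapse whitespace and ignore case so minor mangling in transit
    # does not defeat the subject match.
    return " ".join(text.split()).casefold()


_NORM_SUBJECTS = {_norm(s) for s in MYTOB_AU_SUBJECTS}


def classify_message(subject, attachment_names):
    """Return the list of reasons a message looks like a Mytob.au lure.

    "subject": the subject is one of the worm's lure subjects.
    "attachment-name": an attachment matches the worm's name pattern.
    "executable-attachment": an attachment has one of the worm's executable
    extensions but not one of its names (generic policy, wider than the page).
    """
    reasons = []
    if _norm(subject) in _NORM_SUBJECTS:
        reasons.append("subject")
    for name in attachment_names:
        if ATTACHMENT_RE.match(name):
            reasons.append("attachment-name")
        elif name.rsplit(".", 1)[-1].lower() in EXT_KEYWORDS:
            reasons.append("executable-attachment")
    return reasons


# Constructed sample messages (not real captured mail).
SAMPLE_MESSAGES = [
    {"id": "msg-1", "subject": "*IMPORTANT* Your Account Has Been Locked",
     "attachments": ["IMPORTANT.scr"]},
    {"id": "msg-2", "subject": "Security   measures",
     "attachments": ["email-doc.PIF"]},
    {"id": "msg-3", "subject": "Lunch on Friday?",
     "attachments": ["menu.pdf"]},
    {"id": "msg-4", "subject": "Installer you asked for",
     "attachments": ["setup.exe"]},
]


def scan_messages(messages):
    """Map message id -> reasons, for every message that triggered a rule."""
    flagged = {}
    for msg in messages:
        reasons = classify_message(msg["subject"], msg["attachments"])
        if reasons:
            flagged[msg["id"]] = reasons
    return flagged


if __name__ == "__main__":
    for msg_id, reasons in scan_messages(SAMPLE_MESSAGES).items():
        print(msg_id, "->", ", ".join(reasons))
```

Because the worm draws both subject and attachment name from short fixed lists, an exact match on either is a high-confidence indicator; the executable-extension rule is the weaker, generic fallback and would normally feed a quarantine-and-review queue rather than an outright block.
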
Bot functionality

The worm tries to connect to an IRC channel at a predefined address. An attacker who knows the channel password can instruct the bot to perform the following actions:

Request worm uptime
Request worm version
Shutdown worm
Download and execute files
Delete files
Update worm
 
Other details

Mytob.au tries to terminate processes with the following names:

regedit.exe
msconfig.exe
cmd.exe
taskmgr.exe
netstat.exe
zapro.exe
navw32.exe
navapw32.exe
zonealarm.exe
wincfg32.exe
PandaAVEngine.exe

It also modifies the system hosts file to block anti-virus vendors' update servers. The following hostnames are redirected to the localhost address (127.0.0.1):

www.symantec.com
securityresponse.symantec.com
symantec.com
www.sophos.com
sophos.com
www.mcafee.com
mcafee.com
liveupdate.symantecliveupdate.com
www.viruslist.com
viruslist.com
f-secure.com
www.f-secure.com
kaspersky.com
kaspersky-labs.com
www.avp.com
www.kaspersky.com
avp.com
www.networkassociates.com
networkassociates.com
www.ca.com
ca.com
mast.mcafee.com
my-etrust.com
www.my-etrust.com
download.mcafee.com
dispatch.mcafee.com
secure.nai.com
nai.com
www.nai.com
update.symantec.com
updates.symantec.com
us.mcafee.com
liveupdate.symantec.com
customer.symantec.com
rads.mcafee.com
trendmicro.com
www.trendmicro.com
www.grisoft.com
www.microsoft.com
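
A host-side check for the artifacts described in the "Installation to system" and "Other details" sections, as an added example that is not part of the original description or of any F-Secure product: it parses a hosts file and a .reg export of the Run and RunServices keys and reports the worm's persistence value and hosts-file redirects. It generalizes slightly beyond the page: any hosts entry for one of the vendor domains listed above, or a subdomain of one, is reported whatever IP it maps to, since none of those hosts belongs in a hosts file. The hosts and registry text below are constructed sample input; on a real system you would read %SystemRoot%\System32\drivers\etc\hosts and an export of the two keys instead.

```python
import re

# Vendor domains whose hosts the worm redirects (derived from the list above).
BLOCKED_VENDOR_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "kaspersky-labs.com",
    "avp.com", "networkassociates.com", "ca.com", "my-etrust.com",
    "nai.com", "trendmicro.com", "grisoft.com", "microsoft.com",
)

# Persistence indicators from the "Installation to system" section.
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
AUTORUN_VALUE_NAME = "HELLBOT TEST"
DROPPED_FILE = "1hellbot.exe"
MUTEX_NAME = "H-e-l-l-B-o-t-3!!!"  # for reference; checked with other tooling


def _is_vendor_host(hostname):
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_VENDOR_DOMAINS)


def find_hosts_overrides(hosts_text):
    """Return (hostname, ip) pairs for vendor hosts mapped in a hosts file."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        for name in names:
            if _is_vendor_host(name):
                hits.append((name, ip))
    return hits


_REG_KEY_RE = re.compile(r"^\[(.+)\]$")
_REG_VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')


def find_autorun_entries(reg_text):
    """Return (key, name, data) for suspicious values in a .reg export.

    A value is suspicious if it lives under Run/RunServices and either has
    the worm's value name or points at the dropped file name.
    """
    hits = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = _REG_KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = _REG_VALUE_RE.match(line)
        if not value_match or current_key not in AUTORUN_KEYS:
            continue
        name, data = value_match.group(1), value_match.group(2)
        if name.upper() == AUTORUN_VALUE_NAME or data.lower().endswith(DROPPED_FILE):
            hits.append((current_key, name, data))
    return hits


# Constructed sample hosts file: one legitimate entry plus worm redirects.
SAMPLE_HOSTS = """# constructed sample, not a real system file
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantecliveupdate.com  # added by the worm
127.0.0.1       www.f-secure.com
"""

# Constructed sample .reg export: one benign value plus the worm's value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"HELLBOT TEST"="1hellbot.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"HELLBOT TEST"="1hellbot.exe"
"""

if __name__ == "__main__":
    for host, ip in find_hosts_overrides(SAMPLE_HOSTS):
        print("hosts override:", host, "->", ip)
    for key, name, data in find_autorun_entries(SAMPLE_REG):
        print("autorun value:", key, name, "=", data)
```

Cleaning up after a detection means removing the hosts entries as well as the file and registry value: while the redirects remain, the signature updates needed to confirm the machine is clean cannot be downloaded.
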
 
Detection

Detection Type: PC

Database: 2005-05-09_01
