Classification

Category :

Malware

Type :

Worm

Aliases :

Mytob.au, Net-Worm.Win32.Mytob.au

Summary

Mytob.au is a new variant of the Mytob family of worms. Unlike the previous variants, which spread both by email and by exploiting the LSASS vulnerability, this variant spreads only by email.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The worm is a PE executable file 33280 bytes long, packed with Yoda's crypt and Morphine.

Installation to system

When run, the worm copies itself to the %SYSTEM% directory using the name '1hellbot.exe' and creates a named mutex 'H-e-l-l-B-o-t-3!!!'.

It then alters registry entries to ensure that it is started when a user logs on or the system is restarted:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"HELLBOT TEST" = "1hellbot.exe"
 

Spreading in emails

The worm spreads by sending itself as an infected attachment to email addresses found on the infected computer. Email addresses are harvested from the Windows Address Book and from files with the following extensions:

txt
htm
sht
jsp
cgi
xml
php
asp
dbx
tbb
adb
wab
pl
 

The worm avoids sending emails to email addresses that contain any of the following substrings:

syma
icrosof
msn.
hotmail
panda
sopho
borlan
inpris
example
mydomai
nodomai
ruslis
.gov
gov.
.mil
foo.
berkeley
unix
math
mit.e
fsf.
ibm.com
google
kernel
linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
ripe.
isi.e
isc.o
secur
acketst
tanford.e
utgers.ed
mozilla
be_loyal:
root
info
samples
postmaster
webmaster
noone
nobody
nothing
anyone
someone
your
bugs
rating
site
contact
soft
somebody
privacy
service
help
submit
feste
gold-certs
the.bat
page
admin
icrosoft
support
ntivi
unix
linux
listserv
certific
google
accoun
fcnz
secur
abuse
 

The email message is composed from a randomly chosen subject line, body text and additional parts. The worm has a selection of attachment names that it uses for its attachment. The subject of infected emails is selected from the following variants:

Notice: **Last Warning**
Your email account access is restricted
Your Email Account is Suspended For Security Reasons
Notice:***Your email account will be suspended***
Security measures
Email Account Suspension
*IMPORTANT* Please Validate Your Email Account
*IMPORTANT* Your Account Has Been Locked
 

Body text is selected from the following list:

Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
To unblock your email account acces, please see the attachment.
Follow the instructions in the attachment.
We have suspended some of your email services, to resolve the problem you should read the attached document.
To safeguard your email account from possible termination , please see the attached file.
please look at attached document.
Account Information Are Attached!

The attachment name is composed using predefined keywords. The keywords set is:

email-info
email-text
email-doc
information
your_details
INFO
IMPORTANT
info-text
 

And extension keywords set is:

bat
cmd
exe
scr
pif
 

For example:

IMPORTANT.scr
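The subject lines, attachment keywords and extensions listed above are fixed sets, so a mail gateway or log reviewer can match against them directly. The following script is an added example and is not F-Secure's code: it classifies a message from its subject and attachment names using only the values given on this page. The sample messages at the bottom are constructed for the demonstration, and matching of attachment stems is done case-insensitively (an assumption; the description lists INFO and IMPORTANT in upper case and the rest in lower case).

```python
"""Classify a mail message against the Mytob.au subject and attachment name sets.

Added example (not F-Secure's code). Values below are taken from the description;
sample messages are constructed.
"""

# Subject lines the worm picks from (verbatim from the description).
SUBJECT_LINES = {
    "Notice: **Last Warning**",
    "Your email account access is restricted",
    "Your Email Account is Suspended For Security Reasons",
    "Notice:***Your email account will be suspended***",
    "Security measures",
    "Email Account Suspension",
    "*IMPORTANT* Please Validate Your Email Account",
    "*IMPORTANT* Your Account Has Been Locked",
}

# Attachment name keywords and extensions; stems compared case-insensitively (assumption).
ATTACHMENT_STEMS = {s.lower() for s in (
    "email-info", "email-text", "email-doc", "information",
    "your_details", "INFO", "IMPORTANT", "info-text",
)}
ATTACHMENT_EXTS = {"bat", "cmd", "exe", "scr", "pif"}


def is_worm_attachment_name(filename: str) -> bool:
    """True when the name is keyword.extension with both parts from the worm's sets."""
    stem, sep, ext = filename.rpartition(".")
    if not sep:
        return False  # no extension at all, cannot be a generated name
    return stem.lower() in ATTACHMENT_STEMS and ext.lower() in ATTACHMENT_EXTS


def classify_message(subject: str, attachments: list[str]) -> dict:
    """Return {'verdict': ..., 'reasons': [...]}.

    'block'      : an attachment carries the worm's keyword.extension naming
    'suspicious' : only the subject matches one of the templates
    'clean'      : neither matches
    """
    reasons = []
    if subject.strip() in SUBJECT_LINES:
        reasons.append(f"subject matches Mytob.au template: {subject.strip()!r}")
    bad = [a for a in attachments if is_worm_attachment_name(a)]
    for name in bad:
        reasons.append(f"attachment name matches Mytob.au pattern: {name}")
    if bad:
        verdict = "block"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample messages for the demonstration.
SAMPLE_MESSAGES = [
    ("Email Account Suspension", ["IMPORTANT.scr"]),
    ("Security measures", ["statement.pdf"]),
    ("Weekly report", ["email-doc.PIF"]),
    ("Lunch on Friday?", ["menu.txt"]),
]


def run_samples() -> list[str]:
    """Classify every constructed sample and return the verdicts in order."""
    return [classify_message(subj, atts)["verdict"] for subj, atts in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for (subj, atts), verdict in zip(SAMPLE_MESSAGES, run_samples()):
        print(f"{verdict:10s} subject={subj!r} attachments={atts}")
```

Subject matching is exact because the worm uses a fixed set of strings; an attachment match alone is enough for a block verdict since a double-matching executable name has no legitimate reason to arrive by mail.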

Bot functionality

The worm tries to connect to an IRC channel at a predefined address. An attacker who knows the channel password can instruct the bot to perform the following actions:

Request worm uptime
Request worm version
Shutdown worm
Download and execute files
Delete files
Update worm
 

Other details

Mytob.au tries to terminate processes with the following names:

regedit.exe
msconfig.exe
cmd.exe
taskmgr.exe
netstat.exe
zapro.exe
navw32.exe
navapw32.exe
zonealarm.exe
wincfg32.exe
PandaAVEngine.exe
 

It also modifies the system hosts file so that anti-virus vendors' database update sites cannot be reached. The following hostnames are redirected to the localhost IP address (127.0.0.1):

www.symantec.com
securityresponse.symantec.com
symantec.com
www.sophos.com
sophos.com
www.mcafee.com
mcafee.com
liveupdate.symantecliveupdate.com
www.viruslist.com
viruslist.com
f-secure.com
www.f-secure.com
kaspersky.com
kaspersky-labs.com
www.avp.com
www.kaspersky.com
avp.com
www.networkassociates.com
networkassociates.com
www.ca.com
ca.com
mast.mcafee.com
my-etrust.com
www.my-etrust.com
download.mcafee.com
dispatch.mcafee.com
secure.nai.com
nai.com
www.nai.com
update.symantec.com
updates.symantec.com
us.mcafee.com
liveupdate.symantec.com
customer.symantec.com
rads.mcafee.com
trendmicro.com
www.trendmicro.com
www.grisoft.com
www.microsoft.com
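Because the hostname list above is fixed, the hosts-file change is easy to check for and to undo during cleanup. The script below is an added example, not F-Secure's code: it parses hosts-file text, reports every entry that pins one of the listed vendor hostnames (to 127.0.0.1 or any other address, since a hosts file has no legitimate reason to override these), and returns a cleaned copy with only those lines removed. The sample hosts content is constructed; the default file path is the usual Windows location and is an assumption about the machine being checked.

```python
"""Find and remove the anti-virus update-site redirections Mytob.au adds to the hosts file.

Added example (not F-Secure's code). Hostnames are taken from the description;
the sample hosts content is constructed.
"""
import sys
from pathlib import Path

# Hostnames the description lists as redirected to 127.0.0.1.
REDIRECTED_HOSTS = frozenset("""
www.symantec.com securityresponse.symantec.com symantec.com www.sophos.com
sophos.com www.mcafee.com mcafee.com liveupdate.symantecliveupdate.com
www.viruslist.com viruslist.com f-secure.com www.f-secure.com kaspersky.com
kaspersky-labs.com www.avp.com www.kaspersky.com avp.com
www.networkassociates.com networkassociates.com www.ca.com ca.com
mast.mcafee.com my-etrust.com www.my-etrust.com download.mcafee.com
dispatch.mcafee.com secure.nai.com nai.com www.nai.com update.symantec.com
updates.symantec.com us.mcafee.com liveupdate.symantec.com
customer.symantec.com rads.mcafee.com trendmicro.com www.trendmicro.com
www.grisoft.com www.microsoft.com
""".split())

# Usual location on Windows; an assumption about the machine being checked.
DEFAULT_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text: str):
    """Yield (line_number, ip, [hostnames]) for each non-comment, non-empty entry."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        yield lineno, fields[0], fields[1:]


def find_redirections(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, ip, hostname) for every listed vendor host pinned in the file."""
    hits = []
    for lineno, ip, names in parse_hosts(text):
        for name in names:
            if name.lower() in REDIRECTED_HOSTS:
                hits.append((lineno, ip, name.lower()))
    return hits


def clean_hosts(text: str) -> str:
    """Return the hosts text with every line pinning a listed vendor host removed.

    Comments, blank lines and unrelated entries (including '127.0.0.1 localhost') are kept.
    """
    kept = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        names = line.split()[1:] if line else []
        if any(n.lower() in REDIRECTED_HOSTS for n in names):
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


# Constructed sample hosts file: a normal localhost entry, three worm-added lines
# and one unrelated local entry that must survive cleanup.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com update.symantec.com
127.0.0.1 www.f-secure.com   # added by worm
10.0.0.5  intranet.example   # unrelated local entry
"""


if __name__ == "__main__":
    # With no argument the constructed sample is checked; pass a path to check a real file.
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_HOSTS
    hits = find_redirections(text)
    for lineno, ip, host in hits:
        print(f"line {lineno}: {host} pinned to {ip}")
    if not hits:
        print("no listed vendor hosts are pinned")
    else:
        print("--- cleaned hosts ---")
        print(clean_hosts(text), end="")
```

Writing the cleaned content back requires administrative rights on Windows; the script only prints it so the result can be reviewed first.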