Classification

Category :

Malware

Type :

-

Aliases :

Mytob.bd, Net-Worm.Win32.Mytob.bd, W32/Mytob.bd@mm

Summary

The Mytob.bd worm-backdoor appeared at the very end of May 2005. It sends emails containing a URL to a website that hosts an infected file, and it also contains an IRC-controlled backdoor.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The worm is a PE executable file 26541 bytes long, packed with a new version of Unpack file compressor.

Installation to system

When run, the worm creates a mutex with the name 'H-B-O-T-H-T-M-L-TEST'. Then it copies itself as TEST3.EXE to the Windows System folder and creates a startup key for this file in the Registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"WINDOWS SYSTEM" = "test3.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WINDOWS SYSTEM" = "test3.exe"

The worm also modifies the following key value:

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start" = dword:00000004

The worm has the capability to restore its file and startup keys in the Registry if they are modified or deleted.
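As an added example (not part of the F-Secure write-up), the following Python script parses a `reg export` dump and flags the two registry changes described above: the "WINDOWS SYSTEM" startup value pointing at test3.exe and the SharedAccess service being set to Start=4 (disabled). The sample export is constructed to resemble an infected host.

```python
# Registry indicators from the description above (compared case-insensitively)
STARTUP_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
)
SHAREDACCESS_KEY = r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"

def parse_reg_export(text):
    """Parse 'reg export' output into {key_path_lower: {value_name_lower: raw_value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            if current.startswith("hklm\\"):          # accept the abbreviated hive name too
                current = "hkey_local_machine" + current[4:]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"').lower()] = value.strip().strip('"')
    return keys

def find_mytob_indicators(reg_text):
    """Return human-readable findings for the Mytob.bd registry changes ([] if clean)."""
    reg = parse_reg_export(reg_text)
    findings = []
    for key in STARTUP_KEYS:
        val = reg.get(key, {}).get("windows system", "")
        if val.lower().endswith("test3.exe"):
            findings.append(f"startup value 'WINDOWS SYSTEM' -> {val} under {key}")
    if reg.get(SHAREDACCESS_KEY, {}).get("start", "").lower() == "dword:00000004":
        findings.append("SharedAccess (Windows Firewall/ICS) service disabled: Start=4")
    return findings

# Constructed sample export resembling an infected host (not a real capture)
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WINDOWS SYSTEM"="test3.exe"
"Harmless"="C:\Program Files\Vendor\app.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""

if __name__ == "__main__":
    for finding in find_mytob_indicators(SAMPLE_EXPORT):
        print("[!]", finding)
```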

Spreading in emails

To get the victims' email addresses, the worm reads the user's Address Book and also scans files with the following extensions on all hard disks and RAM drives:

txt
htm
sht
jsp
cgi
xml
php
asp
dbx
tbb
adb
pl
wab

The worm scans Internet Explorer cache folders and Windows System folder. The worm ignores email addresses with any of the following substrings:

avp
syma
icrosof
msn.
hotmail
panda
sopho
borlan
inpris
example
mydomai
nodomai
ruslis
.gov
gov.
.mil
foo.
berkeley
unix
math
bsd
mit.e
gnu
fsf.
ibm.com
google
kernel
linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
ripe.
isi.e
isc.o
secur
acketst
pgp
tanford.e
utgers.ed
mozilla
root
info
samples
postmaster
webmaster
noone
nobody
nothing
anyone
someone
your
you
me
bugs
rating
site
contact
soft
no
somebody
privacy
service
help
not
submit
feste
ca
gold-certs
the.bat
page
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
google
accoun
spm
spam

The worm sends email messages with different subjects. Here's the list of subject texts that the worm uses:

Notice: **Last Warning**
*IMPORTANT* Please Validate Your Account
Account Alert
Important Notification
*IMPORTANT* Please Confirm Your Account
Security measures
Notice of account limitation

The body text of the email messages sent by the worm is static:

Dear Valued Member, According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons Thank you for your attention to this question. We apologize for any inconvenience. Sincerely, Security Department Assistant.

where <domain_name> is the recipient's email account domain name.

It should be noted that the email is composed in HTML format and it contains a URL that looks like that:

http://www.<domain_name>/confirm.php?email=<recipients_email>

where <domain_name> is the recipient's email account domain name and <recipients_email> is the recipient's email address. Here's an example:

Dear Valued Member, According to our site policy you will have to confirm your
account by the following link or else your account will be
suspended within 24 hours for security reasons
Thank you for your attention to this question. We apologize for
any inconvenience.
Sincerely, Security Department Assistant.

But the URL actually points to a website with the IP address 62.193.220.183, which is expected to host an infected file. However, this website is already down, so we cannot check the name of the infected file or how it is delivered to a recipient who clicks on the URL.
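As an added example (not code from the F-Secure write-up), the following Python function checks a mail message for the lure described above: a subject from the worm's list, a link whose visible text shows the recipient's own domain while the href points elsewhere, and an href whose host is a bare IP address. The sample message is constructed and uses a documentation IP rather than the address named in the write-up.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Subject lines listed in the description above
MYTOB_SUBJECTS = {
    "Notice: **Last Warning**", "*IMPORTANT* Please Validate Your Account",
    "Account Alert", "Important Notification", "Security measures",
    "*IMPORTANT* Please Confirm Your Account", "Notice of account limitation",
}
# href and inner text of each <a ...> element (good enough for mail bodies)
ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(url):
    """Lower-cased hostname; link text without a scheme is treated as http."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def is_ip(host):
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True

def extract_links(html_body):
    """Return [(href, visible_text)] with any nested tags stripped from the text."""
    return [(href, re.sub(r"<[^>]+>", "", text).strip())
            for href, text in ANCHOR_RE.findall(html_body)]

def check_message(subject, html_body):
    """Return the reasons a message matches the Mytob.bd lure ([] if none)."""
    reasons = []
    if subject.strip() in MYTOB_SUBJECTS:
        reasons.append("subject matches a Mytob.bd template")
    for href, text in extract_links(html_body):
        href_host = host_of(href)
        # Only compare hosts when the anchor text itself looks like a URL
        text_host = host_of(text) if text.startswith(("http://", "https://", "www.")) else ""
        if is_ip(href_host):
            reasons.append(f"link target is a bare IP address: {href_host}")
        if text_host and text_host != href_host:
            reasons.append(f"link text shows {text_host} but target is {href_host}")
    return reasons

# Constructed sample message (documentation IP, not the address in the write-up)
SAMPLE_SUBJECT = "Account Alert"
SAMPLE_BODY = ('<html><body>Dear Valued Member, please confirm your account: '
               '<a href="http://192.0.2.10/confirm.php?email=user@example.com">'
               'http://www.example.com/confirm.php?email=user@example.com</a></body></html>')
```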

The worm fakes the sender's email address. It is composed from the following user names:


and the recipient's email account domain name.

IRC-controlled Backdoor

When the worm is active it tries to connect to the following IRC server and channel:


If the connection is successful, the worm creates a bot in that channel. A hacker can send commands to a bot in order to control an infected computer. A hacker can do any of the following:

  • change IRC server
  • change channel mode
  • join specified channel
  • change bot's nick (randomly generated)
  • kick a user out of a channel
  • ping a user/server
  • set channel topic
  • exit from a channel
  • quit from IRC
  • get information about an infected system
  • download and run a file (update worm's file)
  • remove worm from a computer
  • send raw command
  • start mass-mailing
  • stop mass-mailing

Payload

When the worm is active in memory it looks for and terminates processes with the following names:


In addition, the worm modifies the HOSTS file to block access to the following websites:


The modified HOSTS file is detected as 'Trojan.Win32.Qhost.cd'.