Mytob.bd

Threat description

Details

Summary

The Mytob.bd worm-backdoor appeared at the very end of May 2005. It sends e-mails containing a URL to a website that hosts an infected file, and it also carries an IRC-controlled backdoor.

Removal

Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

The worm is a PE executable file, 26541 bytes long, packed with a new version of the Unpack file compressor.

Installation to system

When run, the worm creates a mutex named 'H-B-O-T-H-T-M-L-TEST'. It then copies itself as TEST3.EXE to the Windows System folder and creates a startup key for this file in the Registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"WINDOWS SYSTEM" = "test3.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WINDOWS SYSTEM" = "test3.exe"

The worm also modifies the following key value:

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start" = dword:00000004

The worm has the capability to restore its file and startup keys in the Registry if they are modified or deleted.
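The following is an added example, not F-Secure's code, that checks a Windows host for the installation indicators described above (the "WINDOWS SYSTEM" = "test3.exe" Run/RunServices values and the SharedAccess service set to Start=4, i.e. disabled). The evaluation logic is separated from the Registry read so it can be tested on a constructed snapshot; the function and variable names are this example's own.

```python
import sys

# Key paths (under HKLM) and values quoted in the description above.
RUN_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunServices",
)
SHAREDACCESS_KEY = r"SYSTEM\CurrentControlSet\Services\SharedAccess"
SERVICE_DISABLED = 4  # Start=4 is the SERVICE_DISABLED start type

def evaluate_snapshot(snapshot):
    """snapshot maps a key path to {value name: data}; returns the findings
    that match the Mytob.bd installation pattern (empty list = nothing found)."""
    findings = []
    for key in RUN_KEYS:
        for name, data in snapshot.get(key, {}).items():
            if name.lower() == "windows system" or "test3.exe" in str(data).lower():
                findings.append(f"{key}: \"{name}\" = \"{data}\"")
    if snapshot.get(SHAREDACCESS_KEY, {}).get("Start") == SERVICE_DISABLED:
        findings.append(f"{SHAREDACCESS_KEY}: Start=4 (Windows Firewall/ICS service disabled)")
    return findings

def read_snapshot():
    """Read the relevant keys from the live Registry; Windows only."""
    import winreg  # standard library on Windows
    snapshot = {}
    for key in RUN_KEYS + (SHAREDACCESS_KEY,):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                values, index = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(handle, index)
                    except OSError:  # no more values under this key
                        break
                    values[name] = data
                    index += 1
                snapshot[key] = values
        except OSError:  # key absent (RunServices is missing on most systems)
            continue
    return snapshot

if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("Run this on the Windows host being checked.")
    hits = evaluate_snapshot(read_snapshot())
    print("\n".join(hits) if hits else "No Mytob.bd installation indicators found.")
```

Because the worm restores its file and startup keys while it is running, a positive finding should be followed by terminating the process before cleaning the Registry.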

Spreading in e-mails

To collect victims' e-mail addresses, the worm reads the user's Address Book and also scans files with the following extensions on all hard disks and RAM drives:

txt
htm
sht
jsp
cgi
xml
php
asp
dbx
tbb
adb
pl
wab

The worm also scans the Internet Explorer cache folders and the Windows System folder. It ignores e-mail addresses containing any of the following substrings:

avp
syma
icrosof
msn.
hotmail
panda
sopho
borlan
inpris
example
mydomai
nodomai
ruslis
.gov
gov.
.mil
foo.
berkeley
unix
math
bsd
mit.e
gnu
fsf.
ibm.com
google
kernel
linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
ripe.
isi.e
isc.o
secur
acketst
pgp
tanford.e
utgers.ed
mozilla
root
info
samples
postmaster
webmaster
noone
nobody
nothing
anyone
someone
your
you
me
bugs
rating
site
contact
soft
no
somebody
privacy
service
help
not
submit
feste
ca
gold-certs
the.bat
page
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
google
accoun
spm
spam

The worm sends e-mail messages with varying subjects, chosen from the following list:

Notice: **Last Warning**
*IMPORTANT* Please Validate Your Account
Account Alert
Important Notification
*IMPORTANT* Please Confirm Your Account
Security measures
Notice of account limitation

The body text of the e-mail messages sent by the worm is static:

Dear Valued Member, According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons Thank you for your attention to this question. We apologize for any inconvenience. Sincerely, Security Department Assistant.

where <domain_name> is the recipient's e-mail account domain name.

It should be noted that the e-mail is composed in HTML format and contains a URL that looks like this:

http://www./confirm.php?email= 			  

where <domain_name> is the recipient's e-mail account domain name and <recipients_email> is the recipient's e-mail address. Here's an example:

Dear Valued Member, According to our site policy you will have to confirm your
account by the following link or else your account will be
suspended within 24 hours for security reasons
Thank you for your attention to this question. We apologize for
any inconvenience.
Sincerely, Security Department Assistant.

In reality, however, the URL points to a website at the IP address 62.193.220.183 that is supposed to host an infected file. That website is already down, so we cannot check the name of the infected file or how it is delivered to a recipient who clicks on the URL.
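As an added example (not part of F-Secure's description), the following Python detector captures the lure pattern described above: a known subject line, and an HTML link whose visible text shows a www.&lt;domain&gt;/confirm.php URL while its href points at a bare IP address. The sample message in the test is constructed; the function names are this example's own.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

MYTOB_SUBJECTS = {  # subject lines quoted in the description above
    "Notice: **Last Warning**", "*IMPORTANT* Please Validate Your Account",
    "Account Alert", "Important Notification", "Security measures",
    "*IMPORTANT* Please Confirm Your Account", "Notice of account limitation",
}

class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(text):
    return (urlparse(text.strip()).hostname or "").lower()  # '' if not a URL
def _is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def lure_indicators(subject, html_body):
    """Return the reasons a message matches the Mytob.bd lure; [] if none."""
    reasons = []
    if subject.strip() in MYTOB_SUBJECTS:
        reasons.append("subject matches a known lure subject")
    parser = _Anchors()
    parser.feed(html_body)
    for href, text in parser.links:
        target, shown = _host(href), _host(text)
        # The lure shows a www.<domain>/confirm.php URL but points at a bare IP.
        if _is_ip_literal(target):
            reasons.append("link target is a raw IP address: " + target)
        if shown and shown != target:
            reasons.append(f"visible URL host {shown} differs from target {target}")
    return reasons
```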

The worm fakes the sender's e-mail address. It is composed from the following user names:


and the recipient's e-mail account domain name.

IRC-controlled Backdoor

When the worm is active it tries to connect to the following IRC server and channel:


If the connection succeeds, the worm joins that channel as a bot. An attacker can then send commands to the bot to control the infected computer, including any of the following:

  • change IRC server
  • change channel mode
  • join specified channel
  • change bot's nick (randomly generated)
  • kick a user out of a channel
  • ping a user/server
  • set channel topic
  • exit from a channel
  • quit from IRC
  • get information about an infected system
  • download and run a file (update worm's file)
  • remove worm from a computer
  • send raw command
  • start mass-mailing
  • stop mass-mailing

Payload

When the worm is active in memory it looks for and terminates processes with the following names:


In addition, the worm modifies the HOSTS file to block access to the following websites:


The modified HOSTS file is detected as 'Trojan.Win32.Qhost.cd'.

Detection

F-Secure Anti-Virus detects this worm with the following updates:

Detection Type: PC

Database: 2005-06-01_02
