Threat Description

Mytob.bf

Details

Aliases: Mytob.bf, Net-Worm.Win32.Mytob.bf, W32/Mytob.bf@mm
Category: Malware
Type: Worm
Platform: W32

Summary


The Mytob.bf worm-backdoor appeared at the end of May or the beginning of June 2005. It sends e-mails with an infected attachment and also contains an IRC-controlled backdoor. It is a close variant of the Mytob.bd worm.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.



Technical Details


The worm is a PE executable file, 62464 bytes long, packed with the UPX, PEncrypt and YodaProt file compressors.

Installation to system

When run, the worm creates a mutex named 'Lien-Van-de-Kelder'. It then copies itself to the Windows System folder as 'www.lienvandekelder.be.exe' and creates startup keys for this file in the Registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Lien Van de Kelder" = "www.lienvandekelder.be.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Lien Van de Kelder" = "www.lienvandekelder.be.exe"

The worm also modifies the following key value, which sets the SharedAccess service (Windows Firewall / Internet Connection Sharing) to disabled:

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start" = dword:00000004

The worm has the capability to restore its file and startup keys in the Registry if they are modified or deleted.
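The persistence artifacts above can be checked offline against a registry export. The following is an added example (not F-Secure's code or tooling): it parses a minimal `.reg` export and reports the Run/RunServices value and the disabled SharedAccess service; the sample export and the benign 'VTTimer' entry are constructed for illustration.

```python
# Artifacts listed in the description above, normalised to lower case.
WORM_VALUE_NAME = "lien van de kelder"
WORM_FILE = "www.lienvandekelder.be.exe"
RUN_KEYS = (
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runservices",
)
SHAREDACCESS_KEY = r"hklm\system\currentcontrolset\services\sharedaccess"

def _norm_key(key):
    """Abbreviate the hive as in the description (HKLM) and lower-case the path."""
    return key.replace("HKEY_LOCAL_MACHINE", "HKLM").lower()

def parse_reg_export(text):
    """Parse a minimal .reg export (as written by `reg export`) into {key: {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = _norm_key(line[1:-1])
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip('"').lower()] = data.strip().strip('"')
    return keys

def find_mytob_artifacts(reg):
    """Return one finding per Mytob.bf persistence indicator present in the export."""
    findings = []
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            if name == WORM_VALUE_NAME or WORM_FILE in data.lower():
                findings.append(f"{key}: {name} = {data}")
    if reg.get(SHAREDACCESS_KEY, {}).get("start") == "dword:00000004":
        findings.append(f"{SHAREDACCESS_KEY}: Start = 4 (service disabled)")
    return findings

# Constructed sample export: an infected host that also has a benign Run entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Lien Van de Kelder"="www.lienvandekelder.be.exe"
"VTTimer"="VTTimer.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Lien Van de Kelder"="www.lienvandekelder.be.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""
```

Running `find_mytob_artifacts(parse_reg_export(SAMPLE_REG))` yields three findings; the benign entry is not reported.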

Spreading in e-mails

To collect victims' e-mail addresses, the worm reads the user's Address Book and also scans files with the following extensions on all hard disks and RAM drives:

txt  htm  sht  jsp  cgi  xml  php  asp  dbx  tbb  adb  pl  wab   

The worm also scans the Internet Explorer cache folders and the Windows System folder. It ignores e-mail addresses containing any of the following substrings:

avp  syma  icrosof  msn.  hotmail  panda  sopho  borlan  inpris  example  mydomai  nodomai  ruslis  .gov  gov.  .mil  foo.  berkeley  unix  math  bsd  mit.e  gnu  fsf.  ibm.com  google  kernel  linux  fido  usenet  iana  ietf  rfc-ed  sendmail  arin.  ripe.  isi.e  isc.o  secur  acketst  pgp  tanford.e  utgers.ed  mozilla  root  info  samples  postmaster  webmaster  noone  nobody  nothing  anyone  someone  your  you  me  bugs  rating  site  contact  soft  no  somebody  privacy  service  help  not  submit  feste  ca  gold-certs  the.bat  page  admin  icrosoft  support  ntivi  unix  bsd  linux  listserv  certific  google  accoun  spm  spam   

The worm sends e-mail messages with varying subjects. The subjects it uses are:

Notice: **Last Warning**
*DETECTED* Online User Violation
Your Email Account is Suspended For Security Reasons
Account Alert
Important Notification
*WARNING* Your Email Account Will Be Closed
Security measures
Email Account Suspension
Notice of account limitation

The message body is either empty, filled with garbage, or one of the following texts:

The original message has been included as an attachment.

Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.

We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.

We attached some important information regarding your account. Please read the attached document and follow it's instructions.

The worm attaches itself to the infected message. The attachment is usually a ZIP archive with one of the following names:

email-info  email-doc  information  account-details  document  INFO  instructions  info-text  information   

The worm's file inside the ZIP archive has one of the above names and two extensions. The first extension is randomly selected from the following variants:

tmp  doc  htm  txt   

The second extension is randomly selected from the following variants:

pif  scr  exe  cmd  bat   

The worm forges the sender's e-mail address. It is composed of one of the following user names:

support  administrator  mail  service  admin  info  register  webmaster   

and the recipient's e-mail account domain name.
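A mail gateway can match the attachment and sender pattern just described without any signature. The following is an added example (not F-Secure's code): it checks the ZIP name, the double-extension name of the file inside the archive, and whether the sender is a role address at the recipient's own domain. It assumes the archive is named '<name>.zip'; the sample ZIP, its inert placeholder content and the 'corp.test' addresses are constructed for illustration.

```python
import io
import zipfile

# Naming fragments taken from the description above.
ATTACHMENT_BASES = {"email-info", "email-doc", "information", "account-details",
                    "document", "info", "instructions", "info-text"}
FIRST_EXT = {"tmp", "doc", "htm", "txt"}
SECOND_EXT = {"pif", "scr", "exe", "cmd", "bat"}
SPOOFED_LOCAL_PARTS = {"support", "administrator", "mail", "service", "admin",
                       "info", "register", "webmaster"}

def is_mytob_inner_name(name):
    """True for base.ext1.ext2 with each part drawn from the documented sets."""
    parts = name.lower().split(".")
    return (len(parts) == 3 and parts[0] in ATTACHMENT_BASES
            and parts[1] in FIRST_EXT and parts[2] in SECOND_EXT)

def sender_spoofs_recipient_domain(sender, recipient):
    """True for <role>@<recipient's own domain>, the forged From: pattern described."""
    s_local, _, s_dom = sender.lower().rpartition("@")
    _, _, r_dom = recipient.lower().rpartition("@")
    return bool(s_dom) and s_local in SPOOFED_LOCAL_PARTS and s_dom == r_dom

def score_mail(sender, recipient, zip_name, zip_bytes):
    """Reasons a gateway rule would quarantine the message (empty list = no match)."""
    reasons = []
    base, _, ext = zip_name.lower().rpartition(".")
    if ext == "zip" and base in ATTACHMENT_BASES:  # assumes the archive is "<name>.zip"
        reasons.append(f"attachment name {zip_name!r} is on the worm's list")
    try:
        names = zipfile.ZipFile(io.BytesIO(zip_bytes)).namelist()
    except zipfile.BadZipFile:
        names = []  # not a ZIP at all; the other indicators still apply
    reasons += [f"double-extension executable {n!r} inside the ZIP"
                for n in names if is_mytob_inner_name(n)]
    if sender_spoofs_recipient_domain(sender, recipient):
        reasons.append(f"sender {sender!r} forged from the recipient's own domain")
    return reasons

def build_sample_zip(inner_name):
    """Constructed stand-in for the attachment: a ZIP holding an inert text placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "placeholder text, not executable content")
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_zip("account-details.txt.scr")
    for r in score_mail("admin@corp.test", "alice@corp.test", "document.zip", sample):
        print("FLAG:", r)
```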

IRC-controlled Backdoor

When the worm is active it tries to connect to the following IRC server and channel:

irc.blackcarder.net  #Lien   

If the connection succeeds, the worm joins the channel as a bot. The attacker can then send commands to the bot to control the infected computer, including any of the following:

  • change IRC server
  • change channel mode
  • join specified channel
  • change bot's nick (randomly generated)
  • kick a user out of a channel
  • ping a user/server
  • set channel topic
  • exit from a channel
  • quit from IRC
  • get information about an infected system
  • download and run a file (update worm's file)
  • remove worm from a computer
  • send raw command
  • start mass-mailing
  • stop mass-mailing

Payload

When the worm is active in memory, it looks for and terminates several hundred processes by name, mostly those of anti-virus products, personal firewalls and system-monitoring or debugging tools.


In addition, the worm modifies the HOSTS file to block access to the websites of security vendors (including their update and download servers) and to several other sites.


The modified HOSTS file is detected as 'Trojan.Win32.Qhost.cb'.



Detection


F-Secure Anti-Virus detects this worm with the following updates:

Detection Type: PC
Database: 2005-06-06_01



Technical Details: Alexey Podrezov; June 9th, 2005

