Home > Threat descriptions >

Mytob.do

Classification

Category: Malware

Type: -

Aliases: Mytob.do, Net-Worm.Win32.Mytob.do

Summary


The Mytob.do is a typical variant of Mytob. It combines the functionality of IRC bot and mass-mailing worm.

Removal


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


Installation to system

When run, the worm copies itself as 'dbg32.exe' to Windows System folder and creates the following registry startup keys:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Debugger" = "dbg32.exe"
 

The worm also modifies the following key value:

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
"Start" = dword:00000004
 

The worm drops and executes a file named 'syst.exe' to Windows System folder. This file is a trojan downloader detected as 'Trojan-Downloader.Win32.Monurl.gen'.

Spreading in emails

To get the victims' email addresses the worm reads user's Address Book and also scans files with the following extensions on all hard disks and RAM drives:

txt
htm
sht
jsp
cgi
xml
php
asp
dbx
tbb
adb
wab
 

The worm ignores email addresses with any of the following substrings:

abuse
accoun
acketst
admin
anyone
arin.
avp
be_loyal:
berkeley
borlan
bsd
bugs
certific
example
fcnz
fido
foo.
fsf.
gnu
google
.gov
gov.
hotmail
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
listserv
math
.mil
mit.e
mozilla
msn.
mydomai
nobody
nodomai
noone
nothing
ntivi
panda
pgp
postmaster
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
site
someone
sopho
spm
support
syma
tanford.e
unix
usenet
utgers.ed
webmaster
www
you
your
contact
soft
somebody
privacy
service
help
not
submit
feste
gold-certs
the.bat
page
support
administrator
mail
service
admin
info
register
webmaster
 

The worm sends email messages with different subjects. Here's the list of subject texts that the worm uses:

Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
 

The body text of the email messages is one of the following:

Dear user , You have successfully updated the password of your  account. If you did not authorize this change or if you need assistance with your  account, please contact  customer service at:  Thank you for using !  The  Support Team   +++ Attachment: No Virus (Clean)     +++  Antivirus - www.  Dear user , It has come to our attention that your  User Profile ( x ) records are  out of date. For further details see the attached document.  Thank you for using !  The  Support Team  +++ Attachment: No Virus (Clean)    +++  Antivirus - www.  Dear  Member,  We have temporarily suspended your email account .  This might be due to either of the following reasons:  1. A recent change in your personal information (i.e. change of address).  2. Submiting invalid information during the initial sign up process.  3. An innability to accurately verify your selected option of subscription due  to an internal error within our processors.  See the details to reactivate your  account.  Sincerely,The  Support Team  +++ Attachment: No Virus (Clean)    +++  Antivirus - www.  Dear  Member,  Your email account was used to send a huge amount of unsolicited spam messages  during the recent week. If you could please take 5-10 minutes out of your  online experience and confirm the attached document so you will not run into  any future problems with the online service.  If you choose to ignore our request, you leave us no choice but to cancel your  membership.  Virtually yours,  The  Support Team  +++ Attachment: No Virus found    +++  Antivirus - www.   

Where <user> is the username and <domain> is the domain part of the email recipient.

The attachement filename is usually a ZIP file with one of following names:

Dear user , You have successfully updated the password of your
account. If you did not authorize this change or if you need assistance with your
account, please contact
customer service at:
Thank you for using !
The
Support Team
 +++ Attachment: No Virus (Clean)

 +++
Antivirus - www.
Dear user , It has come to our attention that your
User Profile ( x ) records are
out of date. For further details see the attached document.
Thank you for using !
The
Support Team
+++ Attachment: No Virus (Clean)

+++
Antivirus - www.
Dear
Member,
We have temporarily suspended your email account .
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due
to an internal error within our processors.
See the details to reactivate your
account.
Sincerely,The
Support Team
+++ Attachment: No Virus (Clean)

+++
Antivirus - www.
Dear
Member,
Your email account was used to send a huge amount of unsolicited spam messages
during the recent week. If you could please take 5-10 minutes out of your
online experience and confirm the attached document so you will not run into
any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to cancel your
membership.
Virtually yours,
The
Support Team
+++ Attachment: No Virus found

+++
Antivirus - www.
 

The attached filename consists of one of the above keywords followed by extension 'doc', 'htm' or 'txt', a random amount of space characters and the final extension that can be one the following:

Dear user , You have successfully updated the password of your
account. If you did not authorize this change or if you need assistance with your
account, please contact
customer service at:
Thank you for using !
The
Support Team
 +++ Attachment: No Virus (Clean)

 +++
Antivirus - www.
Dear user , It has come to our attention that your
User Profile ( x ) records are
out of date. For further details see the attached document.
Thank you for using !
The
Support Team
+++ Attachment: No Virus (Clean)

+++
Antivirus - www.
Dear
Member,
We have temporarily suspended your email account .
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due
to an internal error within our processors.
See the details to reactivate your
account.
Sincerely,The
Support Team
+++ Attachment: No Virus (Clean)

+++
Antivirus - www.
Dear
Member,
Your email account was used to send a huge amount of unsolicited spam messages
during the recent week. If you could please take 5-10 minutes out of your
online experience and confirm the attached document so you will not run into
any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to cancel your
membership.
Virtually yours,
The
Support Team
+++ Attachment: No Virus found

+++
Antivirus - www.
 

For example, the filename can be 'account-report.txt<multiple spaces>.scr'.

IRC-controlled Backdoor

When the worm is active it tries to connect to the following IRC server and channel:

Dear user , You have successfully updated the password of your
account. If you did not authorize this change or if you need assistance with your
account, please contact
customer service at:
Thank you for using !
The
Support Team
 +++ Attachment: No Virus (Clean)

 +++
Antivirus - www.
Dear user , It has come to our attention that your
User Profile ( x ) records are
out of date. For further details see the attached document.
Thank you for using !
The
Support Team
+++ Attachment: No Virus (Clean)

+++
Antivirus - www.
Dear
Member,
We have temporarily suspended your email account .
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due
to an internal error within our processors.
See the details to reactivate your
account.
Sincerely,The
Support Team
+++ Attachment: No Virus (Clean)

+++
Antivirus - www.
Dear
Member,
Your email account was used to send a huge amount of unsolicited spam messages
during the recent week. If you could please take 5-10 minutes out of your
online experience and confirm the attached document so you will not run into
any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to cancel your
membership.
Virtually yours,
The
Support Team
+++ Attachment: No Virus found

+++
Antivirus - www.
 

If the connection is successful, the worm creates a bot in that channel. A hacker can send commands to a bot in order to control an infected computer. A hacker can do any of the following:

  • change IRC server
  • change channel mode
  • join specified channel
  • change bot's nick (randomly generated)
  • kick a user out of a channel
  • ping a user/server
  • set channel topic
  • exit from a channel
  • quit from IRC
  • get information about an infected system
  • download and run a file (update worm's file)
  • remove worm from a computer
  • send raw command
  • start mass-mailing
  • stop mass-mailing