Mytob.do

Threat description

Details

Summary

Mytob.do is a typical variant of Mytob. It combines the functionality of an IRC bot and a mass-mailing worm.

Removal

Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

Installation to system

When run, the worm copies itself as 'dbg32.exe' to the Windows System folder and creates the following registry startup keys:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Debugger" = "dbg32.exe"
 

The worm also modifies the following key value:

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start" = dword:00000004

The worm also drops and executes a file named 'syst.exe' in the Windows System folder. This file is a trojan downloader detected as 'Trojan-Downloader.Win32.Monurl.gen'.

Spreading in e-mails

To collect victims' e-mail addresses, the worm reads the user's Address Book and also scans files with the following extensions on all hard disks and RAM drives:

txt
htm
sht
jsp
cgi
xml
php
asp
dbx
tbb
adb
wab
 

The worm ignores e-mail addresses with any of the following substrings:

abuse
accoun
acketst
admin
anyone
arin.
avp
be_loyal:
berkeley
borlan
bsd
bugs
certific
example
fcnz
fido
foo.
fsf.
gnu
google
.gov
gov.
hotmail
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
listserv
math
.mil
mit.e
mozilla
msn.
mydomai
nobody
nodomai
noone
nothing
ntivi
panda
pgp
postmaster
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
site
someone
sopho
spm
support
syma
tanford.e
unix
usenet
utgers.ed
webmaster
www
you
your
contact
soft
somebody
privacy
service
help
not
submit
feste
gold-certs
the.bat
page
support
administrator
mail
service
admin
info
register
webmaster
 

The worm sends e-mail messages with different subjects. Here's the list of subject texts that the worm uses:

Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
 

The body text of the e-mail messages is one of the following:

Dear user , You have successfully updated the password of your
account. If you did not authorize this change or if you need assistance with your
account, please contact
customer service at:
Thank you for using !
The
Support Team
+++ Attachment: No Virus (Clean)
+++
Antivirus - www.

Dear user , It has come to our attention that your
User Profile ( x ) records are
out of date. For further details see the attached document.
Thank you for using !
The
Support Team
+++ Attachment: No Virus (Clean)
+++
Antivirus - www.

Dear
Member,
We have temporarily suspended your email account .
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due
to an internal error within our processors.
See the details to reactivate your
account.
Sincerely,The
Support Team
+++ Attachment: No Virus (Clean)
+++
Antivirus - www.

Dear
Member,
Your e-mail account was used to send a huge amount of unsolicited spam messages
during the recent week. If you could please take 5-10 minutes out of your
online experience and confirm the attached document so you will not run into
any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to cancel your
membership.
Virtually yours,
The
Support Team
+++ Attachment: No Virus found
+++
Antivirus - www.

Where <user> is the username and <domain> is the domain part of the e-mail recipient.

The attachment is usually a ZIP file with one of the following names:


The attached filename consists of one of the above keywords followed by the extension 'doc', 'htm' or 'txt', a random number of space characters and a final extension that can be one of the following:


For example, the filename can be 'account-report.txt<multiple spaces>.scr'.
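The space-padded double extension described above is the part of the attachment name a mail gateway can key on. The following detector is an added example, not F-Secure's code: it flags names of the form '<keyword>.txt<spaces>.scr' directly on an attachment and inside a ZIP attachment, and generalises to zero padding. The list of final executable extensions is an assumption (the page's own list did not survive extraction), as is the sample message, which is constructed here.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

DOC_EXTS = ("doc", "htm", "txt")
# Assumed set of final extensions; the page only shows '.scr' in its example.
EXEC_EXTS = ("scr", "exe", "pif", "bat", "cmd", "com")

# '<stem>.<doc ext><zero or more spaces>.<exec ext>', case-insensitive
_PADDED = re.compile(
    r"^(?P<stem>\S+?)\.(?P<doc>%s)(?P<pad> *)\.(?P<exec>%s)$"
    % ("|".join(DOC_EXTS), "|".join(EXEC_EXTS)), re.IGNORECASE)

PADDED_SAMPLE = "account-report.txt" + " " * 8 + ".scr"  # constructed


def classify_filename(name):
    """Return what the name looks like vs. what it really is, or None."""
    m = _PADDED.match(name)
    if m is None:
        return None
    return {"displayed_as": f"{m['stem']}.{m['doc']}",
            "real_extension": m["exec"].lower(),
            "padding_spaces": len(m["pad"])}


def scan_message(raw_bytes):
    """Return attachment names (and ZIP member names) that match the pattern."""
    hits = []
    for part in email.message_from_bytes(raw_bytes).walk():
        name = part.get_filename()
        if not name:
            continue
        if classify_filename(name):
            hits.append(name)
        if name.lower().endswith(".zip"):
            try:  # look inside the archive, where Mytob.do keeps the padded name
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    hits.extend(n for n in zf.namelist() if classify_filename(n))
            except zipfile.BadZipFile:
                pass
    return hits


def build_sample_message(member_name=PADDED_SAMPLE):
    """Constructed lure-style mail carrying a ZIP with one padded-name member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder bytes, not a real binary")
    msg = EmailMessage()
    msg["Subject"] = "Your Account is Suspended"  # a subject from the list above
    msg["From"], msg["To"] = "support@example.test", "user@example.test"
    msg.set_content("Dear Member, see the attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="account-report.zip")
    return msg.as_bytes()
```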

IRC-controlled Backdoor

When the worm is active it tries to connect to the following IRC server and channel:


If the connection is successful, the worm creates a bot in that channel. A hacker can send commands to the bot in order to control the infected computer. A hacker can do any of the following:

  • change IRC server
  • change channel mode
  • join specified channel
  • change bot's nick (randomly generated)
  • kick a user out of a channel
  • ping a user/server
  • set channel topic
  • exit from a channel
  • quit from IRC
  • get information about an infected system
  • download and run a file (update worm's file)
  • remove worm from a computer
  • send raw command
  • start mass-mailing
  • stop mass-mailing

Detection

F-Secure Anti-Virus detects this worm with the following updates:

Detection Type: PC

Database: 2005-11-24_04
