
Net-Worm.Win32.Mytob.t

Detected Aug 30 2005 08:48 GMT
Released Apr 17 2009 06:57 GMT
Published Aug 30 2005 08:48 GMT

Technical Details

This network worm infects computers running Windows. The worm itself is a Windows PE EXE file, written in Visual C++. The file may be packed with one of a range of packers, and the size of the infected file may therefore vary. The packed file is approximately 47KB or greater in size, and the unpacked file is approximately 150KB to 260KB in size.

The worm propagates via the LSASS vulnerability detailed in Microsoft Security Bulletin MS04-011 and the RPC DCOM vulnerability detailed in Microsoft Security Bulletin MS03-026.

The worm also spreads via the Internet as an attachment to infected messages. It is sent to email addresses harvested from the victim machine.

The worm contains a backdoor which receives commands via IRC channels.

Installation

Once launched, the worm copies itself to the Windows system directory as "taskgmr32.exe":

%System%\taskgmr32.exe

It also creates copies of itself in the C:\ root directory under the following names:

C:\funny_pic.scr
C:\my_photo2005.scr
C:\see_this!!.scr

The worm then registers itself in the system registry, ensuring that a copy of the worm is launched each time Windows is rebooted on the victim machine:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKCU\SYSTEM\CurrentControlSet\Control\Lsa]
[HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
[HKCU\Software\Microsoft\OLE]
[HKLM\Software\Microsoft\OLE]
"WINRUN" = "taskgmr32.exe"

The worm also creates a file called "hellmsn.exe", approximately 6KB in size, in the C:\ root directory. This file is detected by Kaspersky Anti-Virus as Net-Worm.Win32.Mytob.f.

The worm creates a unique identifier, "H-E-L-L-B-O-T", to flag its presence in the system.
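The following Python host check is an added example, not part of the Kaspersky description: it looks for the persistence value and dropped files named in this section, both in a registry snapshot (a plain dict, so it can be tested offline) and, on Windows, in the live registry. The snapshot format, the function names and the assumption that %System% is %SystemRoot%\System32 are this example's own.

```python
import ntpath, os

# Persistence keys, value name/image and dropped files from the Installation section above.
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKCU\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKCU\Software\Microsoft\OLE",
    r"HKLM\Software\Microsoft\OLE",
)
PERSIST_NAME, PERSIST_IMAGE = "WINRUN", "taskgmr32.exe"
DROPPED_FILES = (r"C:\funny_pic.scr", r"C:\my_photo2005.scr",
                 r"C:\see_this!!.scr", r"C:\hellmsn.exe")

def scan_run_values(snapshot):
    """snapshot: {key path: {value name: data}}. Flags the WINRUN value name or
    any value whose image file is taskgmr32.exe, whichever key it sits under."""
    hits = []
    for key, values in snapshot.items():
        for name, data in values.items():
            tokens = str(data).replace('"', "").split()
            image = ntpath.basename(tokens[0]).lower() if tokens else ""
            if name.upper() == PERSIST_NAME or image == PERSIST_IMAGE:
                hits.append((key, name, data))
    return hits

def scan_dropped_files(exists=os.path.exists):
    """exists(path) is injectable so the check can run against a mock or a live host."""
    system_dir = ntpath.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    candidates = list(DROPPED_FILES) + [ntpath.join(system_dir, PERSIST_IMAGE)]
    return [p for p in candidates if exists(p)]

def read_live_snapshot():
    """Collect the values under RUN_KEYS from the live registry (Windows only)."""
    import winreg
    roots = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    snapshot = {}
    for key in RUN_KEYS:
        root, _, subkey = key.partition("\\")
        try:
            with winreg.OpenKey(roots[root], subkey) as handle:
                count = winreg.QueryInfoKey(handle)[1]  # number of values
                snapshot[key] = {n: str(d) for n, d, _ in
                                 (winreg.EnumValue(handle, i) for i in range(count))}
        except OSError:
            continue  # key absent or access denied
    return snapshot
```

On a Windows host, `scan_run_values(read_live_snapshot())` and `scan_dropped_files()` together cover the indicators this section lists.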

Propagation via the Internet

The worm selects IP addresses to attack. If it detects that the remote machine has an unpatched LSASS or DCOM RPC vulnerability, it will launch itself on the remote machine.

Propagation via email

The worm harvests email addresses from the Windows address books and from files with the following extensions:

adb
asp
dbx
htm
php
pl
sht
tbb
wab

The worm does not harvest addresses which contain the following text strings:

.edu
.gov
.mil
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
gov.
help
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
listserv
math
me
mit.e
mozilla
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.e
the.bat
unix
usenet
utgers.ed
webmaster
you
your

The worm attempts to establish a direct connection to SMTP servers in order to send infected mails.

Infected messages

Sender (name chosen from the list below):

adam
alex
andrew
anna
bill
bob
brenda
brent
brian
britney
bush
claudia
dan
dave
david
debby
fred
george
helen
jack
james
jane
jerry
jim
jimmy
joe
john
jose
julie
kevin
leo
linda
lolita
madmax
maria
mary
matt
michael
mike
peter
ray
robert
sam
sandra
serg
smith
stan
steve
ted
tom

Message subject (chosen at random from the list below):

<empty>
Error
Good day
Hello
Mail Delivery System
Mail Transaction Failed
read it immediately
Server Report
Status
thanks!

Message body (chosen at random from the list below):

Mail transaction failed. Partial message is available.
The original message was included as an attachments.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Here are your banks documents.

Attachment name (chosen at random from the list below):

body
data
doc
document
file
message
readme
test
text

Attachments have a single or double extension, chosen from the list below:

bat
cmd
com
doc
exe
htm
tmp
txt
zip
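As an added example (not part of the Kaspersky description), the mail-gateway rule below scores a message against the subject, body and attachment vocabulary listed in this section. The scoring weights, the threshold and the sample messages are this example's own constructions; the worm picks each element at random, so no single field is conclusive on its own.

```python
# Lure vocabulary copied from the "Infected messages" section above.
SUBJECTS = {"", "error", "good day", "hello", "mail delivery system",
            "mail transaction failed", "read it immediately", "server report",
            "status", "thanks!"}
BODY_SNIPPETS = ("mail transaction failed", "partial message is available",
                 "included as an attachments", "sent as a binary attachment",
                 "here are your banks documents")
ATTACH_NAMES = {"body", "data", "doc", "document", "file", "message",
                "readme", "test", "text"}
ATTACH_EXTS = {"bat", "cmd", "com", "doc", "exe", "htm", "tmp", "txt", "zip"}
EXECUTABLE_EXTS = {"bat", "cmd", "com", "exe"}  # types Windows runs directly

def attachment_matches(filename: str) -> bool:
    """True for <name>.<ext> or <name>.<ext>.<ext> drawn from the lists above."""
    parts = filename.lower().split(".")
    if len(parts) not in (2, 3):
        return False
    return parts[0] in ATTACH_NAMES and all(p in ATTACH_EXTS for p in parts[1:])

def lure_score(subject: str, body: str, attachments) -> int:
    """Weighted indicator count: attachment shape counts double, lure text once each."""
    score = 0
    if subject.strip().lower() in SUBJECTS:
        score += 1
    if any(s in body.lower() for s in BODY_SNIPPETS):
        score += 1
    if any(attachment_matches(a) for a in attachments):
        score += 2
    # A matching name that ends in an executable type is the strongest signal.
    if any(attachment_matches(a) and a.lower().rsplit(".", 1)[-1] in EXECUTABLE_EXTS
           for a in attachments):
        score += 1
    return score

def is_mytob_lure(subject: str, body: str, attachments) -> bool:
    # "document.doc" alone is an ordinary file name; require lure text as well
    # (threshold is an assumption of this example) so normal mail is not flagged.
    return lure_score(subject, body, attachments) >= 3

# Constructed sample messages (subject, body, attachment names), not real captures.
SAMPLE_MESSAGES = [
    ("Mail Transaction Failed",
     "Mail transaction failed. Partial message is available.", ["message.zip"]),
    ("", "Here are your banks documents.", ["document.txt.exe"]),
    ("Quarterly report", "See attached.", ["document.doc"]),
]

def scan(messages):
    return [is_mytob_lure(*m) for m in messages]
```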

Remote administration

Net-Worm.Win32.Mytob.t opens TCP port 6667 on the victim machine in order to connect to IRC channels and receive commands. This gives a remote malicious user full access to the victim machine via IRC channels: the remote malicious user can access information on the infected machine, upload files, and launch or delete them.

Other

The worm modifies the "%System%\drivers\etc\hosts" file by appending the text below. This prevents the user from accessing the sites listed.

127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com
127.0.0.1       symantec.com
127.0.0.1       www.sophos.com
127.0.0.1       sophos.com
127.0.0.1       www.mcafee.com
127.0.0.1       mcafee.com
127.0.0.1       liveupdate.symantecliveupdate.com
127.0.0.1       www.viruslist.com
127.0.0.1       viruslist.com
127.0.0.1       viruslist.com
127.0.0.1       f-secure.com
127.0.0.1       www.f-secure.com
127.0.0.1       kaspersky.com
127.0.0.1       www.avp.com
127.0.0.1       www.kaspersky.com
127.0.0.1       avp.com
127.0.0.1       www.networkassociates.com
127.0.0.1       networkassociates.com
127.0.0.1       www.ca.com
127.0.0.1       ca.com
127.0.0.1       mast.mcafee.com
127.0.0.1       my-etrust.com
127.0.0.1       www.my-etrust.com
127.0.0.1       download.mcafee.com
127.0.0.1       dispatch.mcafee.com
127.0.0.1       secure.nai.com
127.0.0.1       nai.com
127.0.0.1       www.nai.com
127.0.0.1       update.symantec.com
127.0.0.1       updates.symantec.com
127.0.0.1       us.mcafee.com
127.0.0.1       liveupdate.symantec.com
127.0.0.1       customer.symantec.com
127.0.0.1       rads.mcafee.com
127.0.0.1       trendmicro.com
127.0.0.1       www.microsoft.com
127.0.0.1       www.trendmicro.com
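An added example, not part of the Kaspersky description: a Python check that parses a hosts file, flags any entry that overrides one of the security-vendor domains listed above (loopback mappings being the pattern this worm uses), and produces a cleaned copy for remediation. The sample hosts content is constructed for the example, and the %SystemRoot%-based path is an assumption.

```python
import ntpath, os

# Vendor domains from the hosts-file entries the worm appends (listed above).
VENDOR_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com", "microsoft.com",
)
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

def is_vendor_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)

def find_vendor_overrides(hosts_text: str):
    """Return (line_no, address, hostname, sinkholed) for every hosts entry that
    overrides a security-vendor name; any override is suspicious, loopback most so."""
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # strip comments, then tokenize
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        for name in names:
            if is_vendor_host(name):
                hits.append((line_no, addr, name, addr in SINKHOLE_ADDRS))
    return hits

def clean_hosts(hosts_text: str) -> str:
    """Return the hosts content with the flagged lines removed (remediation step)."""
    bad = {line_no for line_no, *_ in find_vendor_overrides(hosts_text)}
    kept = [l for i, l in enumerate(hosts_text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"

# Constructed sample hosts file, not a capture from an infected machine.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantecliveupdate.com
127.0.0.1       www.kaspersky.com
192.168.1.10    fileserver.corp.example   # legitimate internal entry
"""

def windows_hosts_path() -> str:
    # %System%\drivers\etc\hosts as named in the description above.
    system_dir = ntpath.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    return ntpath.join(system_dir, "drivers", "etc", "hosts")
```

On a live Windows host, read `windows_hosts_path()` and pass its contents to `find_vendor_overrides`; write back `clean_hosts(...)` only after the worm's files and persistence entries have been removed, or it will simply re-append them.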

Net-Worm

Net-Worms propagate via computer networks. The distinguishing feature of this type of worm is that it does not require user action in order to spread.

This type of worm usually searches for critical vulnerabilities in software running on networked computers. In order to infect the computers on the network, the worm sends a specially crafted network packet (called an exploit) and as a result the worm code (or part of the worm code) penetrates the victim computer and activates. Sometimes the network packet only contains the part of the worm code which will download and run a file containing the main worm module. Some network worms use several exploits simultaneously to spread, thus increasing the speed at which they find victims.



Aliases

Net-Worm.Win32.Mytob.t (Kaspersky Lab) is also known as:

  • Virus: W32/Mytob.gen@MM (McAfee)
  • W32/Mytob-E (Sophos)
  • Worm.Mytob-73 (ClamAV)
  • W32/Mytob.G.worm (Panda)
  • W32/Mytob.BI@mm (FPROT)
  • Worm:Win32/Mytob.W@mm (MS(OneCare))
  • Win32.HLLM.MyDoom.based (DrWeb)
  • Win32/Mytob.AJ worm (Nod32)
  • Win32.Worm.Mytob.T (BitDef7)
  • I-Worm.Mytob.AE (VirusBuster)
  • Win32:Mytob-SU [Wrm] (AVAST)
  • Net-Worm.Win32.Mytob (Ikarus)
  • I-Worm/Mytob.AI (AVG)
  • W32.Mytob.AP@mm (NAV)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • Worm.Mytob.nfz (Rising)
  • WORM_MYTOB.AO (TrendMicro)
  • I-Worm.Mytob.AE (VirusBusterBeta)