
Net-Worm.Win32.Mytob.w

Detected Jan 11 2006 12:33 GMT
Released Aug 10 2007 12:24 GMT
Published Jan 11 2006 12:33 GMT

Technical Details

This network worm infects computers running under Windows. The worm itself is a PE EXE file written in C++. The packed file is 49281 bytes in size, and the unpacked file is approximately 240KB in size.

The worm spreads via the LSASS vulnerability, detailed in Microsoft Security Bulletin MS04-011.

The worm also spreads via email as an attachment to infected messages, sending itself to addresses harvested from the victim computer.

The worm contains a backdoor which receives commands via IRC channels.

Installation

Once launched, the worm copies itself to the Windows system directory as XpFirewall.exe:

%System%\XpFirewall.exe

The worm also creates copies of itself in the C: root directory with the following names:

C:\funny_pic.scr
C:\my_photo2005.scr
C:\see_this!!.scr

The worm then registers itself in the system registry, writing the value shown below to each of the following keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKCU\SYSTEM\CurrentControlSet\Control\Lsa]
[HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
[HKCU\Software\Microsoft\OLE]
[HKLM\Software\Microsoft\OLE]
 "Windows Service XP"="XpFirewall.exe"

The worm also creates a file named hellmsn.exe (approximately 6KB in size) in the C: root directory. Kaspersky Anti-Virus detects this file as Net-Worm.Win32.Mytob.f.
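
The registry entries above are the most durable indicator of the installation, and on a compromised host they are usually triaged from a "reg export" rather than live. The following is an added example (not code from the original description): it parses the text of a .reg export, normalises the spelled-out hive names (HKEY_LOCAL_MACHINE) to the HKLM/HKCU form used above, and reports every value under one of the listed keys whose data names XpFirewall.exe. The export text at the bottom is constructed for the example; the value name "Windows Service XP" and the keys come from the description.

```python
"""Find Mytob.w-style autorun entries in a Windows registry export (.reg text).

Added example, not from the original description. Only string values of the
form "name"="data" are inspected; @= defaults and dword: values are skipped.
"""
import re

# Keys the description says the worm writes to (short hive names, lower-cased).
MYTOB_KEYS = {
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runservices",
    r"hkcu\system\currentcontrolset\control\lsa",
    r"hklm\system\currentcontrolset\control\lsa",
    r"hkcu\software\microsoft\ole",
    r"hklm\software\microsoft\ole",
}
HIVE_SHORT = {
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_USERS": "HKU",
    "HKEY_CLASSES_ROOT": "HKCR",
}
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def normalise_key(key):
    """Turn HKEY_LOCAL_MACHINE\\... into HKLM\\... so keys compare with the list above."""
    hive, sep, rest = key.partition("\\")
    return HIVE_SHORT.get(hive.upper(), hive.upper()) + sep + rest


def find_mytob_autoruns(reg_text, keys=MYTOB_KEYS, marker="xpfirewall.exe"):
    """Return (key, value_name, data) for string values under a watched key whose data mentions marker."""
    hits = []
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = normalise_key(line[1:-1])
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        if current.lower() in keys:
            data = m.group("data").replace("\\\\", "\\")  # .reg doubles backslashes
            if marker in data.lower():
                hits.append((current, m.group("name"), data))
    return hits


# Constructed export for the example: two worm entries among legitimate ones.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Windows Service XP"="XpFirewall.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Windows Service XP"="XpFirewall.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"""

if __name__ == "__main__":
    for key, name, data in find_mytob_autoruns(SAMPLE_EXPORT):
        print(f"{key}  {name} = {data}")
```

Matching on the data rather than the value name matters here: the value name is trivial for a variant to change, while a bare "XpFirewall.exe" (no path) also tells you the loader relies on the PATH search reaching %System%, which is consistent with the copy location given above.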

Propagation via the Internet

The worm selects IP addresses to attack. If it detects the LSASS or DCOM RPC vulnerability on a potential victim machine, it exploits it and launches a copy of itself on that machine.

Propagation via email

The worm harvests addresses from the MS Windows address books and from files with the following extensions:

adb
asp
dbx
htm
php
pl
sht
tbb
wab

The worm does not harvest addresses that contain any of the following text strings:

.gov
.mil
abuse
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bsd
bugs
ca
certific
contact
example
fcnz
feste
fido
foo.
fsf.
gnu
gold-certs
google
google
gov.
help
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
linux
listserv
math
me
mit.e
mozilla
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
secur
sendmail
service
site
soft
somebody
someone
sopho
spm
submit
support
syma
tanford.e
the.bat
unix
unix
usenet
utgers.ed
webmaster
www
you
your
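
Because the exclusion list is applied as a substring test, its effect on a given address book is not obvious from reading it. The following added example (not code from the original description) applies the list above to a set of constructed addresses and reports, for each address the worm would skip, which string caused the skip. It assumes a case-insensitive match over the whole address, which is how the description's "contain" reads; the worm's exact comparison routine is not documented on this page.

```python
"""Predict which harvested addresses Mytob.w would mail itself to.

Added example, not from the original description. The strings are those listed
above (duplicates dropped); the addresses are constructed for the example.
"""
SKIP_SUBSTRINGS = (
    ".gov", ".mil", "abuse", "accoun", "acketst", "admin", "anyone", "arin.",
    "avp", "berkeley", "borlan", "bsd", "bugs", "ca", "certific", "contact",
    "example", "fcnz", "feste", "fido", "foo.", "fsf.", "gnu", "gold-certs",
    "google", "gov.", "help", "iana", "ibm.com", "icrosof", "icrosoft", "ietf",
    "info", "inpris", "isc.o", "isi.e", "kernel", "linux", "listserv", "math",
    "me", "mit.e", "mozilla", "mydomai", "no", "nobody", "nodomai", "noone",
    "not", "nothing", "ntivi", "page", "panda", "pgp", "postmaster", "privacy",
    "rating", "rfc-ed", "ripe.", "root", "ruslis", "samples", "secur",
    "sendmail", "service", "site", "soft", "somebody", "someone", "sopho", "spm",
    "submit", "support", "syma", "tanford.e", "the.bat", "unix", "usenet",
    "utgers.ed", "webmaster", "www", "you", "your",
)


def skip_reason(address):
    """Return the first exclusion string found in address, or None if the worm would target it.

    Assumption: plain case-insensitive substring match over the whole address.
    """
    low = address.lower()
    for s in SKIP_SUBSTRINGS:
        if s in low:
            return s
    return None


def partition_targets(addresses):
    """Split addresses into (targeted, skipped); skipped holds (address, reason) pairs."""
    targeted, skipped = [], []
    for a in addresses:
        r = skip_reason(a)
        if r:
            skipped.append((a, r))
        else:
            targeted.append(a)
    return targeted, skipped


# Constructed address book for the example.
SAMPLE_ADDRESSES = [
    "jdoe@corp-mail.test",
    "billing@corp-mail.test",
    "james@corp-mail.test",
    "abuse@corp-mail.test",
    "sales@acme-widgets.test",
    "hr@northwind.test",
]

if __name__ == "__main__":
    targeted, skipped = partition_targets(SAMPLE_ADDRESSES)
    print("targeted:", targeted)
    for address, reason in skipped:
        print(f"skipped {address!r} (matched {reason!r})")
```

Run on the sample, only the first two addresses are targeted: "james" and "acme" both contain "me", and "northwind" contains "no". Under the substring assumption the two-letter entries ("ca", "me", "no") exclude far more than the vendor and abuse mailboxes the rest of the list is aimed at, which is worth remembering when estimating how much of an address book a host like this would have mailed.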

When sending infected emails the worm uses its own SMTP engine: it connects directly to the recipient's SMTP server rather than going through the mail client installed on the victim machine.

Infected messages

Sender address (contains one of the following names):

  • adam
  • alex
  • andrew
  • anna
  • bill
  • bob
  • bob
  • brenda
  • brent
  • brian
  • britney
  • bush
  • claudia
  • dan
  • dave
  • david
  • debby
  • fred
  • george
  • helen
  • jack
  • james
  • jane
  • jerry
  • jim
  • jimmy
  • joe
  • john
  • jose
  • julie
  • kevin
  • leo
  • linda
  • lolita
  • madmax
  • maria
  • mary
  • matt
  • michael
  • mike
  • peter
  • ray
  • robert
  • sam
  • sandra
  • serg
  • smith
  • stan
  • steve
  • ted
  • tom

Message subject (chosen at random from the list below):

  • <blank field>
  • Error
  • Good day
  • Hello
  • Mail Delivery System
  • Mail Transaction Failed
  • Server Report
  • Status

Message body (chosen at random from the list below):

  • Mail transaction failed. Partial message is available.
  • The original message was included as an attachments.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • Here are your banks documents.

Attachment name (chosen at random from the list below):

  • body
  • data
  • doc
  • document
  • file
  • message
  • readme
  • test
  • text

The attachment may have a single or a double extension, chosen from the list below:

  • bat
  • cmd
  • doc
  • exe
  • htm
  • pif
  • scr
  • tmp
  • txt
  • zip

Remote administration

Net-Worm.Win32.Mytob.w opens a TCP port on the victim machine and receives commands via IRC channels. This gives a remote malicious user full access to the victim machine via IRC: the user can access information and download, launch and delete files.

Other

The worm modifies the %System%\drivers\etc\hosts file by adding the lines below, which resolve each listed name to the local machine. This means that the sites listed, including the vendors' update servers, cannot be reached by name from the victim machine.

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
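
A hosts file that null-routes vendor domains survives a reboot and an antivirus reinstall, so it is worth checking independently of the binary indicators. The following added example (not code from the original description) parses hosts-file text, skipping comments and allowing several names per line, and reports every name on the list above, or any subdomain of one, that is mapped to a loopback address. The hosts content at the bottom is constructed for the example.

```python
"""Find hosts-file entries that null-route security-vendor domains.

Added example, not from the original description. The domain list is the set
of registrable domains appearing in the entries above; sample text is constructed.
"""
import ipaddress

BLOCKED_DOMAINS = {
    "symantec.com", "sophos.com", "mcafee.com", "symantecliveupdate.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com", "microsoft.com",
}


def name_and_parents(hostname):
    """Yield hostname and each parent domain, e.g. a.b.c -> a.b.c, b.c, c (lower-cased)."""
    parts = hostname.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        yield ".".join(parts[i:])


def find_hijacked_hosts(hosts_text, watch=BLOCKED_DOMAINS):
    """Return (hostname, address, line_no) for watched names mapped to a loopback address."""
    hits = []
    for n, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # not an address: malformed line
        if not addr.is_loopback:              # 127.0.0.0/8 and ::1
            continue
        for host in fields[1:]:
            if any(p in watch for p in name_and_parents(host)):
                hits.append((host.lower(), str(addr), n))
    return hits


# Constructed hosts file: stock entries, one legitimate internal mapping, three worm lines.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.10.5    intranet.corp.test   # legitimate internal entry
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.microsoft.com
"""

if __name__ == "__main__":
    for host, addr, line_no in find_hijacked_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {addr}")
```

Matching on parent domains rather than the exact strings above is deliberate: other variants in the family block different hostnames under the same domains, and a mapping of www.microsoft.com to loopback is itself notable because it cuts the victim off from the vendor's own patch download pages.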

Net-Worm

Net-Worms propagate via computer networks. The distinguishing feature of this type of worm is that it does not require user action in order to spread.

This type of worm usually searches for critical vulnerabilities in software running on networked computers. In order to infect the computers on the network, the worm sends a specially crafted network packet (called an exploit) and as a result the worm code (or part of the worm code) penetrates the victim computer and activates. Sometimes the network packet only contains the part of the worm code which will download and run a file containing the main worm module. Some network worms use several exploits simultaneously to spread, thus increasing the speed at which they find victims.


Aliases

Net-Worm.Win32.Mytob.w (Kaspersky Lab) is also known as:

  • Virus: W32/Generic.x (McAfee)
  • W32/MyDoom-Gen (Sophos)
  • Worm.Mytob.BP (ClamAV)
  • Malicious Packer (Panda)
  • W32/Mytob.du@MM (FPROT)
  • Worm:Win32/Mytob.FW@mm (MS(OneCare))
  • Win32.HLLM.MyDoom.based (DrWeb)
  • Win32/Mytob.BZ worm (Nod32)
  • Win32.Generic.495957 (BitDef7)
  • I-Worm.Mytob.CV (VirusBuster)
  • Win32:Mytob-CJ [Wrm] (AVAST)
  • Email-Worm.Win32.Mydoom.S (Ikarus)
  • I-Worm/Mytob.CQ (AVG)
  • WORM/Mytob.CT (AVIRA)
  • W32.Mytob.BZ@mm (NAV)
  • W32/Mytob.EP (Norman)
  • Worm.Win32.Mytob.ug (Rising)
  • Net-Worm.Win32.Mytob.w [AVP] (FSecure)
  • WORM_MYTOB.EA (TrendMicro)
  • I-Worm.Mytob.CV (VirusBusterBeta)