Net-Worm.Win32.Mytob.y

Technical Details

This network worm infects computers running under Windows. The worm itself is a PE EXE file written in Visual C++.

The file may be packed with a range of packers. This means that the size of the packed file may vary. The packed file is approximately 55KB or larger, and the unpacked file is 200KB or more in size.

The worm propagates via the LSASS vulnerability detailed in Microsoft Security Bulletin MS04-011.

The worm also spreads via the Internet as an attachment to infected emails. It sends itself to email addresses harvested from the victim computer.

The worm contains a backdoor component which receives commands via IRC channels.

Installation

Once launched, the worm copies itself to the Windows system directory as msmgrxp.exe:

%System%\msmgrxp.exe

The worm also creates copies itself in the C: root directory under the following names:

C:\funny_pic.scr
C:\my_photo2005.scr
C:\see_this!!.scr

The worm then registers itself in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKCU\SYSTEM\CurrentControlSet\Control\Lsa]
[HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
[HKCU\Software\Microsoft\OLE]
[HKLM\Software\Microsoft\OLE]
 "WINTASK"="msmgrxp.exe"

The worm also creates a file named hellmsn.exe (approximately 6KB in size) in the C: root directory. This file will be detected by Kaspersky Anti-Virus as Net-Worm.Win32.Mytob.f.

Propagation via the Internet

The worm selects IP addresses to attack. If it detects the LSASS vulnerability on a potential victim machine, it will launch its code on this machine.

Propagation via email

The worm harvests addresses from the MS Windows address books and from files with the following extensions:

adb
asp
dbx
htm
php
pl
sht
tbb
wab

It ignores addresses which contain the following strings:

.edu
.gov
.mil
abuse
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bugs
ca
certific
contact
example
fcnz
feste
fido
foo.
fsf.
gnu
gold-certs
google
gov.
help
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
listserv
math
me
mit.e
mozilla
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
spm
submit
support
syma
tanford.e
the.bat
unix
usenet
utgers.ed
webmaster
www
you
your

The worm establishes a direct connect to the recipient's SMTP server in order to send infected messages.

Infected messages

Sender (includes one of the following names):

• adam
• alex
• andrew
• anna
• bill
• bob
• brenda
• brent
• brian
• britney
• bush
• claudia
• dan
• dave
• david
• debby
• fred
• george
• helen
• jack
• james
• jane
• jerry
• jim
• jimmy
• joe
• john
• jose
• julie
• kevin
• leo
• linda
• lolita
• madmax
• maria
• mary
• matt
• michael
• mike
• peter
• ray
• robert
• sam
• sandra
• serg
• smith
• stan
• steve
• ted
• tom

Message subject (chosen from the list below):

• Error
• Good day
• Hello
• Mail Delivery System
• Mail Transaction Failed
• Server Report
• Status

Message body (chosen from the list below):

• Here are your banks documents.
• Mail transaction failed. Partial message is available.
• The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
• The message contains Unicode characters and has been sent as a binary attachment.
• The original message was included as an attachments.

Attachment name (chosen from the list below):

• body
• data
• doc
• document
• file
• message
• readme
• test
• text

The attachment may have a single or a double extension chosen from the list below:

• bat
• cmd
• doc
• exe
• htm
• pif
• scr
• tmp
• txt
• zip

Remote administration

Net-Worm.Win32.Mytob.y opens TCP port 6667 on the victim machine in order to receive commands via IRC channels. This gives a remote malicious user full access to the victim machine, and the ability to access information, download, launch and delete files.

Other

The worm modifies the %System%\drivers\etc\hosts file by adding the text listed below. This means that a user will not be able to use the victim machine to view these sites.

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com