
Net-Worm.Win32.Mytob.r

Detected Sep 06 2005 11:32 GMT
Released Jun 21 2007 15:07 GMT
Published Sep 06 2005 11:32 GMT

Technical Details

This network worm infects computers running Windows. The worm itself is a Windows PE EXE file, approximately 63KB in size, packed using UPX. The unpacked file is approximately 164KB in size; however, there are several modifications of this version of Mytob, some of which use different packers, so file sizes may vary.

The worm spreads via the Microsoft Windows LSASS vulnerability, which is described in Microsoft Security Bulletin MS04-011 and the Microsoft Windows DCOM RPC vulnerability, which is described in Microsoft Security Bulletin MS03-026.

The worm also spreads via the Internet as an attachment to infected messages. It sends itself to addresses harvested from the victim machine.

The worm is based on Email-Worm.Win32.Mydoom source code.

It contains a backdoor which receives commands via IRC channels.

Installation

Once launched, the worm copies itself to the Windows system directory as “msnmsgs.exe”:

%System%\msnmsgs.exe 

The worm also creates copies of itself in the C:\ root directory under the following names:

C:\funny pic.scr 
C:\photo album.scr 
C:\eminem vs 2pac.scr

The worm then creates a file called “hellmsn.exe” in the C:\ root directory:

C:\hellmsn.scr 

The worm then registers itself for autorun by writing the value below to each of the following system registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKCU\System\CurrentControlSet\Control\Lsa]
[HKLM\System\CurrentControlSet\Control\Lsa]
[HKCU\Software\Microsoft\OLE]
[HKLM\Software\Microsoft\OLE]
"MSN MESSENGER" = "msnmsgs.exe"

Propagation via the Internet

The worm selects IP addresses to attack and, if it detects that the LSASS or DCOM RPC vulnerability is unpatched on the potential victim machine, exploits it to execute the worm code on that machine.

Propagation via email

The worm harvests addresses by scanning the Windows address books and files with the extensions listed below:

adb 
asp 
dbx 
htm
php
pl 
sht 
tbb 
wab

It ignores addresses containing the following text strings:

.edu
.gov
.mil
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
gov.
help
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
listserv
math
me
mit.e
mozilla
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.e
the.bat
unix
usenet
utgers.ed
webmaster
you
your

The worm establishes a direct connection to the recipient's SMTP server to send infected messages.

Infected messages

Sender (includes one of the names listed below):

adam 
alex
andrew 
anna 
bill 
bob 
brenda 
brent 
brian 
britney
bush
claudia 
dan 
dave 
david 
debby 
fred 
george 
helen 
jack 
james 
jane 
jerry 
jim 
jimmy 
joe 
john 
jose 
josh
julie 
kevin 
leo 
linda 
lolita
madmax
maria 
mary 
matt 
michael 
mike 
peter 
ray 
robert 
sam 
sandra
serg 
smith 
stan 
steve 
ted 
tom

Message subject (chosen at random from the list below):

Hello
Mail Delivery System
Mail Transaction Failed
read it immediately
Server Report
thanks!

Message body (chosen at random from the list below):

I have received your document. The corrected document is attached. 
Mail transaction failed. Partial message is available. 
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment. 
The message contains Unicode characters and has been sent as a binary attachment. 
The original message was included as an attachments. 

Attachment name (chosen at random from the list below):

body
data
doc
document
file
message
readme
test
text

The attachment may have a single or a double extension, chosen from the list below:

doc
exe
htm
pif
scr
tmp
txt
zip

Remote administration

Net-Worm.Win32.Mytob.r opens TCP port 6667 on the victim machine in order to connect to IRC channels and receive commands. This gives a remote malicious user full access to the victim machine via IRC, making it possible to retrieve information from the victim machine, download files, and launch or delete them.

Other

The worm modifies the "%System%\drivers\etc\hosts" file by appending entries that map the web sites of antivirus vendors and Microsoft to 127.0.0.1, which blocks access to those sites from the infected machine:

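A defender-side check for this kind of hosts-file tampering, added here as an illustration (not Kaspersky's own tooling): it parses hosts-file text and reports every hostname pinned to a loopback address that is not a legitimate local name. The sample hosts content is constructed; the vendor domains in it are ones this description says the worm appends.

```python
"""Flag hosts-file entries that sinkhole security-vendor domains to loopback.

Added illustration for this description, not Kaspersky's own code. SAMPLE_HOSTS
is constructed; the vendor domains in it are among those the description says
Mytob.r appends to %System%\\drivers\\etc\\hosts.
"""
import ipaddress

# Names that legitimately point at loopback and must not be flagged.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain",
                        "ip6-localhost", "ip6-loopback"}


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, surrounding space
        fields = line.split()                # tabs or runs of spaces both work
        if len(fields) < 2:
            continue                         # blank line or address with no names
        for name in fields[1:]:              # one line may list several names
            yield fields[0], name.lower()


def sinkholed_hosts(text: str) -> list:
    """Return hostnames mapped to a loopback address that are not local names.

    An antivirus vendor domain pinned to 127.0.0.1 matches the tampering
    described for Mytob.r: it blocks vendor web sites and signature updates.
    """
    hits = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                         # malformed address field, skip it
        if addr.is_loopback and name not in LEGIT_LOOPBACK_NAMES:
            hits.append(name)
    return hits


# Constructed sample: a normal hosts file with three Mytob-style lines appended.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1   www.symantec.com
127.0.0.1   kaspersky.com
127.0.0.1   www.mcafee.com   # appended by the worm
"""

if __name__ == "__main__":
    for host in sinkholed_hosts(SAMPLE_HOSTS):
        print("sinkholed:", host)
```

On a live Windows host the same function can be fed the contents of %System%\drivers\etc\hosts; any vendor or update domain it returns is a strong indicator of this family's tampering.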

Net-Worm

Net-Worms propagate via computer networks. The distinguishing feature of this type of worm is that it does not require user action in order to spread.

This type of worm usually searches for critical vulnerabilities in software running on networked computers. In order to infect the computers on the network, the worm sends a specially crafted network packet (called an exploit) and as a result the worm code (or part of the worm code) penetrates the victim computer and activates. Sometimes the network packet only contains the part of the worm code which will download and run a file containing the main worm module. Some network worms use several exploits simultaneously to spread, thus increasing the speed at which they find victims.


Aliases

Net-Worm.Win32.Mytob.r (Kaspersky Lab) is also known as:

  • Virus: W32/Mytob.gen@MM (McAfee)
  • W32/Mytob-Q (Sophos)
  • Worm.Mytob.Crypt.Gen (ClamAV)
  • W32/Mytob.V.worm (Panda)
  • W32/Mytob.AC@mm (FPROT)
  • Worm:Win32/Mytob.T@mm (MS(OneCare))
  • Win32.HLLM.MyDoom.based (DrWeb)
  • Win32/Mytob.S worm (Nod32)
  • Win32.Generic.494625 (BitDef7)
  • I-Worm.Mytob.Y (VirusBuster)
  • Win32:Zafi-L [Wrm] (AVAST)
  • Net-Worm.Win32.Mytob (Ikarus)
  • I-Worm/Mytob.X (AVG)
  • WORM/Mytob.Y.2 (AVIRA)
  • W32.Mytob.AA@mm (NAV)
  • Mytob.X (Norman)
  • W32/Mytob.r@MM (NAI)
  • WORM_MYTOB.Y (PCCIL)
  • I-Worm.Mytob.Y (VirusBusterBeta)