Net-Worm.Win32.Mytob.u
Other versions: .a, .be, .bi, .bk, .bt, .c, .cf, .ch, .dc, .eg, .r, .t, .v, .w, .x, .y
Net-Worm.Win32.Mytob.u (Kaspersky Lab) is also known as:
W32/Mydoom.gen@MM (McAfee), W32.Mytob.AG@mm (Symantec), Win32.HLLM.MyDoom.37 (Doctor Web), W32/MyDoom-AJ (Sophos), Win32/Mytob.Q@mm (RAV), WORM_MYDOOM.GEN (Trend Micro), Worm/Zusha.A (H+BEDV), W32/Mytob.AJ@mm (FRISK), Win32.Worm.Mytob.AF (SOFTWIN), Worm.Mytob.AS (ClamAV), W32/Mytob.AA.worm (Panda), Win32/Mytob.Y (Eset)
Detection added: Apr 11 2005
Description added: Jun 27 2005
Behavior: Net-Worm
This network worm infects computers running Windows. It propagates via the
LSASS vulnerability, details of which can be found here.
The worm also propagates via the Internet as an attachment to infected emails.
It sends itself to all email addresses harvested from the victim machine.
In terms of functionality, this version is almost identical to Net-Worm.Win32.Mytob.a,
differing from it only in the following ways:
Mytob.u is approximately 45KB in size, packed using UPack. The unpacked file
is approximately 233KB in size.
Instead of creating a file named %System%\msnmsgr.exe, Mytob.u creates a file
named %System%\mathchk.exe
The worm also creates the following files in the root of drive C:\
C:\pic.scr
C:\see_this!.pif
C:\my_picture.scr
All these files are copies of the worm.
The worm registers itself in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKCU\SYSTEM\CurrentControlSet\Control\Lsa]
[HKCU\Software\Microsoft\OLE]
[HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
[HKLM\Software\Microsoft\OLE]
"RealPlayer Ath Check" = "rnathchk.exe"
Mytob.u creates a mutex called "I_FUCK_DEAD_PPL" to tag its presence in the
system.
Net-Worm.Win32.Mytob.u opens a random TCP port on the victim machine in order
to establish a connection to one of the following IRC servers:
spm.slo-partija.info
spm.gobice.net
egwf.wegberobpk.info
This makes it possible for a malicious remote user to gain full access to
the system, to receive information harvested from the victim machine, and to
download, execute and delete arbitrary files via IRC channels.
The worm alters the "%System%\drivers\etc\hosts" file so that users of the
infected machine will be unable to access the following sites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
127.0.0.1 metalhead2005.info
127.0.0.1 irc.blackcarder.net
127.0.0.1 d66.myleftnut.info
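The hosts-file tampering described above is a change a defender can check for mechanically. The following Python is an added example, not code from Kaspersky's description: it parses hosts-file content and reports any security-vendor or update domain from the list above that has been pointed at a loopback or unspecified address. The sample hosts content is constructed for the demonstration.

```python
"""Flag hosts-file entries that blackhole security-vendor domains,
the technique Net-Worm.Win32.Mytob.u uses to block AV updates."""
import ipaddress
from typing import List, Tuple

# Vendor and update domains taken from the hosts entries in the description.
WATCHED_SUFFIXES = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com", "microsoft.com",
)

# Constructed sample hosts file (not a real capture): two benign lines,
# three vendor domains redirected to loopback, one ad-blocking entry.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1 localhost
192.168.1.10 fileserver.corp.example
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com   # worm-style entry
127.0.0.1 www.kaspersky.com
0.0.0.0 ads.example.net
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, ignoring comments and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address: skip rather than crash on odd lines
        entries.extend((parts[0], host.lower()) for host in parts[1:])
    return entries


def is_watched(host: str) -> bool:
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacked(text: str) -> List[str]:
    """Watched domains mapped to a loopback or unspecified (0.0.0.0) address."""
    hits = set()
    for addr, host in parse_hosts(text):
        ip = ipaddress.ip_address(addr)
        if is_watched(host) and (ip.is_loopback or ip.is_unspecified):
            hits.add(host)
    return sorted(hits)


if __name__ == "__main__":
    for h in find_hijacked(SAMPLE_HOSTS):
        print("hijacked:", h)
```

On a live system, feed the function the contents of %System%\drivers\etc\hosts; the benign localhost line is not reported because it is not a watched domain.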