Other versions: .a, .be, .bi, .bk, .bt, .c, .cf, .ch, .dc, .eg, .r, .t, .u, .w, .x, .y
Net-Worm.Win32.Mytob.v (Kaspersky Lab)
is also known as:
W32/Mydoom.gen@MM (McAfee), W32.Mytob.AN@mm (Symantec), Win32.HLLM.MyDoom.32 (Doctor Web), W32/Mytob-AA (Sophos), Win32/Mytob.X@mm (RAV), WORM_MYDOOM.GEN (Trend Micro), Worm/Mytob.BF (H+BEDV), W32/Mytob.AM@mm (FRISK), I-Worm/Mytob.AC (Grisoft), Win32.Worm.Mytob.V (SOFTWIN), Worm.Mytob.H-3 (ClamAV), W32/Mytob.AE.worm (Panda), Win32/Mytob.AI (Eset)
Detection added: Apr 08 2005 12:27 GMT
Description added: Feb 17 2006
Behavior: Net-Worm
This network worm infects computers running Windows. The worm itself is a
Windows PE EXE file, written in Visual C++.
The file may be packed with one of a range of packers; due to this, the size
of infected files may vary. Packed files are generally 55KB or larger in size,
and unpacked files are approximately 290KB or larger in size.
The worm propagates via the Microsoft Windows LSASS vulnerability, detailed
in Microsoft Security Bulletin MS04-011.
The worm also propagates via the Internet as an attachment to infected emails.
It sends itself to email addresses harvested from the victim computer.
The worm includes a backdoor, which receives commands via IRC channels.
Installation
Once launched, the worm copies itself to the Windows system directory as taskgmgr.exe:
%System%\taskgmgr.exe
The worm also creates copies of itself in the C:\ root directory under the
following names:
C:\funny_pic.scr
C:\my_photo2005.scr
C:\see_this!!.scr
The worm registers itself in the system registry:
[HKCU\Software\Microsoft\OLE]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\SYSTEM\CurrentControlSet\Control\Lsa]
[HKLM\Software\Microsoft\OLE]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
"WINMGR"="taskgmgr.exe"
The worm also creates a file approximately 6KB in size, called hellmsn.exe,
in the C:\ root directory. This file will be detected by Kaspersky Anti-Virus
as Net-Worm.Win32.Mytob.f.
The worm creates a unique identifier, "H-E-L-L-B-O-T" to flag its presence
in the system.
Propagation via the Internet
The worm selects IP addresses to attack. If it finds the unpatched LSASS
vulnerability on a potential victim system, it exploits it to launch the worm's
code on that machine.
Propagation via email
The worm harvests addresses from the MS Windows address books and also from
files with the following extensions:
adb
asp
dbx
htm
php
pl
sht
tbb
wab
The worm does not harvest addresses which contain the following strings:
.edu
.gov
.mil
abuse
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bugs
ca
certific
contact
example
fcnz
feste
fido
foo.
fsf.
gnu
gold-certs
google
gov.
help
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
listserv
math
me
mit.e
mozilla
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
spm
submit
support
syma
tanford.e
the.bat
unix
usenet
utgers.ed
webmaster
www
you
your
When sending infected messages, the worm establishes a direct connection to
the recipient's SMTP server.
Infected messages
Sender (includes one of the names listed below):
- adam
- alex
- andrew
- anna
- bill
- bob
- brenda
- brent
- brian
- britney
- bush
- claudia
- dan
- dave
- david
- debby
- fred
- george
- helen
- jack
- james
- jane
- jerry
- jim
- jimmy
- joe
- john
- jose
- julie
- kevin
- leo
- linda
- lolita
- madmax
- maria
- mary
- matt
- michael
- mike
- peter
- ray
- robert
- sam
- sandra
- serg
- smith
- stan
- steve
- ted
- tom
Message subject (chosen from the list below):
- Error
- Good day
- Hello
- Mail Delivery System
- Mail Transaction Failed
- Server Report
- Status
Message body (chosen from the list below):
- Here are your banks documents.
- Mail transaction failed. Partial message is available.
- The message cannot be represented in 7-bit ASCII encoding and has been sent
as a binary attachment.
- The message contains Unicode characters and has been sent as a binary attachment.
- The original message was included as an attachments.
Attachment name (chosen from the list below):
- body
- data
- doc
- document
- file
- message
- readme
- test
- text
The attachment may have a single or double extension, chosen from the list
below:
- bat
- cmd
- doc
- exe
- htm
- pif
- scr
- tmp
- txt
- zip
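A mail-gateway check built from the subject, body and attachment lists above, as an added example (not code from Kaspersky or from the worm). The verdict rules and the two sample messages are assumptions constructed for the example:

```python
"""Mail-gateway check for the Mytob.v message templates listed above."""
# Lists copied from the description; the matching rules below are an
# assumption about how a gateway would use them, not the worm's own code.
SUBJECTS = {"error", "good day", "hello", "mail delivery system",
            "mail transaction failed", "server report", "status"}
BODIES = {
    "here are your banks documents.",
    "mail transaction failed. partial message is available.",
    "the message cannot be represented in 7-bit ascii encoding "
    "and has been sent as a binary attachment.",
    "the message contains unicode characters and has been sent "
    "as a binary attachment.",
    "the original message was included as an attachments.",
}
NAMES = {"body", "data", "doc", "document", "file", "message",
         "readme", "test", "text"}
EXTS = {"bat", "cmd", "doc", "exe", "htm", "pif", "scr", "tmp", "txt", "zip"}
EXECUTABLE = {"bat", "cmd", "exe", "pif", "scr"}

def attachment_matches(filename: str) -> bool:
    """True for <name>.<ext> or <name>.<ext>.<ext> built from the lists,
    e.g. 'document.txt.scr' (the double extension hides the executable)."""
    parts = filename.lower().split(".")
    return (len(parts) in (2, 3) and parts[0] in NAMES
            and all(p in EXTS for p in parts[1:]))

def classify(subject: str, body: str, attachments: list[str]) -> tuple[str, list[str]]:
    """Return (verdict, reasons). Subjects such as 'Hello' or 'Status' are
    common in legitimate mail, so only a template attachment raises the
    verdict; a template subject or body on top of it means quarantine."""
    reasons = []
    if subject.strip().lower() in SUBJECTS:
        reasons.append("subject matches template")
    if " ".join(body.lower().split()) in BODIES:  # whitespace-insensitive
        reasons.append("body matches template")
    hits = [a for a in attachments if attachment_matches(a)]
    for a in hits:
        executable = a.lower().rsplit(".", 1)[-1] in EXECUTABLE
        reasons.append(f"attachment {a} matches template"
                       + (" and is executable" if executable else ""))
    if hits and len(reasons) > len(hits):
        return "quarantine", reasons
    return ("flag" if hits else "pass"), reasons

# Constructed sample messages, not real captures.
WORM_MSG = ("Mail Transaction Failed",
            "Mail transaction failed.  Partial message is available.",
            ["message.txt.scr"])
LEGIT_MSG = ("Hello", "See you at 3pm.", ["agenda.pdf"])
```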
Remote administration
The worm opens a random TCP port on the victim machine and connects to the
h3ll.m1rr0r.net or h3llz.m1rr0r.net IRC server to receive commands.
This gives a remote malicious user full access to the victim machine via IRC,
making it possible to read information on the infected system and to download,
launch and delete files.
Other
The worm modifies the %System%\drivers\etc\hosts file by appending the text
below. Because each of these sites is mapped to the local loopback address,
they can no longer be reached from the infected computer, which blocks access
to security vendors' update and support pages.
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
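A check for this hosts-file tampering, as an added example (not code from Kaspersky or the page). The vendor domain list is derived from the entries above; the sample hosts file is constructed for the example:

```python
"""Check a Windows hosts file for the vendor-site sinkholing described above."""
import re

# Registrable domains from the list the worm appends; any host under them
# counts as a security-vendor host.
VENDOR_DOMAINS = {
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com", "microsoft.com",
}
# Loopback/unspecified targets: any of these blackholes the name.
LOOPBACK = re.compile(r"^(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|0\.0\.0\.0|::1)$")

def is_vendor_host(hostname: str) -> bool:
    """True if hostname equals or is a subdomain of a listed vendor domain."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in VENDOR_DOMAINS)

def find_sinkholed(hosts_text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for every vendor host mapped to
    loopback. Comments are stripped, tabs and several names per line are
    handled, and the normal 'localhost' entry is not reported."""
    findings = []
    for no, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or not LOOPBACK.match(fields[0]):
            continue
        for name in fields[1:]:
            if is_vendor_host(name):
                findings.append((no, fields[0], name))
    return findings

# Constructed sample hosts file: a comment, the normal localhost line, three
# entries of the kind the worm appends (tab, mixed case, trailing comment),
# and an unrelated static entry that must not be reported.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1\tLiveUpdate.SymantecLiveUpdate.com update.symantec.com
127.0.0.1 www.kaspersky.com # appended by the worm
10.0.0.5 intranet.example.test
"""

if __name__ == "__main__":
    for no, ip, name in find_sinkholed(SAMPLE_HOSTS):
        print(f"hosts line {no}: {name} -> {ip}")
```

On a live system, read %SystemRoot%\System32\drivers\etc\hosts and pass its contents to find_sinkholed; any finding on a host that should not be blocked is worth investigating together with the taskgmgr.exe file and WINMGR registry value described above.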