Subscriptions | RSS Feeds | Discussions | Polls | Site Map


All Threats	Viruses	Hackers	Spam

Whole site

Viruses

If Your Computer Is Infected

Malware Description Search

Home / Viruses / Virus Encyclopedia / Malware Descriptions / Network Worms / Internet Worms

Net-Worm.Win32.Mytob.w

Other versions: .a, .be, .bi, .bk, .bt, .c, .cf, .ch, .dc, .eg, .r, .t, .u, .v, .x, .y

Aliases
Net-Worm.Win32.Mytob.w (Kaspersky Lab) is also known as: W32/Mydoom.gen@MM (McAfee), W32.Mytob.AG@mm (Symantec), Win32.HLLM.MyDoom.34 (Doctor Web), W32/Mytob-Y (Sophos), Win32/Mytob.Z@mm (RAV), WORM_MYDOOM.GEN (Trend Micro), Worm/Zusha.A (H+BEDV), W32/Mytob.AN@mm (FRISK), Win32.Worm.Mytob.W (SOFTWIN), Worm.Mytob.H-3 (ClamAV), W32/Mytob.AE.worm (Panda), Win32/Mytob.AF (Eset)

Detection added Apr 09 2005 23:12 GMT

Description added Jan 12 2006

Behavior Net-Worm

Technical details

This network worm infects computers running under Windows. The worm itself is a PE EXE file written in C++. The packed file is 49281 bytes in size, and the unpacked file is approximately 240KB in size.

The worm spreads via the LSASS vulnerability, detailed in Microsoft Security Bulletin MS04-011.

The virus also spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim computer.

The worm contains a backdoor which receives commands via IRC channels.

Installation

Once launched, the worm copies itself to the Windows sytem directory as XpFirewall.exe:

%System%\XpFirewall.exe

The worm also creates copies of itself in the C: root directory with the following names:

C:\funny_pic.scr
C:\my_photo2005.scr
C:\see_this!!.scr

The worm then registers itself in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKCU\SYSTEM\CurrentControlSet\Control\Lsa]
[HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
[HKCU\Software\Microsoft\OLE]
[HKLM\Software\Microsoft\OLE]
 "Windows Service XP"="XpFirewall.exe"

The worm also creates a file named hellmsn.exe (which is approximately 6KB in size) in the C: root directory. This file will be detected by Kaspersky Anti-Virus as Net-Worm.Win32.Mytob.f.

Propagation via the Internet

The worm selects IP addresses to attack. If it detects the LSASS or DCOM RPC vulnerability on the potential victim machine, it launches itself on this machine.

Propagation via email

The worm harvests addresses from the MS Windows address books and from files with the following extensions:

adb
asp
dbx
htm
php
pl
sht
tbb
wab

The worm does not harvests addresses which contain the following text strings:

.gov
.mil
abuse
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bsd
bugs
ca
certific
contact
example
fcnz
feste
fido
foo.
fsf.
gnu
gold-certs
google
google
gov.
help
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
linux
listserv
math
me
mit.e
mozilla
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
secur
sendmail
service
site
soft
somebody
someone
sopho
spm
submit
support
syma
tanford.e
the.bat
unix
unix
usenet
utgers.ed
webmaster
www
you
your

When sending infected emails the worm establishes a direct connection to the recipient's SMTP server.

Infected messages

Sender (includes one of the following names):

adam
alex
andrew
anna
bill
bob
bob
brenda
brent
brian
britney
bush
claudia
dan
dave
david
debby
fred
george
helen
jack
james
jane
jerry
jim
jimmy
joe
john
jose
julie
kevin
leo
linda
lolita
madmax
maria
mary
matt
michael
mike
peter
ray
robert
sam
sandra
serg
smith
stan
steve
ted
tom

Message subject (chosen at random from the list below)

<blank field>
Error
Good day
Hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status

Message body (chosen at random from the list below):

Mail transaction failed. Partial message is available.
The original message was included as an attachments.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Here are your banks documents.

Attachment name (chosen at random from the list below)

body
data
doc
document
file
message
readme
test
text

The attachment may have a single or a double extension, chosen from the list below:

Remote administration

Net-Worm.Win32.Mytob.w opens TCP port on the victim machine to receive commands via IRC channels. This means that a remote malicious user has full access to the victim machine via IRC, making it possible to access information, download, launch and delete files.

Other

The worm modifies the %System%\drivers\etc\hosts files by adding the text below. This means that the sites listed cannot be accessed from the victim machine.

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com

Email: webmaster@viruslist.com

All Threats