Net-Worm.Win32.Mytob.y

Other versions: .a, .be, .bi, .bk, .bt, .c, .cf, .ch, .dc, .eg, .r, .t, .u, .v, .w, .x

Aliases
Net-Worm.Win32.Mytob.y (Kaspersky Lab) is also known as: Exploit-Lsass.g.gen (McAfee), W32.Mytob.AK@mm (Symantec), Win32.HLLM.MyDoom.33 (Doctor Web), W32/Mytob-Z (Sophos), Win32/Mytob.AE@mm (RAV), WORM_MYTOB.AK (Trend Micro), Worm/Mytob.AJ (H+BEDV), W32/Mytob.AV@mm (FRISK), I-Worm/Mytob.AG (Grisoft), Win32.Worm.Mytob.H (SOFTWIN), Worm.Mytob.H-3 (ClamAV), W32/Mytob.AJ.worm (Panda), Win32/Mytob.AA (Eset)
Detection added: Apr 09 2005 23:12 GMT
Description added: Jan 24 2006
Behavior: Net-Worm
Technical details

This network worm infects computers running Windows. The worm itself is a PE EXE file written in Visual C++.

The file may be packed with any of several packers, so the size of the packed file varies. The packed file is approximately 55KB or larger, and the unpacked file is 200KB or more in size.

The worm propagates via the LSASS vulnerability detailed in Microsoft Security Bulletin MS04-011.

The worm also spreads via the Internet as an attachment to infected emails. It sends itself to email addresses harvested from the victim computer.

The worm contains a backdoor component which receives commands via IRC channels.

Installation

Once launched, the worm copies itself to the Windows system directory as msmgrxp.exe:

%System%\msmgrxp.exe

The worm also creates copies of itself in the root directory of drive C: under the following names:

C:\funny_pic.scr
C:\my_photo2005.scr
C:\see_this!!.scr

The worm then registers itself in the system registry by writing the value shown below under each of the following keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKCU\SYSTEM\CurrentControlSet\Control\Lsa]
[HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
[HKCU\Software\Microsoft\OLE]
[HKLM\Software\Microsoft\OLE]
 "WINTASK"="msmgrxp.exe"

The worm also creates a file named hellmsn.exe (approximately 6KB in size) in the C: root directory. This file will be detected by Kaspersky Anti-Virus as Net-Worm.Win32.Mytob.f.

Propagation via the Internet

The worm selects IP addresses to attack. If it finds that a potential victim machine is vulnerable to the LSASS flaw (MS04-011), it exploits the vulnerability and launches its code on that machine.

Propagation via email

The worm harvests addresses from the MS Windows address books and from files with the following extensions:

adb
asp
dbx
htm
php
pl
sht
tbb
wab

It ignores addresses which contain the following strings:

.edu
.gov
.mil
abuse
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bugs
ca
certific
contact
example
fcnz
feste
fido
foo.
fsf.
gnu
gold-certs
google
gov.
help
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
listserv
math
me
mit.e
mozilla
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
spm
submit
support
syma
tanford.e
the.bat
unix
usenet
utgers.ed
webmaster
www
you
your

The worm establishes a direct connection to the recipient's SMTP server in order to send infected messages.

Infected messages

Sender address (includes one of the following names):

  • adam
  • alex
  • andrew
  • anna
  • bill
  • bob
  • brenda
  • brent
  • brian
  • britney
  • bush
  • claudia
  • dan
  • dave
  • david
  • debby
  • fred
  • george
  • helen
  • jack
  • james
  • jane
  • jerry
  • jim
  • jimmy
  • joe
  • john
  • jose
  • julie
  • kevin
  • leo
  • linda
  • lolita
  • madmax
  • maria
  • mary
  • matt
  • michael
  • mike
  • peter
  • ray
  • robert
  • sam
  • sandra
  • serg
  • smith
  • stan
  • steve
  • ted
  • tom

Message subject (chosen from the list below):

  • Error
  • Good day
  • Hello
  • Mail Delivery System
  • Mail Transaction Failed
  • Server Report
  • Status

Message body (chosen from the list below):

  • Here are your banks documents.
  • Mail transaction failed. Partial message is available.
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • The original message was included as an attachments.

Attachment name (chosen from the list below):

  • body
  • data
  • doc
  • document
  • file
  • message
  • readme
  • test
  • text

The attachment may have a single or a double extension chosen from the list below:

  • bat
  • cmd
  • doc
  • exe
  • htm
  • pif
  • scr
  • tmp
  • txt
  • zip
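The lure strings above are a usable mail-gateway signature. The following is an added example (not part of the Kaspersky description) that flags a message whose subject is on the worm's subject list and whose attachment follows its naming scheme: a name from the attachment list with one or two extensions from the extension list, ending in one Windows executes directly. The sample message is constructed for the demonstration.

```python
import email
from email import policy

# Lists taken from the description above.
SUBJECTS = {"error", "good day", "hello", "mail delivery system",
            "mail transaction failed", "server report", "status"}
ATTACH_NAMES = {"body", "data", "doc", "document", "file", "message",
                "readme", "test", "text"}
EXTENSIONS = {"bat", "cmd", "doc", "exe", "htm", "pif", "scr", "tmp", "txt", "zip"}
# Final extensions that Windows runs as programs (subset of EXTENSIONS).
# Archive contents (zip) are not inspected by this example.
EXECUTABLE = {"bat", "cmd", "exe", "pif", "scr"}

def attachment_risk(filename):
    """Return a reason string if the name fits the worm's scheme, else None."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[0] not in ATTACH_NAMES:
        return None
    exts = parts[1:]
    if len(exts) > 2 or not all(e in EXTENSIONS for e in exts):
        return None
    if exts[-1] not in EXECUTABLE:
        return None
    kind = "double" if len(exts) == 2 else "single"
    return f"{kind}-extension executable attachment '{filename}'"

def scan_message(raw):
    """Return the list of Mytob.y lure indicators found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        hits.append("subject matches lure list")
    for part in msg.iter_attachments():
        reason = attachment_risk(part.get_filename() or "")
        if reason:
            hits.append(reason)
    return hits

# Constructed sample message in the worm's style (body text from the list above).
SAMPLE = """From: john@example.com
To: victim@example.net
Subject: Mail Transaction Failed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Mail transaction failed. Partial message is available.
--b1
Content-Type: application/octet-stream; name="document.txt.scr"
Content-Disposition: attachment; filename="document.txt.scr"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""
```

Running `scan_message(SAMPLE)` reports both the subject match and the double-extension attachment; a plain `readme.txt` or `file.zip` attachment is not flagged.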

Remote administration

Net-Worm.Win32.Mytob.y opens TCP port 6667 on the victim machine in order to receive commands via IRC channels. This gives a remote malicious user full access to the victim machine, and the ability to access information, download, launch and delete files.

Other

The worm modifies the %System%\drivers\etc\hosts file by adding the lines listed below, so that these sites resolve to the local machine and cannot be reached from the victim computer (which also blocks antivirus updates from these vendors).

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
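A hosts file that maps vendor domains to loopback is one of the cheapest artifacts to check for after a suspected infection. The following is an added example (not Kaspersky's code) that parses hosts-file text and reports every name sent to a loopback or unspecified address other than the expected localhost entries; the sample hosts file is constructed and contains a few of the entries listed above.

```python
import ipaddress

# Constructed sample: normal entries followed by lines in the form the worm appends.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.corp.example   # constructed intranet entry
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.kaspersky.com
127.0.0.1 download.mcafee.com
"""

# Names that legitimately resolve to loopback.
ALLOWED_LOOPBACK = {"localhost", "localhost.localdomain"}

# Vendor domains the description shows being redirected (extend as needed).
VENDOR_DOMAINS = ("symantec.com", "symantecliveupdate.com", "sophos.com",
                  "mcafee.com", "f-secure.com", "kaspersky.com", "avp.com",
                  "viruslist.com", "networkassociates.com", "ca.com",
                  "my-etrust.com", "nai.com", "trendmicro.com", "microsoft.com")

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()

def sinkholed_hosts(text):
    """Hostnames pointed at loopback or 0.0.0.0 that are not expected to be."""
    hits = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; not an address at all
        if (addr.is_loopback or addr.is_unspecified) and name not in ALLOWED_LOOPBACK:
            hits.append(name)
    return hits

def blocked_vendor_hosts(text):
    """Narrower check: sinkholed names under the vendor domains listed above."""
    return [h for h in sinkholed_hosts(text)
            if any(h == d or h.endswith("." + d) for d in VENDOR_DOMAINS)]
```

On a real system read the file at %SystemRoot%\System32\drivers\etc\hosts and pass its contents to `blocked_vendor_hosts`; any non-empty result warrants a look at the Run keys and file names described under Installation.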

Copyright © 1996 - 2010 Kaspersky Lab. All rights reserved.