
Win32.Worm.Mytob.C


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Worm.Mytob.C is also known as Mydoom.

Explanation:

This worm spreads by email and by exploiting the LSASS vulnerability, and it includes an IRC backdoor. The program is compiled with Visual C++ and packed with UPack; parts of the mass-mailing code are similar to those found in the Mydoom series.

It arrives in an email in the following format:

From: (forged address)

Subject: one of the following: "test", "hi", "hello", no subject, "Status", "Error", "Server Report", "Status", "Mail Transaction Failed", "Mail Delivery System" or 3 to 17 random letters; sometimes the first letter of the subject is capitalized; sometimes the entire subject line is written in uppercase.

Body: one of the following:
- "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.";
- "The message contains Unicode characters and has been sent as a binary attachment.";
- 512 to 2559 random characters (in lines of approx. 70 characters);
- no text;
- "Mail transaction failed. Partial message is available.";
- "test".

Attachment: the virus is attached to the email:
- as an executable file (named: { "document", "message", "body", "readme", "doc", "text", "file", "data", 3 to 7 random letters or "test" }.{ "pif", "scr", "exe", "cmd" or "bat" });
or:
- as a ZIP file containing an executable named { "document", "message", "body", "readme", "doc", "text", "file", "data", 3 to 7 random letters or "test" }.{ "htm", "txt" or "doc"}..{"pif", "scr" or "exe"} or as above.
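A mail-gateway style check for the message format described above, written as an added example (it is not BitDefender's or the worm's code): the subject, body and attachment-name patterns are transcribed from the description, and a message is flagged only when both a text indicator and an attachment-shape indicator match, including the double-extension executable inside a ZIP.

```python
import io
import re
import zipfile

# Indicator strings transcribed from the description above (constructed detector).
SUBJECTS = {"", "test", "hi", "hello", "status", "error", "server report",
            "mail transaction failed", "mail delivery system"}
BODIES = {"", "test", "mail transaction failed. partial message is available.",
          "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
          "the message contains unicode characters and has been sent as a binary attachment."}
NAME = r"(?:document|message|body|readme|doc|text|file|data|test|[a-z]{3,7})"
# direct attachment: <name>.{pif,scr,exe,cmd,bat}
DIRECT_RE = re.compile(rf"^{NAME}\.(?:pif|scr|exe|cmd|bat)$", re.I)
# ZIP member: <name>[.{htm,txt,doc}[.]].{pif,scr,exe}; the decoy extension and the
# extra dot are optional, so "readme.txt..pif" and "body.exe" both match
MEMBER_RE = re.compile(rf"^{NAME}(?:\.(?:htm|txt|doc)\.?)?\.(?:pif|scr|exe)$", re.I)


def indicators(subject, body, attachments):
    """Return matched indicators for one message; attachments is [(filename, bytes)]."""
    hits = []
    s = subject.strip()
    if s.lower() in SUBJECTS or re.fullmatch(r"[A-Za-z]{3,17}", s):
        hits.append("subject")
    if body.strip().lower() in BODIES:
        hits.append("body")
    for fname, data in attachments:
        if DIRECT_RE.match(fname):
            hits.append("attachment:" + fname)
        elif fname.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    hits += ["member:" + m for m in zf.namelist() if MEMBER_RE.match(m)]
            except zipfile.BadZipFile:
                pass  # unreadable archive: nothing to inspect here
    return hits


def is_suspect(subject, body, attachments):
    """Flag only when a text indicator AND an attachment-shape indicator match."""
    hits = indicators(subject, body, attachments)
    return ("subject" in hits or "body" in hits) and any(
        h.startswith(("attachment:", "member:")) for h in hits)


def make_zip(member_name, payload=b"constructed stub, not a real executable"):
    """Build an in-memory ZIP with one member (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()
```

The random-text body variant (512 to 2559 random characters) is not modelled; messages with such a body are caught only through the subject and attachment indicators.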

When the naive user opens the executable file in the attachment, the virus starts doing its evil work. First it tries to create a mutex object called "G68"; if the mutex object already exists, the virus stops at this point, which prevents multiple instances from running at the same time. The virus then copies itself to the system folder as "wfdmgr.exe" and resumes execution from that location.

The following registry entries are created so that the virus is run at every Windows start-up:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LSA = "wfdmgr.exe"
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\LSA = "wfdmgr.exe"
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\LSA = "wfdmgr.exe"

Some other registry entries are also created:
- HKCU\Software\Microsoft\OLE\LSA
- HKCU\SYSTEM\CurrentControlSet\Control\LSA
- HKLM\Software\Microsoft\OLE\LSA
- HKLM\SYSTEM\CurrentControlSet\Control\LSA

A limited FTP server is bound to a random port in the range 1000-65535; for any "retrieve file" request, a copy of the virus is supplied; this FTP server will be used later to transfer the virus to successfully exploited computers.

The virus connects to an IRC server 18.xxor.biz:13000, joins the channel "#m-rl1" and waits for private messages containing commands: authenticate, report version/uptime, leave server, restart virus, download a file (from an HTTP URL), download and execute a file, uninstall virus, update virus. (In order to completely remove itself from the system as response to the uninstall and update commands, the virus injects some code in a remotely-created thread in Windows Explorer; that code is the one that deletes the executable file).

Two main threads are created for mass-mailing: one that scans files to harvest email addresses and one that creates messages and sends them to those addresses. Email addresses are gathered from the Windows Address Book, from the Temporary Internet Files folder (and sub-folders, up to 5 levels) and (in a loop) from the system drive and all fixed/ramdisk drives (and subfolders, up to 15 levels). The following files are scanned:
- files with no extension (max. size: 20480 bytes);
- *.txt (max. size: 81920 bytes);
- *.htm*, *.sht*, *.php*, *.asp*, *.dbx*, *.adb*, *.pl (max. size: 204800 bytes);
- *.tbb* (max. size: 1228800 bytes);
- *.wab* (max. size: 8 MB).

Addresses whose name or domain part contains certain sub-strings (not listed here) are skipped.

The other thread checks whether an Internet connection is available before it starts sending email messages in the format described above. The "From" field is forged, in most cases with another address from the list, otherwise with a random name @{ "aol.com", "msn.com" or "yahoo.com" }. Under certain circumstances (at least 3 addresses are in the list, all of them have already been sent a message, and more than 6 seconds have passed since the last new address was found), an automatically generated email address (with the name part taken from a hard-coded list and the domain part copied from another address) is added to the list. Emails are sent by connecting directly to the recipient's mail server.

The worm will connect to other computers in the LAN/Internet and send them some SMB packets that cause the Local Security Authority System Service to fail and execute code in those packets (on unpatched Windows systems). The exploit code creates a "shell" on TCP port 4332. The virus connects to the successfully opened shells and commands the exploited computers to download the virus from the local FTP server (created by the virus) and run it.

The worm obtains the local IP address a.b.c.d. If c is greater than 20, and in 60% of the remaining cases, the first computer the worm tries to exploit is a.b.c.d+1 (when c is greater than 20, a random number between 0 and 19 is first subtracted from c); in the other cases, the first IP is chosen at random. The worm then attempts to exploit 30 consecutive IPs, and repeats this in an infinite loop.

Last update 21 November 2011
