
Win32.Worm.Mytob.GZ.dam


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Worm.Mytob.GZ.dam is also known as Net-Worm.Win32.Mytob.t, W32.Mytob.AI@mm, W32/Mytob.BT@mm, W32/Mytob.G.worm, Worm, W32/Mytob.GO.

Explanation :

The malware copies itself to:
C:\FUNNY_PIC.SCR
C:\MY_PHOTO2005.SCR
C:\SEE_THIS!!.SCR
%System%\JUSCHED32.EXE

drops the backdoor C:\HELLMSN.exe (Backdoor.Faribot.A)

and sets the value "WINTASK DLL" = "jusched32.exe" under the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
These registry values are continuously recreated by the malware, so deleting them is useless as long as the malware is active.

Win32.Worm.Mytob.GZ.dam uses its own SMTP engine to spread, sending itself to e-mail addresses found in files on the infected computer.

It searches the Windows Address Book files in:
%Windir%\Temporary Internet Files
%Userprofile%\Local Settings\Temporary Internet Files
%System%
and all files with the extensions adb, tbb, dbx, asp, php, sht, htm and pl found on the computer.

It does not send itself to addresses containing any of the following strings:
abuse, accoun, acketst, admin, anyone, arin, avp, bugs, ca, certific, contact, example, feste, fido, foo., fsf., gnu, gold-certs, google, help, info, linux, listserv, me, no, nobody, noone, not, nothing, ntivi, page, postmaster, privacy, rating, root, samples, service, site, soft, somebody, someone, submit, support, unix, webmaster, you
There are also some domain names that the malware does not send mail to
(examples: .edu, .gov, .mil, ibm.com, ...).

The body of the infected mail contains one of the following messages:
* Mail transaction failed. Partial message is available.
* The message contains Unicode characters and has been sent as a binary attachment.
* The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
* The original message was included as an attachment.
* Here are your banks documents.
The name of the attachment is composed of one of the following words:
body
data
doc
document
file
message
readme
test
text
and one of the following extensions:
cmd, bat, exe, scr, pif, zip

Besides sending itself by e-mail, the malware performs the following undesired actions:

* Loads an FTP server that listens on a random TCP port.
* Blocks access to some security sites (antivirus vendors, their update servers and www.microsoft.com) by adding entries to the %System%\DRIVERS\ETC\HOSTS file that map those host names to 127.0.0.1, so that the infected machine can no longer reach them.
* Connects to an IRC channel and executes remote commands.
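Two of the artefacts above are easy to check for without touching the infected machine's registry: the attachment naming scheme (word + extension) can be matched in a mail filter, and the HOSTS hijack can be spotted by listing every non-localhost name a HOSTS file points at the loopback address. The following is an added example written for this page, not BitDefender's code; the HOSTS sample is constructed and the function names are my own.

```python
"""Defender-side checks for the Mytob.GZ artefacts described above."""

# Attachment naming scheme from the description: <word>.<extension>
MYTOB_ATTACHMENT_WORDS = {"body", "data", "doc", "document", "file",
                          "message", "readme", "test", "text"}
MYTOB_ATTACHMENT_EXTS = {"cmd", "bat", "exe", "scr", "pif", "zip"}

# Names that legitimately resolve to loopback in a HOSTS file
LOOPBACK_NAMES = {"localhost", "localhost.localdomain",
                  "ip6-localhost", "ip6-loopback"}


def is_mytob_style_attachment(filename: str) -> bool:
    """True if the attachment name is one of the worm's word/extension pairs."""
    name, _, ext = filename.lower().rpartition(".")
    return name in MYTOB_ATTACHMENT_WORDS and ext in MYTOB_ATTACHMENT_EXTS


def hijacked_hosts_entries(hosts_text: str) -> list[str]:
    """Return host names that a HOSTS file maps to the loopback address.

    The worm blocks security-vendor sites by pointing them at 127.0.0.1;
    any non-localhost name resolving to loopback is a sign of tampering.
    Comments (after '#') and blank lines are ignored.
    """
    suspicious = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        addr, *names = line.split()
        if addr in ("127.0.0.1", "::1"):
            for name in names:
                if name.lower() not in LOOPBACK_NAMES:
                    suspicious.append(name)
    return suspicious


# Constructed HOSTS file sample (hypothetical): one normal entry plus
# three entries of the kind the worm adds.
SAMPLE_HOSTS = """\
# default entry
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com   # added by the worm
127.0.0.1 liveupdate.symantec.com
"""

if __name__ == "__main__":
    print(hijacked_hosts_entries(SAMPLE_HOSTS))
    print(is_mytob_style_attachment("readme.scr"))
```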

Last update 21 November 2011
