

   VIRUS ALERTS

WORM_MYTOB@mm and variants

Original issue date: April 20, 2006

Several variants of the MYTOB worm reported earlier have been observed spreading in the wild. Among them are WORM_MYTOB.PG (aliases: Malware.p, W32.Mydoom!gen, Win32/Rbot.EXW), WORM_MYTOB.PH (aliases: Malware.p, W32.Mytob@mm), WORM_MYTOB.PI (alias: W32/Mytob.VF@mm), WORM_MYTOB.PP (aliases: Malware.p, W32.Mytob@mm, W32/Mytob.VG@mm), WORM_MYTOB.PW and WORM_MYTOB.PX.

These are mass-mailing worms that also propagate via peer-to-peer (P2P) networks, network shares, instant messengers, IRC and certain vulnerabilities in Windows systems. When propagating via P2P networks, they drop copies of themselves into folders associated with popular P2P file-sharing applications. When spreading through network shares, they search for the default IPC$ share and drop a copy of themselves there.

Some of the features of these worms are:

  • Capable of spreading by adding a copy of themselves to WinRAR archives that are not password-protected.
  • Scan the compromised machine for email addresses and send copies of themselves to those addresses using their own SMTP engine.
  • Avoid sending email to addresses that contain certain strings.
  • Copies of the worm carry enticing file names to lure the user into downloading them. When propagating via IRC and instant messenger, they send messages containing malicious links.
  • Some variants exploit Windows vulnerabilities (listed below).
  • Some variants have backdoor capability and act as a server program controlled through an Internet Relay Chat (IRC) bot.

Activities of these MYTOB variants after execution:

  • Creates the following registry entry to ensure its automatic execution at every system startup:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    begins = "%System%\0.exe"
  • Modifies the value of the following registry entry, which controls the Internet Connection Sharing (ICS) / Windows Firewall service (SharedAccess). A Start value of 4 marks the service as disabled, so the Windows Firewall is not started at boot:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
    Start = "dword:00000004"
  • Gathers email addresses from files with extensions such as .adb, .asp, .dbx, .htm, .php, .pl, .sht, .tbb, .txt and .wab. These worms may also generate email addresses by combining specific strings with specific domain names.
  • Some variants, such as WORM_MYTOB.PW, modify the system's HOSTS file, which contains hostname-to-IP-address mappings. The file is located in one of the following folders:
    %System%\drivers\etc
    %Windows%
    This is done to prevent access to antivirus and security-related websites such as:
    sophos.com
    symantec.com
    trendmicro.com
    www.f-secure.com
  • Some variants, such as WORM_MYTOB.PW and WORM_MYTOB.PP, have backdoor capability. They open a random port and connect to an Internet Relay Chat (IRC) server such as tob.majesticwin.com or xd34thx.guccino.us. Once connected, they join an IRC channel where they listen for commands from a remote malicious user, such as:

    Perform basic IRC commands
    Send email messages
    Download files
    Get system information

  • Terminates processes related to antivirus, security and monitoring applications.
  • The email message constructed by the worm carries an attachment with a name such as:

    • accepted-password
    • account-password
    • approved-password
    • email-password
    • new-password
    • password
    • updated-password
    • data
    • doc
    • document
    • file
    • message
    • readme
    • text
    • avoxpmw.zip
    • enaqny.zip
    • erbgwcrejlvwjrvcg.zip
    • euldl.zip
    • gehfwufqufsuo.zip
    • gewhutswqsut.zip
    • hra.zip
    • ntz.zip
    • pae.zip
    • password.zip
    • penvtr.zip
    • ptd.zip
    • qeuaswstutsu.zip
    • qguwqrelelt.zip
    • qlureltusqtuqft.zip
    • qsuqluergtqswzx.zip
    • reulqurelretl.zip
    • swfutust.zip
    • tsauwstureg.zip
    • wnd.zip
    • wxstwqstuqt.zip
    • yeinlhm.zip

  • The email message constructed by the worm uses a subject line such as:

    • Account closure
    • ACCOUNT TERMINATION
    • email support
    • Enduser termination
    • staff
    • {Blank}
    • {Random}
    • error
    • hello
    • hi
    • mail delivery system
    • mail transaction failed
    • server error
    • server report
    • status
    • test
    • You have successfully updated your password
    • Your new account password is approved
    • Your password has been successfully updated
    • Your password has been updated

    The attachment may carry any of the following extensions:

    • .cmd
    • .scr
    • .bat
    • .exe
    • .pif
  • Uses a list of user names and passwords to gain access to password-protected shares.
  • Some variants search the affected system for specific folders, mostly related to popular P2P file-sharing applications, such as:
    C:\Program Files\eDonkey2000\Incoming
    C:\Program Files\Files\Kazaa Lite\My Shared Folder

    They also search for any folder whose name contains the string "My Shared Folder".
    These worms use different, socially engineered file names for different P2P applications.
  • Some variants create an IRC script file that automatically sends a message to users who join a specific IRC channel. The message has the following format:

    {Nickname} just look at this brother http://{Sender's IP address}:2001/Hot.pif
    The worm may use any of the following file names in the link it sends:
    crazy5.scr
    crazyjump.scr
    exposed.scr
    funny2.scr
    funny3.scr
    haha.scr
    lucky.scr
    mjackson.scr
    picture1.scr
  • Some variants can spread by adding a copy of themselves to WinRAR archives that are not password-protected, using the file name {Random}.COM.
  • Some variants, such as WORM_MYTOB.PI, create the mutex H-E-L-L-B-O-T to ensure that only one instance runs in memory.
  • Some variants exploit the following Windows vulnerabilities to propagate across networks:

    WebDAV vulnerability (described in Microsoft Security Bulletin MS03-007)
    Windows RPC-DCOM vulnerability (described in CERT-In advisory CAID-2003-09)
    Windows LSASS vulnerability (described in CERT-In advisory CAID-2004-10)

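The HOSTS-file tampering, the SharedAccess Start value and the IRC lure links described above can be checked with a small triage script. The following Python is an added example written for this alert, not code from CERT-In or from any vendor referenced here. The HOSTS content and IRC lines it scans are constructed samples (203.0.113.7 is a documentation address, not a real worm host), and the registry read only runs on Windows; on other platforms it returns None so the rest still runs.

```python
import re
import sys

# Security-vendor hostnames the advisory says WORM_MYTOB.PW pins in the HOSTS file.
WATCHED_DOMAINS = {"sophos.com", "symantec.com", "trendmicro.com", "www.f-secure.com"}

# Windows service Start values: 2 = automatic, 3 = manual, 4 = disabled.
SERVICE_DISABLED = 4

# Lure links of the form http://<ip>:<port>/<name>.<executable-ext>, as sent over IRC/IM.
LURE_RE = re.compile(
    r"https?://(?P<ip>(?:\d{1,3}\.){3}\d{1,3}):(?P<port>\d{1,5})/"
    r"(?P<file>\S+\.(?:pif|scr|exe|com|bat|cmd))\b",
    re.IGNORECASE,
)


def hosts_redirects(hosts_text, watched=WATCHED_DOMAINS):
    """Return (hostname, ip) pairs for watched domains pinned in a HOSTS file.

    Any static entry for a vendor domain (or a host under it) is suspicious:
    a clean HOSTS file normally maps only localhost and internal names.
    """
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            n = name.lower()
            if n in watched or any(n.endswith("." + w) for w in watched):
                hits.append((n, ip))
    return hits


def firewall_service_disabled(start_value):
    """True when the SharedAccess (ICS / Windows Firewall) Start value is 4 (disabled)."""
    return start_value == SERVICE_DISABLED


def read_sharedaccess_start():
    """Read HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Start on Windows; None elsewhere."""
    if not sys.platform.startswith("win"):
        return None
    import winreg  # only available on Windows
    path = r"SYSTEM\CurrentControlSet\Services\SharedAccess"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        value, _ = winreg.QueryValueEx(key, "Start")
    return value


def lure_links(text):
    """Extract (ip, port, filename) from IRC/IM text carrying MYTOB-style download links."""
    return [(m.group("ip"), int(m.group("port")), m.group("file"))
            for m in LURE_RE.finditer(text)]


# Constructed samples for this example (not captures from an infected host).
SAMPLE_HOSTS = """\
# constructed HOSTS file
127.0.0.1       localhost
127.0.0.1       sophos.com
127.0.0.1       www.symantec.com
0.0.0.0         trendmicro.com   # vendor pinned to a null route
192.0.2.10      intranet.example.org
"""

SAMPLE_IRC = (
    "<n1ck> alice just look at this brother http://203.0.113.7:2001/Hot.pif\n"
    "<n1ck> bob see picture1.scr at http://203.0.113.7:2001/picture1.scr ok\n"
    "<carol> http://203.0.113.7:80/index.html\n"
)

if __name__ == "__main__":
    for host, ip in hosts_redirects(SAMPLE_HOSTS):
        print(f"HOSTS pin: {host} -> {ip}")
    start = read_sharedaccess_start()
    if start is not None:
        print("SharedAccess Start =", start,
              "(disabled)" if firewall_service_disabled(start) else "")
    for ip, port, name in lure_links(SAMPLE_IRC):
        print(f"lure link: {ip}:{port}/{name}")
```

On a live Windows host, pass the contents of %System%\drivers\etc\hosts to hosts_redirects and compare read_sharedaccess_start() against the expected value 2 (automatic); a value of 4 on a machine where nobody disabled the firewall deliberately is a strong indicator.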
In view of the rapid propagation and high damage potential of these MYTOB variants, users are advised to implement the following countermeasures:

  • Install and maintain updated anti-virus software at the gateway and desktop level
  • Filter emails with the above-mentioned subject lines and attachments at the gateway
  • Keep up to date with patches and fixes for the operating system and application software, in particular the patches for the WebDAV, RPC-DCOM and LSASS vulnerabilities listed above
  • Use strong passwords on network shares, since these worms try a list of common user names and passwords against password-protected shares
  • Exercise caution while opening email attachments
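
For the gateway filtering recommended above, a filter that matches only subject lines is weak: the advisory also lists {Blank} and {Random} subjects, and generic ones such as "hi" or "test" would block legitimate mail. The Python below is an added example written for this alert, not code from CERT-In or from any vendor referenced here; the messages it checks are constructed with the standard library. It uses the subject list only as a weak signal and quarantines on attachment evidence: an executable extension from the list, an attachment name from the list, or a zip archive containing a file with an executable extension.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subject lines and attachment names quoted in the advisory (lower-cased for matching).
SUBJECTS = {
    "account closure", "account termination", "email support", "enduser termination",
    "staff", "error", "hello", "hi", "mail delivery system", "mail transaction failed",
    "server error", "server report", "status", "test",
    "you have successfully updated your password",
    "your new account password is approved",
    "your password has been successfully updated",
    "your password has been updated",
}
ATTACHMENT_STEMS = {
    "accepted-password", "account-password", "approved-password", "email-password",
    "new-password", "password", "updated-password", "data", "doc", "document", "file",
    "message", "readme", "text",
    "avoxpmw", "enaqny", "erbgwcrejlvwjrvcg", "euldl", "gehfwufqufsuo", "gewhutswqsut",
    "hra", "ntz", "pae", "penvtr", "ptd", "qeuaswstutsu", "qguwqrelelt", "qlureltusqtuqft",
    "qsuqluergtqswzx", "reulqurelretl", "swfutust", "tsauwstureg", "wnd", "wxstwqstuqt",
    "yeinlhm",
}
EXEC_EXTS = {".cmd", ".scr", ".bat", ".exe", ".pif"}


def split_name(filename):
    """Lower-cased (stem, extension) of the last path component; ext includes the dot."""
    name = filename.lower().replace("\\", "/").rsplit("/", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    return (name, "") if not dot else (stem, "." + ext)


def attachment_reasons(part):
    """Reasons to block one MIME attachment: executable ext, listed name, or zip holding an executable."""
    filename = part.get_filename()
    if not filename:
        return []
    stem, ext = split_name(filename)
    reasons = []
    if ext in EXEC_EXTS:
        reasons.append(f"attachment {filename}: executable extension")
    if stem in ATTACHMENT_STEMS:
        reasons.append(f"attachment {filename}: name on advisory list")
    if ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for member in zf.namelist():
                    if split_name(member)[1] in EXEC_EXTS:
                        reasons.append(f"attachment {filename}: member {member} is executable")
        except zipfile.BadZipFile:
            reasons.append(f"attachment {filename}: corrupt zip")
    return reasons


def classify_message(raw):
    """Return ("quarantine" | "flag" | "pass", reasons) for an RFC 822 message given as bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject in SUBJECTS:
        reasons.append(f"subject {subject!r} on advisory list")   # weak signal on its own
    attachment_hits = []
    for part in msg.iter_attachments():
        attachment_hits.extend(attachment_reasons(part))
    reasons.extend(attachment_hits)
    if attachment_hits:
        return "quarantine", reasons          # attachment evidence is decisive
    return ("flag", reasons) if reasons else ("pass", reasons)


def build_sample(subject, zip_member=None):
    """Constructed test message; with zip_member set, attaches password.zip holding that file."""
    msg = EmailMessage()
    msg["From"] = "support@example.net"
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content("The original message was included as an attachment.")
    if zip_member:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(zip_member, b"MZ placeholder, not a real executable")
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                           filename="password.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(classify_message(build_sample("Your password has been updated", "password.scr")))
    print(classify_message(build_sample("hi")))
    print(classify_message(build_sample("Quarterly figures")))
```

A "flag" verdict is meant for a secondary check (for example, holding the message for review or scoring it together with other heuristics) rather than outright rejection; only the attachment indicators justify quarantine on their own.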

References:

Trend Micro
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYTOB%2EPX
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYTOB%2EPW&VSect=P
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYTOB%2EPI
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYTOB%2EPH
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYTOB%2EPG

Symantec
http://www.symantec.com/avcenter/venc/data/w32.mytob@mm.html
http://www.symantec.com/avcenter/venc/data/w32.mydoom!gen.html

Computer Associates
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=53660

McAfee
http://vil.nai.com/vil/content/v_135508.htm

Authentium
http://www.authentium.com/support/AVMatrix/VirusDefList.aspx

CERT-In
http://cert-in.org.in/virus/worm-mytob-mx.htm
http://cert-in.org.in/virus/worm-mytob-cu.htm
http://cert-in.org.in/virus/worm-mytob%20.htm

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91 11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003