Content

W32/Mytob.aw@MM

Type
Virus
SubType
Email
Discovery Date
05/16/2005
Length
49,278 bytes
Minimum DAT
4501 (05/27/2005)
Updated DAT
4972 (02/27/2007)
Minimum Engine
5.1.00
Description Added
05/16/2005
Description Modified
05/27/2005 2:38 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

This detection is for a mass-mailing worm that combines W32/Mydoom@MM functionality with W32/Sdbot.worm functionality. 

Mail Propagation

The virus arrives in an email message as follows:

From: (Spoofed email sender)
Do not assume that the apparent sender address is an indication that the sender is infected.  Additionally you may receive alert messages from a mail server saying that you are infected, which may not be the case.

Subject: (Varies, such as):

  • Notice of account limitation
  • Your Email Account is Suspended For Security Reasons
  • Account Alert
  • Important Notification
  • DETECTED* Online User Violation
  • *WARNING* Your Email Account Will Be Closed
  • Security measures
  • Notice: **Last Warning**
  • Email Account Suspension

Body:  (Varies, such as) 

  • Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
  • The original message has been included as an attachment.
  • We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.
  • We attached some important information regarding your account.
  • Please read the attached document and follow it's instructions.

Attachment: (Varies - chooses from the following list of prefaces)

  • info-tex
  • INFO
  • information
  • email-info
  • document
  • account-details
  • email-doc

The attachment name may have one or two file extensions, in which case multiple spaces may be inserted as well, for example:

  • document.htm  (many spaces)  .pif

Extensions: (Varies, chooses from the following list)

First extension:

  • doc
  • txt
  • htm

Final extension:

  • bat
  • cmd
  • exe
  • scr
  • pif

These are examples of common names, but they can also be random.  The file may also arrive in a ZIP archive.

Installation

When the attachment is run, the virus copies itself to the Windows System directory (e.g. C:\Windows\System32\ on Windows XP) as taskgmr.exe. 

The worm also creates the following files:

  • %Sysdir%\net.exe  (copy of the worm)

The Hosts file (typically found in C:\Windows\System32\Drivers\etc\) is also appended to direct several security websites to the local host, so they cannot be accessed.This file is detected and cleaned as Qhosts.apd.

Registry keys are created to load the worm at startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "WINDOWS SYSTEM" = nec.exe 
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\RunServices "WINDOWS SYSTEM" = nec.exe 

Symptoms

The Backdoor bot functionality in the worm is designed to contact the following IRC server, join a specified channel, and wait for further instructions:

  • irc.blackcarder.net.

Method of Infection

The mailing component harvests address from the local system.  Files with the following extensions are targeted:

  • wab
  • adb
  • tbb
  • dbx
  • asp
  • php
  • sht
  • htm
  • cgi
  • jsp
  • txt
  • xml

The worm avoids certain address, those using the following strings:

  • accoun
  • certific
  • listserv
  • ntivi
  • support
  • icrosoft
  • admin
  • page
  • the.bat
  • gold-certs
  • ca
  • feste
  • submit
  • not
  • help
  • service
  • privacy
  • somebody
  • no
  • soft
  • contact
  • site
  • rating
  • bugs
  • me
  • you
  • your
  • someone
  • anyone
  • nothing
  • nobody
  • noone
  • webmaster
  • postmaster
  • samples
  • info
  • root
  • be_loyal:
  • mozilla
  • utgers.ed
  • tanford.e
  • pgp
  • acketst
  • secur
  • isc.o
  • isi.e
  • ripe.
  • arin.
  • sendmail
  • rfc-ed
  • ietf
  • iana
  • usenet
  • fido
  • linux
  • kernel
  • google
  • ibm.com
  • fsf.
  • gnu
  • mit.e
  • bsd
  • math
  • unix
  • berkeley
  • foo.
  • .mil
  • gov.
  • .gov
  • ruslis
  • nodomai
  • mydomai
  • example
  • inpris
  • borlan
  • sopho
  • panda
  • icrosof
  • syma
  • avp
  • .edu
  • abuse
  • www

Finally the virus sends itself via SMTP - constructing messages using its own SMTP engine.  The worm guesses the recipient email server, prepending the target domain name with the following strings:

  • gate.
  • ns.
  • relay.
  • mail1.
  • mxs.
  • mx1.
  • smtp.
  • mail.
  • mx.  

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

Characteristics -

This detection is for a mass-mailing worm that combines W32/Mydoom@MM functionality with W32/Sdbot.worm functionality. 

Mail Propagation

The virus arrives in an email message as follows:

From: (Spoofed email sender)
Do not assume that the apparent sender address is an indication that the sender is infected.  Additionally you may receive alert messages from a mail server saying that you are infected, which may not be the case.

Subject: (Varies, such as):

  • Notice of account limitation
  • Your Email Account is Suspended For Security Reasons
  • Account Alert
  • Important Notification
  • DETECTED* Online User Violation
  • *WARNING* Your Email Account Will Be Closed
  • Security measures
  • Notice: **Last Warning**
  • Email Account Suspension

Body:  (Varies, such as) 

  • Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
  • The original message has been included as an attachment.
  • We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.
  • We attached some important information regarding your account.
  • Please read the attached document and follow it's instructions.

Attachment: (Varies - chooses from the following list of prefaces)

  • info-tex
  • INFO
  • information
  • email-info
  • document
  • account-details
  • email-doc

The attachment name may have one or two file extensions, in which case multiple spaces may be inserted as well, for example:

  • document.htm  (many spaces)  .pif

Extensions: (Varies, chooses from the following list)

First extension:

  • doc
  • txt
  • htm

Final extension:

  • bat
  • cmd
  • exe
  • scr
  • pif

These are examples of common names, but they can also be random.  The file may also arrive in a ZIP archive.

Installation

When the attachment is run, the virus copies itself to the Windows System directory (e.g. C:\Windows\System32\ on Windows XP) as taskgmr.exe. 

The worm also creates the following files:

  • %Sysdir%\net.exe  (copy of the worm)

The Hosts file (typically found in C:\Windows\System32\Drivers\etc\) is also appended to direct several security websites to the local host, so they cannot be accessed.This file is detected and cleaned as Qhosts.apd.

Registry keys are created to load the worm at startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "WINDOWS SYSTEM" = nec.exe 
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\RunServices "WINDOWS SYSTEM" = nec.exe 

Symptoms

Symptoms -

The Backdoor bot functionality in the worm is designed to contact the following IRC server, join a specified channel, and wait for further instructions:

  • irc.blackcarder.net.

Method of Infection

Method of Infection -

The mailing component harvests address from the local system.  Files with the following extensions are targeted:

  • wab
  • adb
  • tbb
  • dbx
  • asp
  • php
  • sht
  • htm
  • cgi
  • jsp
  • txt
  • xml

The worm avoids certain address, those using the following strings:

  • accoun
  • certific
  • listserv
  • ntivi
  • support
  • icrosoft
  • admin
  • page
  • the.bat
  • gold-certs
  • ca
  • feste
  • submit
  • not
  • help
  • service
  • privacy
  • somebody
  • no
  • soft
  • contact
  • site
  • rating
  • bugs
  • me
  • you
  • your
  • someone
  • anyone
  • nothing
  • nobody
  • noone
  • webmaster
  • postmaster
  • samples
  • info
  • root
  • be_loyal:
  • mozilla
  • utgers.ed
  • tanford.e
  • pgp
  • acketst
  • secur
  • isc.o
  • isi.e
  • ripe.
  • arin.
  • sendmail
  • rfc-ed
  • ietf
  • iana
  • usenet
  • fido
  • linux
  • kernel
  • google
  • ibm.com
  • fsf.
  • gnu
  • mit.e
  • bsd
  • math
  • unix
  • berkeley
  • foo.
  • .mil
  • gov.
  • .gov
  • ruslis
  • nodomai
  • mydomai
  • example
  • inpris
  • borlan
  • sopho
  • panda
  • icrosof
  • syma
  • avp
  • .edu
  • abuse
  • www

Finally the virus sends itself via SMTP - constructing messages using its own SMTP engine.  The worm guesses the recipient email server, prepending the target domain name with the following strings:

  • gate.
  • ns.
  • relay.
  • mail1.
  • mxs.
  • mx1.
  • smtp.
  • mail.
  • mx.  

Removal -

Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A