W32/Mytob.el@MM

Type: Virus
SubType: E-mail
Discovery Date: 07/09/2005
Length: 32,804 bytes
Minimum DAT: 4532 (07/11/2005)
Updated DAT: 4744 (04/19/2006)
Minimum Engine: 5.1.00
Description Added: 07/09/2005
Description Modified: 07/09/2005 3:58 PM (PT)
Risk Assessment:
  • Corporate User: Low
  • Home User: Low

Characteristics

This detection is for a mass-mailing worm that combines W32/Mydoom@MM functionality with W32/Sdbot.worm functionality. 

Mail Propagation

The virus arrives in an email message as follows:

From: (Spoofed email sender)
Do not assume that the apparent sender address indicates that the sender is infected. Additionally, you may receive alert messages from a mail server saying that you are infected, which may not be the case.

Subject: (Varies, such as):

  • Notice of account limitation
  • Email Account Suspension
  • Security measures
  • Members Support
  • Important Notification
  • Warning Message: Your services near to be closed.
  • Your Account is Suspended For Security Reasons
  • *DETECTED* Online User Violation
  • Your Account is Suspended
  • Your new account password is approved
  • You have successfully updated your password
  • Your password has been successfully updated
  • Your password has been updated

Body:  (blank)

Attachment: (Varies - chooses from the following list of prefaces)

  • account-report
  • readme
  • document
  • account-info
  • email-details
  • account-details
  • important-details
  • accepted-password
  • account-password
  • approved-password
  • password
  • new-password
  • email-password
  • updated-password
  • random

The attachment name may have one or two file extensions, in which case multiple spaces may be inserted as well, for example:

  • document.htm  (many spaces)  .pif

Extensions: (Varies, chooses from the following list)

First extension:

  • doc
  • txt
  • htm

Final extension:

  • bat
  • cmd
  • exe
  • scr
  • pif

These are examples of common names, but they can also be random.  The file may also arrive in a ZIP archive.
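The attachment-naming trick described above (a decoy document extension, optional whitespace padding, then the real executable extension) is simple to unmask at a mail gateway. The following classifier is an added example written for this page, not code from McAfee or from the worm; the preface and extension lists are copied from the description, and the sample filenames are constructed.

```python
import re

# Attachment prefaces and extensions as listed in the description above.
PREFACES = {
    "account-report", "readme", "document", "account-info", "email-details",
    "account-details", "important-details", "accepted-password",
    "account-password", "approved-password", "password", "new-password",
    "email-password", "updated-password",
}
FIRST_EXTS = {"doc", "txt", "htm"}                 # decoy "document" extensions
FINAL_EXTS = {"bat", "cmd", "exe", "scr", "pif"}   # extensions Windows executes

# "<name>[.<first ext>][<spaces>].<final ext>", e.g. "document.htm      .pif".
_PATTERN = re.compile(
    r"^(?P<name>[^.\s][^.]*?)"
    r"(?:\.(?P<first>[A-Za-z0-9]+))?"
    r"\s*\.(?P<final>[A-Za-z0-9]+)$"
)


def classify_attachment(filename: str) -> dict:
    """Decide whether a mail attachment name fits the Mytob.el pattern.

    Returns {"filename", "block", "reasons"}; "block" is True whenever the
    real (final) extension is one Windows will execute, and "reasons" lists
    every trick found so the gateway log explains the verdict.
    """
    reasons = []
    m = _PATTERN.match(filename)
    if not m:
        return {"filename": filename, "block": False, "reasons": reasons}
    name = m.group("name").strip().lower()
    first = (m.group("first") or "").lower()
    final = m.group("final").lower()
    if final in FINAL_EXTS:
        reasons.append("executable final extension ." + final)
        if first in FIRST_EXTS:
            reasons.append("decoy ." + first + " extension in front of ." + final)
        if re.search(r"\s\.[A-Za-z0-9]+$", filename):
            reasons.append("whitespace padding hides the final extension")
    if name in PREFACES:
        reasons.append("name '" + name + "' is on the worm's preface list")
    return {"filename": filename, "block": final in FINAL_EXTS, "reasons": reasons}


if __name__ == "__main__":
    # Constructed samples: two names in the worm's style and one benign file.
    for fn in ("document.htm          .pif", "readme.exe", "invoice.pdf"):
        print(classify_attachment(fn))
```

Because the description says names can also be random, the verdict rests on the final extension; the preface match is reported only as supporting evidence. Names inside a ZIP archive can be fed through the same function.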

Installation

When the attachment is run, the virus copies itself to the Windows System directory (e.g. C:\Windows\System32\ on Windows XP) as taskgmr.exe. 

The worm also creates the following files:

  • %Sysdir%\m0use.exe  (copy of the worm)

The Hosts file (typically found in C:\Windows\System32\Drivers\etc\) is also appended with entries that direct several security websites to the local host, so they cannot be accessed. The modified file is detected and cleaned as Qhosts.apd.

Registry keys are created to load the worm at startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Run "Userinterface Report3r" = M0USE.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "Userinterface Report3r" = M0USE.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    RunServices "Userinterface Report3r" = M0USE.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = Explorer.exe M0USE.exe
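Added here as a defender's check, not part of the McAfee description: the hosts-file and autostart indicators from the Installation section, applied to a constructed hosts file and a constructed set of exported registry values. The blocked hostnames in the sample are placeholders, since the page does not name the security sites; the checks generalise slightly beyond the page by flagging any non-local name pinned to a loopback address and any Winlogon Shell value other than plain Explorer.exe.

```python
# Indicators from the Installation section: dropped file names, the autostart
# value name, and the Winlogon Shell value extended with the worm binary.
DROPPED_FILES = ("taskgmr.exe", "m0use.exe")
RUN_VALUE_NAME = "userinterface report3r"
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

def hijacked_hosts_entries(hosts_text: str) -> list:
    """Return (hostname, ip) pairs that pin a non-local name to a loopback
    address, which is how the worm makes security websites unreachable."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if ip in LOOPBACK:
            hits += [(n.lower(), ip) for n in names if n.lower() not in LOCAL_NAMES]
    return hits

def suspicious_autostart_values(values: dict) -> list:
    """values maps 'KEY\\ValueName' -> data for the Run, RunServices and
    Winlogon keys. Flags the worm's value name, any data naming a dropped
    file, and a Shell value that is anything other than plain Explorer.exe."""
    findings = []
    for path, data in values.items():
        key, _, value_name = path.rpartition("\\")
        data_l = data.lower()
        if value_name.lower() == RUN_VALUE_NAME:
            findings.append(path + ": value name used by Mytob.el")
        if any(f in data_l for f in DROPPED_FILES):
            findings.append(path + ": data references a dropped file: " + data)
        if key.lower().endswith("\\winlogon") and value_name.lower() == "shell" \
                and data_l.strip() != "explorer.exe":
            findings.append(path + ": Shell changed to '" + data + "'")
    return findings

# Constructed samples; the blocked hostnames are placeholders, not real sites.
SAMPLE_HOSTS = """# hosts file as an imaginary infected machine would leave it
127.0.0.1   localhost
127.0.0.1   update.example-av.test   # appended by the worm
127.0.0.1   www.example-av.test
"""
SAMPLE_VALUES = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Userinterface Report3r": "M0USE.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": "Explorer.exe M0USE.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SoundMgr": r"C:\Program Files\Audio\sndmgr.exe",
}
```

Run `hijacked_hosts_entries(SAMPLE_HOSTS)` and `suspicious_autostart_values(SAMPLE_VALUES)` to see the two loopback hijacks and the four autostart findings the constructed samples produce.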

Symptoms

The Backdoor bot functionality in the worm is designed to contact the following IRC server, join a specified channel, and wait for further instructions:

  • name.turkintikamtugayi.com (TCP 7745)

Method of Infection

The mailing component harvests email addresses from the local system. Files with the following extensions are targeted:

  • wab
  • adb
  • tbb
  • dbx
  • asp
  • php
  • sht
  • htm
  • cgi
  • jsp
  • txt
  • xml

The worm skips addresses that contain any of the following strings:

  • accoun
  • certific
  • listserv
  • ntivi
  • support
  • icrosoft
  • admin
  • page
  • the.bat
  • gold-certs
  • ca
  • feste
  • submit
  • not
  • help
  • service
  • privacy
  • somebody
  • no
  • soft
  • contact
  • site
  • rating
  • bugs
  • me
  • you
  • your
  • someone
  • anyone
  • nothing
  • nobody
  • noone
  • webmaster
  • postmaster
  • samples
  • info
  • root
  • be_loyal:
  • mozilla
  • utgers.ed
  • tanford.e
  • pgp
  • acketst
  • secur
  • isc.o
  • isi.e
  • ripe.
  • arin.
  • sendmail
  • rfc-ed
  • ietf
  • iana
  • usenet
  • fido
  • linux
  • kernel
  • google
  • ibm.com
  • fsf.
  • gnu
  • mit.e
  • bsd
  • math
  • unix
  • berkeley
  • foo.
  • .mil
  • gov.
  • .gov
  • ruslis
  • nodomai
  • mydomai
  • example
  • inpris
  • borlan
  • sopho
  • panda
  • icrosof
  • syma
  • avp
  • .edu
  • abuse
  • www

Finally, the virus sends itself via SMTP, constructing messages with its own SMTP engine. To locate the recipient's mail server, the worm prepends the following strings to the target domain name:

  • gate.
  • ns.
  • relay.
  • mail1.
  • mxs.
  • mx1.
  • smtp.
  • mail.
  • mx.

Removal

Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Net-Worm.Win32.Mytob.bt (AVP)
  • WORM_MYTOB.HS (Trend)
