W32/Mytob.ij@MM

Type: Virus
SubType: Email Worm
Discovery Date: 10/24/2006
Length: 88064 bytes (may vary)
Minimum DAT: 4881 (10/25/2006)
Updated DAT: 4882 (10/26/2006)
Minimum Engine: 5.1.00
Description Added: 10/24/2006
Description Modified: 10/25/2006 12:11 AM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

This variant of the Mytob family has the following high-level characteristics.

  • Configures itself to load at startup
  • Queries MX records for the domains of harvested email addresses
  • Connects to an IRC server and waits for commands

The code suggests that this variant may also disable Task Manager by setting the following registry value (DisableTaskMgr under the Policies\System key):

  • Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

Mail Propagation

The virus arrives in an email message as follows:

From: (Spoofed email sender)
Do not assume that the apparent sender address indicates that the sender is infected. You may also receive bounce or alert messages from a mail server saying that you are infected, which may not be the case.

Subject: (Varies, such as)

  • Account Alert

Message Body:  (Varies, such as) 

Dear Valued Member,
According to our terms of services, you will have to confirm your e-mail by the following link, or your account will be suspended for security reasons.

After following the instructions in the sheet, your account will not be interrupted and will continue as normal.
Thanks for your attention to this request. We apologize for any inconvenience.

Sincerely, <DOMAIN> Abuse Department

Attachment: (Varies)

  • Confirmation_Sheet.pif

It can also arrive in an e-mail without an attachment, as below:

From: (Spoofed email sender)
Subject: (Varies, such as)

  • Account Alert

Message Body: (Varies, such as)

Dear Valued Member,
According to our terms of services, you will have to confirm your e-mail
by the following link, or your account will be suspended for security
reasons.

http://(spoofed, e-mail sender domain)/confirm.php?account=virus.busters@(e-mail sender)


After following the instructions in the sheet, your account will not be interrupted and will continue as normal.
Thanks for your attention to this request. We apologize for any
inconvenience.

Sincerely,  Abuse Department

The displayed link text uses the spoofed sender's domain, but the actual hyperlink target hidden behind it may be one of the following domains:

  • nbmd.cn
  • yfcdavao.org
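The lure described above has three observable traits a mail gateway or analyst can key on: the "Account Alert" subject, a .pif attachment, and an anchor whose visible text is a URL on the spoofed sender's domain while the real href points elsewhere. The following is an added example (not McAfee's code) that checks a raw RFC 822 message for all three. The sample message, the domains example.com and victim@example.com, and the extension list beyond .pif are constructed for the example; only nbmd.cn, Confirmation_Sheet.pif and the subject come from the description.

```python
"""Triage a suspected Mytob-style lure e-mail (added example, not McAfee's code)."""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# .pif is the attachment type in the description; the other executable
# extensions are an assumption added for the example.
RISKY_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased host of a URL; bare 'www.x' text is treated as http://www.x."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def analyze_message(raw):
    """Return the lure indicators found in a raw message (bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = {"subject_match": False, "risky_attachments": [], "mismatched_links": []}
    if (msg["subject"] or "").strip().lower() == "account alert":
        findings["subject_match"] = True
    for part in msg.walk():
        name = part.get_filename()
        if name and any(name.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            findings["risky_attachments"].append(name)
        if part.get_content_type() == "text/html":
            collector = _AnchorCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                # Visible text looks like a URL but its host differs from the real target.
                if re.match(r"(?i)https?://|www\.", text) and _host(text) != _host(href):
                    findings["mismatched_links"].append((text, href))
    return findings


# Constructed sample message modelled on the lure text in the description.
SAMPLE_RAW = b"""From: abuse@example.com
To: victim@example.com
Subject: Account Alert
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Dear Valued Member,</p>
<p>You will have to confirm your e-mail by the following link:
<a href="http://nbmd.cn/confirm.php?account=victim@example.com">http://example.com/confirm.php?account=victim@example.com</a></p>
<p>Sincerely, example.com Abuse Department</p></body></html>
--b1
Content-Type: application/octet-stream; name="Confirmation_Sheet.pif"
Content-Disposition: attachment; filename="Confirmation_Sheet.pif"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

if __name__ == "__main__":
    print(analyze_message(SAMPLE_RAW))
```

The href/visible-text comparison is the durable part of this check: subjects and attachment names change between variants, but a phishing link whose shown URL and real target disagree is suspicious regardless of the campaign.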

The worm will not send itself to addresses whose domain contains any of the following strings (a substring match, so "secur" also covers "security" and "www" covers web-server hostnames):

  • mcafee
  • symantec
  • sophos
  • bitdefender
  • avg
  • kaspersky
  • avast
  • nod32
  • vba32
  • antivir
  • avira
  • clamav
  • drweb
  • f-prot
  • etrust
  • fortinet
  • ikarus
  • norman
  • panda
  • thehacker
  • ewido
  • spm
  • fcnz
  • www
  • secur
  • abuse

The worm harvests email addresses from the user profile directory. In addition, it harvests addresses from files with the following extensions:

  • txt
  • htm
  • sht
  • jsp
  • cgi
  • xml
  • php
  • asp
  • dbx
  • tbb
  • adb
  • wab

This variant locates mail servers through DNS: it prepends each of the following prefixes to the domains of harvested addresses and resolves the resulting host names, falling back to these guesses where MX lookups do not suffice.

  • mx.
  • mail.
  • smtp.
  • mx1.
  • mxs.
  • mail1.
  • relay.
  • ns.
  • gate.
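Because the worm prepends the same fixed prefixes to every harvested domain, an infected client produces a distinctive pattern in resolver logs: mail-server host-name and MX queries spread across many unrelated domains from one source address, which is also the "increased DNS traffic" symptom noted below. The following is an added example (not McAfee's code) that applies that detection logic to query logs. The log format (timestamp, client IP, query type, name), the sample lines, the 10.0.0.x addresses and the threshold of five domains are constructed for the example; adapt the regular expression to your resolver's format.

```python
"""Flag clients whose DNS queries look like Mytob-style mail-server discovery
(added example, not McAfee's code)."""
import re
from collections import defaultdict

# Host-name prefixes listed in the description. MX-type queries are treated
# the same way, since the worm also queries MX records for harvested domains.
MAILSERVER_PREFIXES = ("mx.", "mail.", "smtp.", "mx1.", "mxs.", "mail1.", "relay.", "ns.", "gate.")

# Constructed log format for this example: <timestamp> <client-ip> <qtype> <qname>
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(A|AAAA|MX)\s+(\S+)$")


def base_domain(qname):
    """Crude registrable-domain guess: the last two labels.
    An assumption for the example; use a public-suffix list in production."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def is_mailserver_guess(qtype, qname):
    """True if the query is an MX lookup or a host name built from one of the prefixes."""
    if qtype == "MX":
        return True
    return qname.lower().startswith(MAILSERVER_PREFIXES)


def find_mailers(log_lines, min_domains=5):
    """Return {client_ip: sorted base domains} for clients whose mail-server
    guesses span at least `min_domains` distinct base domains."""
    per_client = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        _ts, client, qtype, qname = m.groups()
        if is_mailserver_guess(qtype, qname):
            per_client[client].add(base_domain(qname))
    return {c: sorted(d) for c, d in per_client.items() if len(d) >= min_domains}


# Constructed sample: 10.0.0.7 behaves normally, 10.0.0.23 probes mail servers
# for six unrelated domains in a few seconds.
SAMPLE_LOG = """\
2006-10-24T10:00:01 10.0.0.7 A www.example.com
2006-10-24T10:00:02 10.0.0.7 MX example.com
2006-10-24T10:00:02 10.0.0.23 MX alpha.example
2006-10-24T10:00:02 10.0.0.23 A mx.alpha.example
2006-10-24T10:00:03 10.0.0.23 A mail.beta.example
2006-10-24T10:00:03 10.0.0.23 A smtp.beta.example
2006-10-24T10:00:04 10.0.0.23 A mx1.gamma.example
2006-10-24T10:00:04 10.0.0.23 A relay.delta.example
2006-10-24T10:00:05 10.0.0.23 A gate.epsilon.example
2006-10-24T10:00:05 10.0.0.23 A ns.zeta.example
2006-10-24T10:00:06 10.0.0.7 A mail.example.com
"""

if __name__ == "__main__":
    print(find_mailers(SAMPLE_LOG.splitlines()))
```

Legitimate mail relays and recursive resolvers also query MX records for many domains, so exclude their addresses before alerting; the signal here is an ordinary workstation doing it.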

The Sdbot functionality in the worm is designed to contact the following IRC server, join a specified channel, and wait for further instructions:

  • r00ts-y0u.net

Symptoms

Symptoms of this variant are generally like those of other Mytob variants. The presence of the following files or registry values may indicate infection, as may increased processor utilization or unusual DNS, IRC, or SMTP traffic from the host.

File Changes

  • %SYSTEMDIR%\wmserv.exe ( 88064 bytes )

Registry Changes

The following registry keys are created:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\"windows email server" = "wmserv.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"windows email server" = "wmserv.exe"
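The persistence values above and the DisableTaskMgr policy value can be checked offline from registry exports taken on a suspect host. The following is an added example (not McAfee's code) that parses `reg export` output and reports the markers from this description. The sample export is constructed: the benign "Example Updater" value is filler, and DisableTaskMgr is placed under HKEY_CURRENT_USER as an assumption, since the description gives only the relative key path; the check therefore matches the relative path under any hive.

```python
"""Triage .reg exports for the Mytob.ij persistence and DisableTaskMgr markers
(added example, not McAfee's code)."""

# Relative key paths from the description, compared case-insensitively.
AUTORUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runservices",
)
POLICY_KEY = r"software\microsoft\windows\currentversion\policies\system"
SUSPECT_IMAGE = "wmserv.exe"  # dropped file name from the description


def parse_reg_export(text):
    """Parse the .reg text format into {key_path: {value_name: data}}.
    Handles "string" and dword: data; other types are kept as raw text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line and line.startswith(('"', "@")):
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
            elif data.startswith("dword:"):
                data = int(data[6:], 16)
            keys[current][name] = data
    return keys


def triage(text):
    """Return human-readable findings for autorun values that launch
    wmserv.exe and for DisableTaskMgr set to 1, in any hive."""
    findings = []
    for path, values in parse_reg_export(text).items():
        _hive, _, rel = path.partition("\\")
        rel_l = rel.lower()
        if rel_l in AUTORUN_KEYS:
            for name, data in values.items():
                if isinstance(data, str) and SUSPECT_IMAGE in data.lower():
                    findings.append(f"{path}\\{name} -> {data}")
        elif rel_l == POLICY_KEY:
            for name, data in values.items():
                if name.lower() == "disabletaskmgr" and data == 1:
                    findings.append(f"{path}\\{name} = {data}")
    return findings


# Constructed sample export (reg export HKLM\...\Run run.reg, etc., concatenated).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Example Updater"="C:\\Program Files\\Example\\updater.exe"
"windows email server"="wmserv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"windows email server"="wmserv.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG):
        print(finding)
```

Matching on the image name alone is deliberately loose; a bare "wmserv.exe" with no path in a Run value is itself a hint, since the worm relies on the file being found in %SYSTEMDIR%.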

Method of Infection

This variant of MyTob spreads via email (as described in characteristics).

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Overview

This detection is for a mass-mailing worm that combines W32/Mydoom@MM functionality with W32/Sdbot.worm functionality. Its behavior is largely similar to other W32/Mytob variants.

Variants

    N/A