W32/Kidala.A!worm.im

Alias/es: Net-Worm.Win32.Mytob.ef [KAV], New Malware.p [McAfee], W32.Olmi.A@mm [SAV], W32/Kidala.a@MM [McAfee], W32/MyTob.EF!worm.im, W32/MyTob.VI@mm, WORM_MYTOB.PL [TM]
Release Date: Apr 18, 2006
Detection Availability
                 Active Database    Extended Database
FortiGate        low                high
FortiClient
FortiMail        N/A
Current Antivirus Definition Database Version: 12.338
Description

Visible Symptoms

  • Possible termination of security applications and services

  • Inability to launch certain debugging programs and utility software

  • Inability to update AV software after becoming infected, or use online scanning resources to check for virus activity

Detailed Analysis

This virus contains code to do these tasks:

Email Spreading Routine
The virus will compose emails to addresses found on the infected system. The email message will contain an infectious file attachment.

Exploit Vector Attack
This virus contains numerous attack vectors that it can use to infect a system by exploiting it with buffer overflow techniques. All of the vulnerabilities targeted by the virus are patched by updates from Microsoft.

This is a list of most of the exploits used by the virus -

Services probably running that are exploited:

DCOM135
DCOM445
DCOM1025
WebDav
WksSvc
WksSvc2
WINS
NetDDE
Svchost
THCSQL
PnP
PnP2
uPnP
Dameware
IIS5SSL
LSASS
MSSQL
Windows Messenger

Viruses or Trojans that have open port backdoor access:

Beagle/Bagle
Kuang2
MyDoom
NetDevil901
NetDevil903
Optix
Sub7

Security App and Service Termination
The virus will try to turn off services, or close applications that may be running at the time of infection. The virus uses a list that includes these -

AVPCC.EXE
AVKSERV.EXE
ECENGINE.EXE
FP-WIN.EXE
VETTRAY.EXE
ACKWIN32.EXE
AVNT.EXE
ESAFE.EXE
FPROT.EXE
F-PROT95.EXE
IOMON98.EXE
AVWIN95.EXE
AVE32.EXE
ANTI-TROJAN.EXE
_AVPCC.EXE
APVXDWIN.EXE
CLAW95CF.EXE
_FINDVIRU.EXE
FINDVIRU.EXE
NAVNT.EXE
VET95.EXE
SCAN32.EXE
RAV7.EXE
NAVAPW32.EXE
VSMAIN.EXE
GUARDDOG.EXE
RULAUNCH.EXE
ALOGSERV.EXE
OGRC.EXE
NAVAPSVC.EXE
NSPLUGIN.EXE
NOD32.EXE
_AVPM.EXE
AMON.EXE
NAVWNT.EXE
NAVW32.EXE
SPIDER.EXE
AVPM.EXE
ATGUARD.EXE
KAVPF.EXE
BLACKICE.EXE
LOOKOUT.EXE
CMGRDIAN.EXE
IAMAPP.EXE
OUTPOST.EXE
OUTPOSTINSTALL.EXE
ZONEALARM.EXE
ZONALM2601.EXE
ZATUTOR.EXE
ZAPSETUP3001.EXE
ZAPRO.EXE
OUTPOSTPROINSTALL.EXE
ZONALARM.EXE

IRC Spreading Method
The virus will try to connect to the IRC servers 'irc.dal.net' and 'xd34thx.guccino.us' and send a copy of itself as 'film.scr' to IRC users that connect to the channel. While connected, the virus may respond to command instructions sent to it by a malicious user. Instructions could include any of these -

.STOPUDP
.QUIT
.PART
.DJOIN
.JOIN
.UPDATE
.DLOAD
.FLOOD
.LOAD
.PACKET

AIM Chat Spreading
The virus will try to send a copy of itself to contacts found within the AOL Instant Messenger (AIM) client. The chat message sent to contacts may contain any of these lines of text -

look at this video
hehe, watch this
your going to like this :D
lol, don't forget to watch this video
LOL, this shit is funny

The virus will send a copy of itself as any of these file names -

crazy5.scr
exposed.scr
funny2.scr
funny1.scr
haha.scr
picture1.scr
mjackson.scr
lucky.scr
crazyjump.scr
funny3.scr

P2P Spreading Vector
The virus will copy itself to the sharing folders for five P2P file sharing clients. The files copied will have an executable extension such as .scr or .exe.

WarezP2P
nice_big_asshole_fuck_Jennifer_Lopez.scr
Madonna_the_most_sexiest_girl_in_the_world.com
Britney_Spears_sucks_someones_dick.scr
Mariah_Carey_showering_in_bathroom.com

LimeWire
Alcohol_120%%_patch
Outlook_hotmail+_fix
LimeWire_speed++
DarkAngel_Lady_get_fucked_so_hardly

eDonkey2000
Angilina_Jolie_Sucks_a_Dick
JenniferLopez_Film_Sexy_Enough
BritneySpears_SoSexy
DAP7.4.x.x_crack
NortonAV2006_Crack

iMesh
YahooMessenger_Loader
MSN7.0UniversalPatch
MSN7.0Loader
KAV2006_Crack
ZoneAlarmPro6.xx_Crack

Morpheus
TaskCatcher
Opera8
notepad++
lcc-win32_update
RealPlayerv10.xx_crack

Kazaa
nuke2006
office_crack
rootkitXP
dcom_patch
strip-girl-3.0
activation_crack
icq2006-final
winamp6


Miscellaneous
The virus sends itself as an attachment in an email message, with a size of 130 KB. The virus body itself is smaller, only 48640 bytes, but the virus appends garbage data to the file to inflate its size and to evade detections based on a fixed file size or a full-file MD5 checksum. The virus also hampers efforts to identify infected users by spoofing the "From" field of the email messages it sends. This behaviour is constant across the MyTob virus family.
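The padding trick described above is why a signature keyed on full-file size or full-file MD5 misses this family. The following is an added example, not code from the Fortinet page or the worm: it builds two constructed stand-ins for the attachment (the same hypothetical 48640-byte body with different appended garbage) and shows that their full-file MD5 values differ while a hash over the fixed-length body alone stays identical, which is the property a detection should key on.

```python
import hashlib
import os

# Body size stated in the advisory; the padded attachment is about 130 KB.
BODY_LEN = 48640
PADDED_SIZE = 130 * 1024

# Constructed stand-in for the worm body: a PE-like "MZ" prefix and zero fill.
CONSTRUCTED_BODY = b"MZ" + bytes(BODY_LEN - 2)


def full_md5(data: bytes) -> str:
    """MD5 over the whole file: the naive fixed-size/MD5 signature."""
    return hashlib.md5(data).hexdigest()


def body_sha256(data: bytes, body_len: int = BODY_LEN) -> str:
    """Hash over the first body_len bytes only, so appended garbage is ignored."""
    return hashlib.sha256(data[:body_len]).hexdigest()


def padded_samples(body: bytes, count: int = 2, target_size: int = PADDED_SIZE) -> list:
    """Constructed samples: same body, random trailing garbage up to target_size."""
    return [body + os.urandom(target_size - len(body)) for _ in range(count)]


def distinct_hash_counts(samples: list) -> tuple:
    """Return (distinct full-file MD5s, distinct body hashes) across samples."""
    full = {full_md5(s) for s in samples}
    body = {body_sha256(s) for s in samples}
    return len(full), len(body)


if __name__ == "__main__":
    samples = padded_samples(CONSTRUCTED_BODY)
    print("full-file MD5 values:", [full_md5(s) for s in samples])
    print("body-only hashes:    ", [body_sha256(s) for s in samples])
    print("distinct (full, body):", distinct_hash_counts(samples))
```

The same idea applies to any family that inflates its dropper with trailing data: hash the portion you actually expect to be stable, not the whole file.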

Description Last Updated Date: Apr 25, 2006
Reference: ID - 314396