W32/MyTob.FJ!worm.im - Released Mar 28, 2007 - Last Updated Apr 27, 2007
Aliases: Net-Worm.Win32.Mytob.fj, WORM_MYTOB.ACE, W32/Mytob-KD, W32/Mytob.QT.worm
Visible Symptoms
The file "ctech.exe" exists in the %SYSTEM% folder.
Possible firewall alert that an executable is attempting to connect to the internet.
Possible termination of the firewall or other security applications, including antivirus monitors.
Compromised systems may be slow to respond due to heavy outbound traffic on TCP port 25 (SMTP email).
Inability to connect with certain security websites after becoming infected.
Detailed Analysis
AutoStart Mechanism
Creates a copy of itself to the %SYSTEM% folder as "ctech.exe".
Adds the following registry entries:
"WINDOWS SYSTEM" = "ctech.exe"
to the following registry subkeys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Email Propagation
The virus harvests email addresses from the Windows Address Book and from files with one of these extensions:
- txt
- htm
- sht*
- jsp*
- cgi*
- xml*
- php*
- asp*
- dbx*
- tbb*
- adb*
- html
- wab
and uses its own SMTP engine to send itself to those addresses.
Avoids sending a copy of itself to email addresses that contain any of the following strings:
- abuse
- accoun
- admin
- anyone
- bsd
- bugs
- certific
- contact
- spam
- feste
- gold-certs
- google
- help
- icrosoft
- info
- linux
- listserv
- nobody
- noone
- not
- nothing
...
Avoids sending a copy of itself to email addresses that contain any of the following strings in the domain name:
- .gov
- .mil
- avp
- berkeley
- borlan
- bsd
- example
- fido
- foo.
- fsf.
- gnu
- google
- gov.
- sopho
- syma
- tanford.e
- unix
- usenet
...
Appends the following prefixes to domain names to search for an available SMTP server:
- mx.
- mail.
- smtp.
- mx1.
- mxs.
- mail1.
- relay.
- ns.
- gate.
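The prefix list above gives defenders a network-side signal: a workstation that resolves mx., mail., smtp. and similar names for many different domains in a short time is behaving like a worm hunting for mail servers, not like a mail client. The following is an added example (not part of the Fortinet write-up) that runs that heuristic over DNS query log lines. The log line format, the client addresses and the domain names are constructed for the example; adapt the regular expression to the resolver you actually log from.

```python
import re
from collections import defaultdict

# Prefixes the write-up says the worm prepends to harvested domains.
SMTP_PREFIXES = ("mx.", "mail.", "smtp.", "mx1.", "mxs.", "mail1.", "relay.", "ns.", "gate.")

# Constructed log format for this example: "<timestamp> client=<ip> query=<qname>"
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")


def split_smtp_prefix(qname: str):
    """Return (prefix, base_domain) if qname starts with one of the worm's prefixes, else None."""
    q = qname.lower().rstrip(".")
    for prefix in SMTP_PREFIXES:
        if q.startswith(prefix) and len(q) > len(prefix):
            return prefix, q[len(prefix):]
    return None


def mail_server_probes(log_lines):
    """Map each client to the set of distinct base domains it probed through SMTP-style prefixes."""
    probes = defaultdict(set)
    for line in log_lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        hit = split_smtp_prefix(match["qname"])
        if hit:
            probes[match["client"]].add(hit[1])
    return probes


def suspicious_clients(log_lines, min_domains: int = 3):
    """Clients that probed at least min_domains distinct domains for a mail server."""
    return sorted(client for client, domains in mail_server_probes(log_lines).items()
                  if len(domains) >= min_domains)


# Constructed sample: 10.0.0.5 behaves like the worm, 10.0.0.25 is a mail relay,
# 10.0.0.7 is an ordinary browsing client.
SAMPLE_LOG = [
    "2007-03-28T10:00:01 client=10.0.0.5 query=mx.example.net",
    "2007-03-28T10:00:01 client=10.0.0.5 query=mail.example.net",
    "2007-03-28T10:00:02 client=10.0.0.5 query=smtp.example.org",
    "2007-03-28T10:00:02 client=10.0.0.5 query=mx.example.com",
    "2007-03-28T10:00:03 client=10.0.0.5 query=mail1.corp.example",
    "2007-03-28T10:00:03 client=10.0.0.25 query=mail.example.net",
    "2007-03-28T10:00:04 client=10.0.0.7 query=www.example.com",
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for client, domains in mail_server_probes(SAMPLE_LOG).items():
        print(client, sorted(domains))
    print("suspicious:", suspicious_clients(SAMPLE_LOG))
```

The threshold is deliberately low for the sample; in practice, exclude known mail relays and pair the DNS signal with the outbound TCP port 25 volume mentioned under Visible Symptoms.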
The email has the following characteristics:
Subject: any of the following:
- Your Account is Suspended
- *DETECTED* Online User Violation
- Your Account is Suspended For Security Reasons
- Warning Message: Your services near to be closed.
- Important Notification
- Members Support
- Security measures
- Email Account Suspension
- Notice of account limitation
- Your password has been updated
- Your password has been successfully updated
- You have successfully updated your password
- Your new account password is approved
Attachment: [Filename].[Extension]
[Filename] can be any one of the following:
- updated-password
- account-info
- email-password
- new-password
- password
- approved-password
- account-password
- accepted-password
- important-details
- email-details
- account-info
- document
- readme
- account-report
[Extension] can be any one of the following:
The attachment may also be a .zip file containing a copy of the worm with double extensions. The copy of the worm will have doc, htm or txt as the first extension, and exe, pif or scr as the second extension.
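The subject lines, attachment base names and the doc/htm/txt plus exe/pif/scr double-extension pattern listed above are enough to build a simple mail-gateway check. The following is an added example, not code from Fortinet: it scores a message by those three indicators. The sample subject and attachment names are constructed; for .zip attachments the caller is expected to pass the names of the files inside the archive alongside the archive name.

```python
import re

# Subject lines and attachment base names listed in the write-up above.
MYTOB_SUBJECTS = {s.lower() for s in (
    "Your Account is Suspended",
    "*DETECTED* Online User Violation",
    "Your Account is Suspended For Security Reasons",
    "Warning Message: Your services near to be closed.",
    "Important Notification",
    "Members Support",
    "Security measures",
    "Email Account Suspension",
    "Notice of account limitation",
    "Your password has been updated",
    "Your password has been successfully updated",
    "You have successfully updated your password",
    "Your new account password is approved",
)}
MYTOB_FILENAMES = {
    "updated-password", "account-info", "email-password", "new-password",
    "password", "approved-password", "account-password", "accepted-password",
    "important-details", "email-details", "document", "readme", "account-report",
}
# Double-extension pattern the write-up describes for the zipped copy of the worm.
FIRST_EXTS = {"doc", "htm", "txt"}
SECOND_EXTS = {"exe", "pif", "scr"}


def has_double_extension(name: str) -> bool:
    """True for names like 'readme.txt.scr': a document extension followed by an executable one."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-2] in FIRST_EXTS and parts[-1] in SECOND_EXTS


def attachment_findings(name: str) -> list[str]:
    """Indicators for one attachment name (or one member name inside a .zip)."""
    findings = []
    base = name.lower().split(".", 1)[0]
    if base in MYTOB_FILENAMES:
        findings.append(f"attachment base name '{base}' matches the MyTob list")
    if has_double_extension(name):
        findings.append(f"attachment '{name}' uses a doc/htm/txt + exe/pif/scr double extension")
    return findings


def score_message(subject: str, attachment_names: list[str]) -> list[str]:
    """Return the list of MyTob indicators found; an empty list means nothing matched."""
    findings = []
    normalized = re.sub(r"\s+", " ", subject).strip().lower()
    if normalized in MYTOB_SUBJECTS:
        findings.append(f"subject '{subject.strip()}' matches the MyTob list")
    for name in attachment_names:
        findings.extend(attachment_findings(name))
    return findings


if __name__ == "__main__":
    # Constructed sample: a worm-style message (zip plus its inner member name) and a benign one.
    print(score_message("Your password has been updated",
                        ["updated-password.zip", "updated-password.doc.exe"]))
    print(score_message("Lunch on Friday?", ["agenda.pdf"]))
```

A subject match alone is weak evidence (the phrases are ordinary account-notification wording); the double extension or a listed base name on an executable attachment is what should drive quarantine.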
Backdoor/Trojan Behavior
Modifies the following registry entries:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
"Start" = "dword:4" (The default value is 3. SharedAccess is the Windows Firewall/Internet Connection Sharing service; a Start value of 4 disables it, which matches the firewall-related symptoms listed above.)
Prevents the infected system from connecting to update servers and various other security related web pages by adding the following to the local HOSTS file:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com
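The three host artifacts described in this section (the Run/RunServices value pointing at ctech.exe, the SharedAccess service set to disabled, and the security and shopping domains redirected to loopback in the HOSTS file) can be checked from a collected HOSTS file and a registry snapshot. The following is an added example, not Fortinet's own tooling: it generalizes the HOSTS check to any non-local name mapped to 127.0.0.1 or ::1 and additionally tags names that fall under the vendor domains listed above. The HOSTS text and the registry snapshot shape ({key_path: {value_name: data}}) are constructed for the example; a real collector would read %SystemRoot%\System32\drivers\etc\hosts and the keys via winreg.

```python
# Registrable domains that the write-up's HOSTS additions point at loopback.
BLOCKED_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com", "viruslist.com",
    "f-secure.com", "kaspersky.com", "kaspersky-labs.com", "avp.com", "networkassociates.com",
    "ca.com", "my-etrust.com", "nai.com", "trendmicro.com", "pandasoftware.com", "grisoft.com",
    "microsoft.com", "virustotal.com", "amazon.com", "amazon.co.uk", "amazon.ca", "amazon.fr",
    "paypal.com", "moneybookers.com", "ebay.com",
)
LOOPBACK = {"127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

RUN_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
SHAREDACCESS_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess"


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs from HOSTS file text, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def is_blocked_vendor(host: str) -> bool:
    """True if host is one of the listed domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def hijacked_hosts(text: str):
    """Names mapped to loopback that are not legitimate local aliases, with a 'known vendor' flag."""
    return [(host, is_blocked_vendor(host))
            for ip, host in parse_hosts(text)
            if ip in LOOPBACK and host not in LOCAL_NAMES]


def autostart_hits(registry: dict):
    """Run/RunServices values whose data ends in ctech.exe, as (key, value name, data)."""
    hits = []
    for key in RUN_KEYS:
        for name, data in registry.get(key, {}).items():
            if isinstance(data, str) and data.lower().endswith("ctech.exe"):
                hits.append((key, name, data))
    return hits


def firewall_service_disabled(registry: dict) -> bool:
    """True when SharedAccess Start is 4 (SERVICE_DISABLED); the default the write-up gives is 3."""
    return registry.get(SHAREDACCESS_KEY, {}).get("Start") == 4


def triage(hosts_text: str, registry: dict) -> dict:
    return {
        "hosts": hijacked_hosts(hosts_text),
        "autostart": autostart_hits(registry),
        "firewall_disabled": firewall_service_disabled(registry),
    }


# Constructed sample artifacts resembling an infected host.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
# lines below are constructed to look like the worm's additions
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 intranet.example.test
192.168.10.20 fileserver.example.test
"""
SAMPLE_REGISTRY = {
    RUN_KEYS[0]: {"WINDOWS SYSTEM": "ctech.exe", "Updater": r"C:\Program Files\Vendor\updater.exe"},
    RUN_KEYS[1]: {},
    SHAREDACCESS_KEY: {"Start": 4},
}

if __name__ == "__main__":
    print(triage(SAMPLE_HOSTS, SAMPLE_REGISTRY))
```

Any loopback mapping of a non-local name deserves a look even when it is not on the vendor list; the list only tells you which entries match this particular family.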
Attempts to terminate the following processes, some of which may be security-related:
- ACKWIN32.EXE
- ADAWARE.EXE
- ADVXDWIN.EXE
- AGENTSVR.EXE
- AGENTW.EXE
- ALERTSVC.EXE
- ALEVIR.EXE
- ALOGSERV.EXE
- AMON9X.EXE
- ANTI-TROJAN.EXE
- ANTIVIRUS.EXE
- ANTS.EXE
- APIMONITOR.EXE
- APLICA32.EXE
- APVXDWIN.EXE
- ARR.EXE
- ATCON.EXE
- ATGUARD.EXE
- ATRO55EN.EXE
- ATUPDATER.EXE
- ATWATCH.EXE
- AU.EXE
- AUPDATE.EXE
- AUTODOWN.EXE
- AUTO-PROTECT.NAV80TRY.EXE
- AUTOTRACE.EXE
- AUTOUPDATE.EXE
- AVCONSOL.EXE
- AVE32.EXE
- AVGCC32.EXE
- AVGCTRL.EXE
- AVGNT.EXE
- AVGSERV.EXE
- AVGSERV9.EXE
- AVGUARD.EXE
- AVGW.EXE
- AVKPOP.EXE
- AVKSERV.EXE
- AVKSERVICE.EXE
- AVKWCTl9.EXE
- AVLTMAIN.EXE
- AVNT.EXE
- AVP.EXE
- AVP32.EXE
- AVPCC.EXE
- AVPDOS32.EXE
- AVPM.EXE
- AVPTC32.EXE
- AVPUPD.EXE
- AVSCHED32.EXE
- AVSYNMGR.EXE
- AVWINNT.EXE
- AVWUPD.EXE
- AVWUPD32.EXE
- AVWUPSRV.EXE
- AVXMONITOR9X.EXE
- AVXMONITORNT.EXE
- AVXQUAR.EXE
- BACKWEB.EXE
- BARGAINS.EXE
- BD_PROFESSIONAL.EXE
- BEAGLE.EXE
- BELT.EXE
- BIDEF.EXE
- BIDSERVER.EXE
- BIPCP.EXE
- BIPCPEVALSETUP.EXE
- BISP.EXE
- BLACKD.EXE
- BLACKICE.EXE
- BLSS.EXE
- BOOTCONF.EXE
- BOOTWARN.EXE
- BORG2.EXE
- BPC.EXE
- BRASIL.EXE
- BS120.EXE
- BUNDLE.EXE
- BVT.EXE
- CCAPP.EXE
- CCEVTMGR.EXE
- CCPXYSVC.EXE
- CDP.EXE
- CFD.EXE
- CFGWIZ.EXE
- CFIADMIN.EXE
- CFIAUDIT.EXE
- CFINET.EXE
- CFINET32.EXE
- CLAW95CF.EXE
- CLEAN.EXE
- CLEANER.EXE
- CLEANER3.EXE
- CLEANPC.EXE
- CLICK.EXE
- CMD.EXE
- CMD32.EXE
- CMESYS.EXE
- CMGRDIAN.EXE
- CMON016.EXE
- CONNECTIONMONITOR.EXE
- CPD.EXE
- CPF9X206.EXE
- CPFNT206.EXE
- CTRL.EXE
- CV.EXE
- CWNB181.EXE
- CWNTDWMO.EXE
- DATEMANAGER.EXE
- DCOMX.EXE
- DEFALERT.EXE
- DEFSCANGUI.EXE
- DEFWATCH.EXE
- DEPUTY.EXE
- DIVX.EXE
...
Connects to an IRC server to await instructions and commands from a malicious user. These commands can cause the infected machine to perform any of the following actions:
- Download and execute files
- Send confidential information, such as user names and passwords, to the remote attacker
- List and terminate services and processes
- Remove, update, or terminate this worm
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.