Visible Symptoms
- Security, antivirus and debugging software programs and services suddenly terminate after opening an email attachment
- Creation of the file "picx.exe" in the System32 folder
- Unable to connect to various security websites after becoming infected
- High CPU usage caused by the virus's routines on an infected system
Detailed Analysis
This variant of MyTob is very similar to existing variants in that it is coded using Visual C and contains instructions to spread to other systems using SMTP email.
The virus also has the following characteristics -
- blocks certain AV and security websites by altering the local "HOSTS" file
- may terminate firewall, security or debugging applications, programs and processes
Loading at Windows startup
If the threat is run manually, it will copy itself to the local system in several places -
C:\WINNT\system32\picx.exe
The virus will register itself to load at Windows startup -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"PIC SYSTEM" = picx.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"PIC SYSTEM" = picx.exe
The virus carries a list of applications, programs and services that it will attempt to close or terminate.
SMTP mass-mailing routine
The virus has instructions to send a copy of itself to contacts found in files of certain extensions. This virus appears to have borrowed the same harvest and exclusion routines found in the W32/Mydoom virus family. The captured addresses are used as targets for the mailing routine. As with other viruses using this technique, the virus will avoid selecting email addresses containing certain strings. The email message is crafted using hard-coded values stored in the encrypted virus body. The "From" address is spoofed and may use one of three names, which are then combined with the target email address domain, such as -
register@recipientdomain.com
mail@recipientdomain.com
administrator@recipientdomain.com
webmaster@recipientdomain.com
This is done to add credibility to the email message, increasing the chance that the recipient will open the attachment. The email attachment will have a .ZIP file extension.
HOSTS modification routine
This variant alters the local "HOSTS" file in an effort to block access to antivirus and security related web addresses. The virus overwrites the "HOSTS" file with misconfigured information so that attempts to reach certain addresses resolve to the IP 127.0.0.1, also known as "localhost". The changes to the file are similar to the example below -
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
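The HOSTS tampering described above is straightforward to check for on a suspect host. The following script is an added example, not part of the original advisory: it parses HOSTS-file text and flags any security-vendor hostname (the vendor domains are taken from the example list above) that has been pinned to a loopback or 0.0.0.0 address. The SAMPLE_HOSTS content is constructed; on a real system you would read the actual HOSTS file instead.

```python
import ipaddress

# Vendor domains taken from the advisory's HOSTS example (matched by suffix).
SECURITY_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "kaspersky-labs.com",
    "avp.com", "networkassociates.com", "ca.com", "my-etrust.com",
    "nai.com", "trendmicro.com", "pandasoftware.com",
)

def is_security_host(hostname: str) -> bool:
    """True if hostname is, or is a subdomain of, a listed vendor domain."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)

def parse_hosts(text: str):
    """Yield (line_no, ip, hostname) for every mapping; skip comments and blank lines."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # malformed line, not a mapping
        for name in parts[1:]:
            yield n, ip, name

def find_hijacked(text: str):
    """Return [(line_no, hostname)] for vendor hosts forced to loopback or 0.0.0.0."""
    return [(n, name) for n, ip, name in parse_hosts(text)
            if (ip.is_loopback or ip.is_unspecified) and is_security_host(name)]

# Constructed sample: the normal localhost line plus two MyTob-style entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.symantec.com
0.0.0.0 liveupdate.symantec.com   # 0.0.0.0 also blocks resolution
192.168.1.10 fileserver.corp.example
"""

if __name__ == "__main__":
    for n, name in find_hijacked(SAMPLE_HOSTS):
        print(f"line {n}: {name} -> loopback; possible HOSTS tampering")
```

The legitimate "127.0.0.1 localhost" line is not reported, because the check only fires when the hostname belongs to one of the listed vendor domains.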