W32/MyTob.ND@mm

Alias/es: Net-Worm.Win32.Mytob.bi [KAV], W32.Mytob.LE@mm [NAV], W32/Mytob-BY [Sophos], W32/Mytob.gp@MM [McAfee], W32/MyTob.ND@mm, W32/Mytob.ND@mm [F-Prot], WORM_MYTOB.LW [Trend]
Release Date: May 12, 2006

Detection Availability
                Active Database    Extended Database
FortiGate       low                high
FortiClient
FortiMail       N/A
Current Antivirus Definition Database Version: 12.323
Description

Visible Symptoms

  • Security, Antivirus and debugging software programs and services suddenly terminate after opening an email attachment

  • Creation of the file "msvgr.exe" in the System32 folder

  • Unable to connect with various security websites after becoming infected

  • High CPU utilization caused by the virus's routines on an infected system

Detailed Analysis

This variant of MyTob is very similar to existing variants in that it is coded using Visual C, and contains instructions to spread to other systems using SMTP email.

The virus also has the following characteristics -

  • may connect to the IRC server named "z101.sytes.net" and await commands from a malicious user

  • blocks certain AV and security websites by altering the local "HOSTS" file

  • may terminate firewall, security or debugging applications, programs and processes

Loading at Windows startup
If the threat is run manually, it will copy itself to the local system in several places -

C:\WINNT\system32\msvgr.exe

The virus is packed with a utility known as PESpin. The virus will register itself to load at Windows startup -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"MsWinVgr" = msvgr.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"MsWinVgr" = msvgr.exe

App Termination Routine
The virus carries a list of applications, programs and services that it will attempt to close or terminate, such as this short list of examples -

NEC.EXE
TASKMGR.EXE
CMD.EXE
_AVPM.EXE
_AVPCC.EXE
_AVP32.EXE
ZONEALARM.EXE
ZONALM2601.EXE
ZATUTOR.EXE
ZAPSETUP3001.EXE
ZAPRO.EXE
XPF202EN.EXE
WYVERNWORKSFIREWALL.EXE
WUPDT.EXE
WUPDATER.EXE
WSBGATE.EXE
WRCTRL.EXE
WRADMIN.EXE
WNT.EXE
WNAD.EXE
WKUFIND.EXE
WINUPDATE.EXE
WINTSK32.EXE
WINSTART001.EXE
WINSTART.EXE
WINSSK32.EXE
WINSERVN.EXE
WINRECON.EXE
WINPPR32.EXE
WINNET.EXE
WINMAIN.EXE
WINLOGIN.EXE
WININITX.EXE
WININIT.EXE
WININETD.EXE
WINDOWS.EXE
WINDOW.EXE
WINACTIVE.EXE
WIN32US.EXE
WIN32.EXE
WIN-BUGSFIX.EXE
WIMMUN32.EXE
WHOSWATCHINGME.EXE
WFINDV32.EXE
WEBTRAP.EXE
WEBSCANX.EXE
WEBDAV.EXE
WATCHDOG.EXE
W9X.EXE
W32DSM89.EXE
VSWINPERSE.EXE
VSWINNTSE.EXE
VSWIN9XE.EXE
VSSTAT.EXE
VSMON.EXE
VSMAIN.EXE
VSISETUP.EXE
VSHWIN32.EXE ...

The list used by the virus is quite extensive.

SMTP mass-mailing routine
The virus has instructions to send a copy of itself to contacts found in files of certain extensions. This virus appears to have borrowed the same harvest and exclusion routines as found in the W32/Mydoom virus family. Email addresses are sampled from files having these extensions -

  • txt
  • htm
  • shtl
  • jspl
  • cgil
  • xml
  • php
  • asp
  • dbx
  • tbb
  • adb
  • wab

The captured addresses are used as targets for the mailing routine. As with other viruses using this technique, the virus avoids selecting email addresses that contain certain strings. The email message is crafted from hard-coded values stored in the encrypted virus body. The "From" address is spoofed: one of three fixed names is combined with the domain of the target email address, for example -

register@recipientdomain.com
mail@recipientdomain.com
administrator@recipientdomain.com

This lends the message credibility and raises the chance that the recipient opens the attachment.

The virus carries hard-coded message bodies and sends email with varying body text. The body is selected from the following templates, where "%s" stands for the recipient's email domain -

Dear user %s,

You have successfully updated the password of your %s account.

If you did not authorize this change or if you need assistance with your account, please contact %s customer service at: %s

Thank you for using %s!
The %s Support Team

+++ Attachment: No Virus (Clean)
+++ %s Antivirus - www.%s


Dear user %s,

It has come to our attention that your %s User Profile ( x ) records are out of date. For further details see the attached document.

Thank you for using %s!
The %s Support Team

+++ Attachment: No Virus (Clean)
+++ %s Antivirus - www.%s


Dear %s Member,

We have temporarily suspended your email account %s.

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
See the details to reactivate your %s account.

Sincerely,The %s Support Team

+++ Attachment: No Virus (Clean)
+++ %s Antivirus - www.%s


Dear %s Member,

Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.

If you choose to ignore our request, you leave us no choice but to cancel your membership.

Virtually yours,
The %s Support Team

+++ Attachment: No Virus found
+++ %s Antivirus - www.%s

The email attachment will have a .ZIP file extension and have names similar to these -

updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
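
The lure traits described in this section (spoofed "From" on the recipient's own domain, a .ZIP attachment with one of the hard-coded names, the fake "No Virus" footer) can be checked at a mail gateway. The following is an added example, not code from the Fortinet description; the function signature, header handling and the sample message are assumptions, while the indicator values are taken from the write-up.

```python
# Added example, not from the Fortinet write-up: a gateway-style heuristic for
# the lure messages above. Indicators come from the write-up; the signature
# and the sample message are assumptions.
import re
from email.utils import parseaddr

SPOOFED_LOCALPARTS = {"register", "mail", "administrator"}
LURE_ATTACHMENT_NAMES = {
    "updated-password", "email-password", "new-password", "password",
    "approved-password", "account-password", "accepted-password",
    "important-details", "account-details", "email-details",
    "account-info", "document", "readme", "account-report",
}
# Matches both banner variants: "No Virus (Clean)" and "No Virus found".
FAKE_SCAN_BANNER = re.compile(r"^\+\+\+ Attachment: No Virus", re.MULTILINE)

def split_address(header_value):
    """'Alice <Alice@Example.com>' -> ('alice', 'example.com')."""
    _, bare = parseaddr(header_value)
    local, _, domain = bare.lower().rpartition("@")
    return local, domain

def mytob_indicators(sender, recipient, attachment, body):
    """Return the names of the MyTob.ND lure traits present in one message."""
    found = []
    s_local, s_domain = split_address(sender)
    _, r_domain = split_address(recipient)
    # Spoofed From: fixed local-part + the recipient's own domain.
    if s_local in SPOOFED_LOCALPARTS and s_domain and s_domain == r_domain:
        found.append("from_spoofs_recipient_domain")
    # .ZIP attachment carrying one of the hard-coded lure names.
    stem, _, ext = attachment.lower().rpartition(".")
    if ext == "zip" and stem in LURE_ATTACHMENT_NAMES:
        found.append("lure_zip_attachment")
    if FAKE_SCAN_BANNER.search(body):
        found.append("fake_av_scan_banner")
    return found

# Constructed sample: the first template above with %s filled in as example.com.
SAMPLE_BODY = """Dear user example.com,

You have successfully updated the password of your example.com account.

+++ Attachment: No Virus (Clean)
+++ example.com Antivirus - www.example.com
"""

if __name__ == "__main__":
    print(mytob_indicators("administrator@example.com", "alice@example.com", "account-details.zip", SAMPLE_BODY))
```

A message that trips two or more of these indicators is a strong quarantine candidate; a single one (a .ZIP named "document", say) is common in legitimate mail and should only add to a score.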

Backdoor functionality
The virus connects with the IRC server 'z101.sytes.net' in order to receive instructions from a malicious user. Instructions include some of the following -

mailstart
mailstop
raw
remove
botcash
download
sysinfo
reconnect
disconnect

HOSTS modification routine
This variant alters the local "HOSTS" file in an effort to block access to antivirus and security related web addresses. The virus overwrites the "HOSTS" file with bogus entries so that lookups of certain host names resolve to 127.0.0.1 ("localhost"), leaving update and support sites unreachable from the infected system. The virus affects connection attempts to the following domains -

www.symantec.com
securityresponse.symantec.com
symantec.com
www.sophos.com
sophos.com
www.mcafee.com
mcafee.com
liveupdate.symantecliveupdate.com
www.viruslist.com
viruslist.com
f-secure.com
www.f-secure.com
kaspersky.com
kaspersky-labs.com
www.avp.com
www.kaspersky.com
avp.com
www.networkassociates.com
networkassociates.com
www.ca.com
ca.com
mast.mcafee.com
my-etrust.com
www.my-etrust.com
download.mcafee.com
dispatch.mcafee.com
secure.nai.com
nai.com
www.nai.com
update.symantec.com
updates.symantec.com
us.mcafee.com
liveupdate.symantec.com
customer.symantec.com
rads.mcafee.com
trendmicro.com
pandasoftware.com
www.pandasoftware.com
www.trendmicro.com
www.grisoft.com
www.microsoft.com
microsoft.com
www.virustotal.com
virustotal.com
www.amazon.com
www.amazon.co.uk
www.amazon.ca
www.amazon.fr
www.paypal.com
paypal.com
moneybookers.com
www.moneybookers.com
www.ebay.com
ebay.com
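
Because the tampering leaves plain-text entries behind, a HOSTS file can be audited offline for names pinned to loopback. The following is an added example, not part of the Fortinet description: the sample file is constructed, and the domain set is a subset of the list above.

```python
# Added example (not from the Fortinet write-up): a read-only check for the
# HOSTS tampering described above. The sample file is constructed; the
# domains are a subset of those named in the write-up.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Names that legitimately map to loopback on a clean system.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}
# Subset of the domains this variant pins to 127.0.0.1, per the write-up.
WRITEUP_DOMAINS = {
    "www.symantec.com", "liveupdate.symantec.com", "www.sophos.com",
    "www.mcafee.com", "www.kaspersky.com", "www.f-secure.com",
    "www.trendmicro.com", "www.microsoft.com", "www.virustotal.com",
    "www.paypal.com", "www.ebay.com",
}

def parse_hosts(text):
    """Yield (ip, [hostnames]) per entry, skipping comments and blank lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield fields[0], [name.lower() for name in fields[1:]]

def find_sinkholed(text):
    """Return sorted (hostname, ip, on_writeup_list) for every non-local name
    pinned to a loopback or null address."""
    hits = set()
    for ip, names in parse_hosts(text):
        if ip not in LOOPBACK:
            continue
        for name in names:
            if name not in LEGIT_LOOPBACK:
                hits.add((name, ip, name in WRITEUP_DOMAINS))
    return sorted(hits)

# Constructed sample resembling a HOSTS file after the worm has rewritten it.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com
127.0.0.1       www.paypal.com
127.0.0.1       updates.example-av.test
192.168.0.10    intranet.corp.example
"""

if __name__ == "__main__":
    for name, ip, listed in find_sinkholed(SAMPLE_HOSTS):
        print(f"{name:28} -> {ip:10} {'KNOWN MYTOB TARGET' if listed else 'suspicious'}")
```

Any non-local name pinned to loopback is worth a look, since other variants carry different lists; the write-up's domains are only flagged more loudly.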

Miscellaneous
This virus has some text strings that are never displayed but yield some insight into the recent surge in MyTob variants -

H-E-L-L-B-O-T-P-O-L-Y-M-O-R-P-H
The source of this worm has been released to public. irc server: irc.powerirc.net #ccpower . thx to everyone.

This virus creates the Mutex "H-E-L-L-B-O-T-P-O-L-Y-M-O-R-P-H" when it is active.

Description Last Updated Date: Mar 13, 2007
Reference: ID - 99585