W32/MyTob.QB@mm - Released Dec 31, 2005 - Last Updated Mar 13, 2007

Alias/es

I-Worm/Mytob.AEW [AVG], W32/Mytob-GK [Sophos], W32/MyTob.NU!mm, W32/MyTob.QB@mm, W32/Mytob.QB@mm [F-Prot], Worm.Mytob.KN [ClamAV], WORM_MYTOB.NU [Trend]

Detection Availability

                 Active Database    Extended Database
FortiGate        low                high
FortiClient
FortiMail        N/A

Visible Symptoms

  • Possible firewall alert that an executable is attempting to connect to the Internet and to act as a server (listening socket)

  • Possible termination of the firewall or other security application, including Antivirus monitors

  • Compromised systems may be slow to respond due to heavy outbound traffic on TCP port 25 (SMTP email)

  • Creation of a viral file named "winsvc32.exe" in the System32 folder

Detailed Analysis

All MyTob viruses have these characteristics:

  • copy itself to the local system

  • search for email addresses in files

  • send itself by SMTP [self contained engine]

Some variants have these additional characteristics:

  • connect with an IRC server to receive instructions or await commands from a malicious user

  • prevent the infected system from reaching update servers and various other security-related web sites - this is done by modifying the local "hosts" file and adding entries that map the domain names of specific web sites to the local host (127.0.0.1), so name resolution never leaves the machine

  • try to connect to random IP addresses to infect systems using a combination of the RPC DCOM (MS03-026) and LSASS (MS04-011) exploits

The variants differ slightly in packed file size and in the actual file names created on the host; however, the functionality of the viruses remains the same.

Specific Properties

  • writes the file "winsvc32.exe" to the System32 folder and adds the following autostart registry entries (the RunServices key is honoured by Windows 9x/Me only; on NT-based systems the Run entry is the effective one)

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Windows Services32" = winsvc32.exe

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    "Windows Services32" = winsvc32.exe

  • blocks access to numerous security and online banking web sites by modifying the local "hosts" file

  • sends emails with an HTML-format body containing the following text, where %s is replaced by the domain portion of the recipient's email address so the message appears to come from the recipient's own provider

    Dear Customer,

    We received several abuse complaints concerning your online activity.
    As we do not support any illegal activities on our network, this cannot be tolerated.
    For more info about the illegal actions, check the attached document.
    Please verify if your info in the abuse report is correct, that we know if legal action has to be taken.

    Yours Sincerely, The %s Abuse Department


  • the email attachment is a copy of the virus

  • connects to an IRC server named 'o.isra3l.com' and joins the channel "31337" to await instructions and commands from a malicious user

  • terminates processes whose image names match a built-in list of common security and antivirus applications
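The two host-side indicators above that survive a reboot, the "Windows Services32" autostart value pointing at winsvc32.exe and the loopback redirects added to the hosts file (also described under "Some variants have these additional characteristics"), can be checked from text already exported from a suspect machine. The script below is an added triage example, not Fortinet's or the page's code: it flags and strips hosts-file entries that pin anything other than localhost to a loopback address, and parses a `reg export` of the Run/RunServices keys for the autostart value. The hosts file and registry export it reads are constructed samples embedded inline; the "SecurityHealth" value is a made-up benign entry included only to show it is not flagged. The "31337" mutex cannot be checked this way; it requires a live handle enumeration on the infected host.

```python
"""Offline triage for the W32/MyTob.QB@mm persistence indicators.

Added example. Works on a copy of %SystemRoot%\\System32\\drivers\\etc\\hosts
and on a text export of the Run keys, so it runs anywhere Python runs.
"""
import re

# Constructed sample hosts file: two legitimate lines followed by the kind of
# loopback redirects MyTob variants add for security vendor domains.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver.corp.local
127.0.0.1       www.symantec.com
127.0.0.1       update.symantec.com
0.0.0.0         www.mcafee.com
127.0.0.1       securityresponse.symantec.com
"""

# Constructed sample of:
#   reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg
# The "SecurityHealth" value is a made-up benign entry (hypothetical).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Windows Services32"="winsvc32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Services32"="winsvc32.exe"
"""

# Addresses that make a hosts entry a "black hole" for the listed names.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Indicators taken from the analysis above.
AUTORUN_VALUE = "Windows Services32"
AUTORUN_FILE = "winsvc32.exe"


def suspicious_hosts_entries(text):
    """Return (line_no, line) for each entry mapping a non-local name to loopback."""
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if addr in LOOPBACK and any(nm.lower() not in LOCAL_NAMES for nm in names):
            hits.append((n, raw))
    return hits


def clean_hosts(text):
    """Return the hosts content with the suspicious entries removed."""
    bad = {n for n, _ in suspicious_hosts_entries(text)}
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"


def autorun_hits(reg_text):
    """Parse a .reg export; return (key, value_name, data) for MyTob autostart values."""
    hits = []
    key = None
    value_re = re.compile(r'^"([^"]+)"="(.*)"$')
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # current key header, e.g. [HKEY_LOCAL_MACHINE\...\Run]
            continue
        m = value_re.match(line)
        if m and key:
            name, data = m.group(1), m.group(2)
            if name == AUTORUN_VALUE or AUTORUN_FILE in data.lower():
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for n, line in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts line {n}: {line}")
    for key, name, data in autorun_hits(SAMPLE_REG):
        print(f"autorun: {key} -> {name} = {data}")
```

Two practical notes: `reg export` writes UTF-16 LE with a BOM, so read the real file with `open(path, encoding="utf-16")` before passing it in, and treat a cleaned hosts file as a starting point only, since a stock Windows hosts file needs nothing but the localhost line and anything else you keep should be verified by hand.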

Miscellaneous
When this virus is resident in memory, it creates a Mutex named "31337" (a single-instance marker: a second copy finding the mutex already present will not run). When joining the IRC server, the virus may send the following message into the channel:

starting MyTob::v3.5 beta

In leetspeak, the numbers 31337 read as "ELEET", i.e. "elite". For years, hackers and virus authors have styled themselves "elite" programmers this way, which is why the same string appears as the channel name, the mutex name and the version banner.

Recommended Action
    FortiGate systems:

  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option


Reference: ID - 140752