W32/Mytob@mm

Analysis

This is a generic detection for several variants of the MyTob family. The variants differ slightly in packed file size and in the file names created on the host, but the functionality of the viruses remains the same.

This threat was coded using Visual C, and contains instructions to spread to other systems using these methods -

  • SMTP email
  • networked systems
  • RPC exploit [MS04-011]

The virus also has the following characteristics -

  • can trick users who trust file icons into running it, because its file icon resembles that of a graphic image file -- this technique preys upon users and systems with the default configuration of "do not display file extensions for known file types"
  • has a built-in FTP daemon with the reference name "StnyFtpd", and may serve the file "wtfhe.exe" via the FTP daemon
  • may connect to an IRC server such as "fc.teensmutbox.com" and await commands from a malicious user (the server name varies between variants)
  • blocks certain AV and security websites by altering the local "HOSTS" file
  • carries an anti-Symantec Corporation payload

The virus borrows code from W32/Mydoom - this causes some AV scanners to identify this virus as a variant of the W32/Mydoom family.

Loading at Windows startup
If the threat is run manually, it copies itself to the root of the active drive and commonly into the System32 folder as well. The dropped files may have .SCR or .PIF file extensions, as in these examples -

C:\my_picture.scr - copy of virus
C:\pic.scr - copy of virus
C:\see_this!.pif - copy of virus
C:\WINNT\system32\smsrss.exe - copy of virus

The virus has a file size in excess of 120,000 bytes. The virus registers itself to load at Windows startup, usually via values under these keys -

HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

SMTP mass-mailing routine
The virus has instructions to send a copy of itself to addresses found in files with certain extensions. It appears to have borrowed the same harvest and exclusion routines found in the W32/Mydoom virus family. Email addresses are sampled from files with these extensions -

  • adb
  • tbb
  • dbx
  • asp
  • php
  • sht
  • htm

The captured addresses are used as targets for the mailing routine. As with other viruses using this technique, the virus avoids selecting email addresses that contain certain strings, such as these -

  • .edu
  • .gov
  • .mil
  • abuse
  • accoun
  • acketst
  • admin
  • anyone
  • arin.
  • be_loyal:
  • berkeley
  • borlan
  • bsd
  • bugs
  • ca
  • certific
  • contact
  • example
  • fcnz
  • feste
  • fido
  • foo.
  • fsf.
  • gnu
  • gold-certs
  • google
  • gov.
  • help
  • iana
  • ibm.com
  • icrosof
  • icrosoft
  • ietf
  • info
  • inpris
  • isc.o
  • isi.e
  • kernel
  • linux
  • listserv
  • math
  • me
  • mit.e
  • mozilla
  • mydomai
  • no
  • nobody
  • nodomai
  • noone
  • not
  • nothing
  • ntivi
  • page
  • panda
  • pgp
  • postmaster
  • privacy
  • rating
  • rfc-ed
  • ripe.
  • ruslis
  • samples
  • secur
  • sendmail
  • service
  • site
  • soft
  • somebody
  • someone
  • sopho
  • spm
  • submit
  • support
  • syma
  • tanford.e
  • the.bat
  • unix
  • usenet
  • utgers.ed
  • webmaster
  • www
  • you
  • your
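The harvest-and-exclusion routine described above, re-implemented here as an added example (it is not code from the original page nor from the malware) so that an analyst can check which addresses in a given set of files the routine would have kept as targets. The page does not say whether each exclusion string is compared against the whole address, the local part or the domain; this example compares against the whole lower-cased address and, as an assumption, leaves out the shortest tokens from the list (ca, me, no, not, you, your) because whole-address matching with them would exclude nearly everything. The file names, contents and addresses are constructed.

```python
import re

# File extensions the worm harvests from, as listed on the page.
HARVEST_EXTENSIONS = {"adb", "tbb", "dbx", "asp", "php", "sht", "htm"}

# Exclusion substrings from the page's list. Assumption: matched against the
# whole lower-cased address. The shortest tokens (ca, me, no, not, you, your)
# are left out here because whole-address matching with them would exclude
# almost every address; the page does not say which part they are compared to.
EXCLUDED_SUBSTRINGS = (
    ".edu", ".gov", ".mil", "abuse", "accoun", "acketst", "admin", "anyone",
    "arin.", "be_loyal:", "berkeley", "borlan", "bsd", "bugs", "certific",
    "contact", "example", "fcnz", "feste", "fido", "foo.", "fsf.", "gnu",
    "gold-certs", "google", "gov.", "help", "iana", "ibm.com", "icrosof",
    "icrosoft", "ietf", "info", "inpris", "isc.o", "isi.e", "kernel", "linux",
    "listserv", "math", "mit.e", "mozilla", "mydomai", "nobody", "nodomai",
    "noone", "nothing", "ntivi", "page", "panda", "pgp", "postmaster",
    "privacy", "rating", "rfc-ed", "ripe.", "ruslis", "samples", "secur",
    "sendmail", "service", "site", "soft", "somebody", "someone", "sopho",
    "spm", "submit", "support", "syma", "tanford.e", "the.bat", "unix",
    "usenet", "utgers.ed", "webmaster", "www",
)

ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest(text):
    """Extract candidate addresses from a blob of text (mailbox, HTML, script)."""
    return {m.group(0).lower() for m in ADDRESS_RE.finditer(text)}


def is_excluded(address):
    """True when the address contains any exclusion substring."""
    a = address.lower()
    return any(token in a for token in EXCLUDED_SUBSTRINGS)


def select_targets(files):
    """files: mapping of file name -> text content. Returns the sorted set of
    addresses the documented routine would keep as mailing targets."""
    targets = set()
    for name, content in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext not in HARVEST_EXTENSIONS:
            continue  # file type is not scanned by the worm
        targets.update(a for a in harvest(content) if not is_excluded(a))
    return sorted(targets)


# Constructed sample files (not real data).
SAMPLE_FILES = {
    "inbox.dbx": (
        "From: jsmith@acme-widgets.net\n"
        "To: dean@cs.berkeley.edu\n"
        "Cc: support@acme-widgets.net\n"
    ),
    "contact.htm": (
        '<a href="mailto:carol@mail.acme-widgets.net">Carol</a> '
        '<a href="mailto:info@acme-widgets.net">Info</a>'
    ),
    "notes.txt": "dave@acme-widgets.net\n",  # .txt is not harvested
}

if __name__ == "__main__":
    for addr in select_targets(SAMPLE_FILES):
        print("target:", addr)
```

Running it on the sample yields only the two addresses that survive both filters (the university, support and info addresses are dropped by the exclusion list, and the .txt file is never read), which is why mass-mailers of this generation tended to reach ordinary users rather than abuse desks or vendors.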

The virus carries hard-coded message bodies and sends email with varying body text, selected from these choices -

  • Mail transaction failed. Partial message is available.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The original message was included as an attachment.
  • Here are your banks documents.

The email attachment may have a .PIF, .EXE or .ZIP file extension.
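As an added example (not code from the original page), the following checks an e-mail against the two indicators just described: one of the hard-coded body strings together with an attachment that is directly executable or a ZIP that contains one. The sample messages are constructed in the block itself; treating .SCR members inside ZIP attachments as executable is an assumption taken from the dropped-file names earlier on the page, not something the page states about the attachments.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Hard-coded body strings documented for this family.
LURE_BODIES = (
    "Mail transaction failed. Partial message is available.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
    "The original message was included as an attachment.",
    "Here are your banks documents.",
)
# Extensions that execute on double-click. .PIF and .EXE are the attachment
# types named on the page; .SCR is an assumption based on the dropped-file names.
EXECUTABLE_EXTS = (".pif", ".exe", ".scr")


def executable_names(filename, data):
    """Names that would run if the user opens the attachment: the attachment
    itself, or executable members inside a ZIP attachment."""
    lower = filename.lower()
    if lower.endswith(EXECUTABLE_EXTS):
        return [filename]
    if lower.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]
        except zipfile.BadZipFile:
            return []  # mislabelled or corrupt archive; nothing to extract
    return []


def assess(raw_message):
    """Parse an RFC 5322 message (bytes) and report both indicators."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    lure = any(lure_text in text for lure_text in LURE_BODIES)
    executables = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            executables.extend(executable_names(name, part.get_payload(decode=True)))
    return {"lure_body": lure, "executables": executables,
            "suspect": lure and bool(executables)}


# --- constructed samples (not captured traffic) ---------------------------
def build_sample(body, filename, payload):
    m = EmailMessage()
    m["From"] = "jsmith@acme-widgets.net"
    m["To"] = "carol@mail.acme-widgets.net"
    m["Subject"] = "Mail Delivery System"
    m.set_content(body)
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


def make_zip(member, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()


FAKE_PE = b"MZ" + b"\x00" * 62  # stand-in for a dropped executable
SAMPLE_PIF = build_sample(LURE_BODIES[2], "message.pif", FAKE_PE)
SAMPLE_ZIP = build_sample(LURE_BODIES[0], "document.zip", make_zip("pic.scr", FAKE_PE))
SAMPLE_BENIGN = build_sample("Quarterly figures attached.", "report.pdf", b"%PDF-1.4\n")

if __name__ == "__main__":
    for label, raw in (("pif", SAMPLE_PIF), ("zip", SAMPLE_ZIP), ("benign", SAMPLE_BENIGN)):
        print(label, assess(raw))
```

The verdict requires both indicators, since the body strings alone also appear in genuine bounce messages; the ZIP inspection matters because mail gateways of the time frequently blocked bare .PIF/.EXE attachments but passed archives through.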

Network spreading routine
The virus first binds to a high TCP port such as 36276 and spawns a thread that serves as an FTP server on that port. On connection, the server responds with this banner -

220 StnyFtpd 0wns j0

When the client quits, the server responds with this string -

221 Goodbye happy r00ting.

Next, the virus attempts to connect to other systems whose addresses share the first two octets with the infected system. It generates random IP addresses by keeping those two octets of the infected system's address and randomizing the remaining two (A.B.[random].[random]).
For example, if the infected system has the private (NAT) address 192.168.29.56, the virus may try to connect to random addresses such as these -

  • 192.168.1.71
  • 192.168.113.2
  • 192.168.44.50 and so on

The virus attempts to connect to each random address on TCP port 445. If a connection succeeds, it uses the RPC exploit (MS04-011) to gain access to the system. Once access is obtained, it generates an FTP script and writes it to the target with these instructions:

open [IP] [TCP port]
user hell rulez
binary
get bingoo.exe
quit

The virus then runs FTP.EXE on the compromised system with this script, retrieving a copy of itself from the infecting system's FTP daemon and executing it. The name of the retrieved file (for example "bingoo.exe" or "wtfhe.exe") varies between variants.

Backdoor functionality
The virus creates a thread that functions as a backdoor on a high TCP port such as 10087 or 10153. It connects to an IRC server (for example 'spm.slo-partija.info') to receive instructions from a malicious user. Instructions include the following -

.update
.raw
.exec
.dl
.rm
.quit
.su
.uptime
.login


HOSTS modification routine
This variant alters the local "HOSTS" file in an effort to block access to antivirus and security-related web sites. The virus rewrites the "HOSTS" file so that attempts to reach those addresses resolve to 127.0.0.1, the loopback address ("localhost"), which stops signature updates and support sites from loading. Below is a copy of a modified HOSTS file -

127.0.0.1 www.trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 symantec.com
127.0.0.1 securityresponse.symantec.com
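An added example (not from the original page or from Fortinet) that audits a HOSTS file for the sinkholing shown above: every name other than localhost that is mapped to a loopback address is reported, tagged when it belongs to one of the vendor domains in the list, and a cleaned copy of the file is produced. The sample file content is constructed; the vendor list and the localhost allow-list are assumptions drawn from the entries above. On Windows the file is %SystemRoot%\System32\drivers\etc\hosts.

```python
# Vendor domains appearing in the modified HOSTS file above (assumption: the
# set an operator cares about; extend as needed).
SECURITY_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "mcafee.com", "nai.com",
    "networkassociates.com", "trendmicro.com", "kaspersky.com", "avp.com",
    "viruslist.com", "f-secure.com", "sophos.com", "ca.com", "my-etrust.com",
    "microsoft.com",
)
LOOPBACK_IPS = {"127.0.0.1", "::1", "0.0.0.0"}
# Names legitimately pointed at loopback (assumption).
LOOPBACK_ALLOWLIST = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (line_number, ip, name) for every name on every active line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield lineno, ip, name.lower()


def audit_hosts(text):
    """Report names sinkholed to loopback, tagging known security-vendor domains."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if ip not in LOOPBACK_IPS or name in LOOPBACK_ALLOWLIST:
            continue
        vendor = next((d for d in SECURITY_DOMAINS
                       if name == d or name.endswith("." + d)), None)
        findings.append({"line": lineno, "ip": ip, "name": name, "vendor": vendor})
    return findings


def clean_hosts(text):
    """Return the file with every flagged line removed. The whole line goes,
    so a line mixing good and bad names is dropped entirely; review before writing."""
    flagged = {f["line"] for f in audit_hosts(text)}
    kept = [l for i, l in enumerate(text.splitlines(), 1) if i not in flagged]
    return "\n".join(kept) + "\n"


# Constructed sample: a stock Windows file with worm entries appended.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.trendmicro.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1\tsecurityresponse.symantec.com
127.0.0.1 intranet.acme-widgets.net   # not a vendor, still sinkholed
10.0.0.5  fileserver.acme-widgets.net
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['name']} -> {f['ip']} (vendor: {f['vendor']})")
```

Reporting every loopback-mapped name rather than only the vendor list catches variants that add domains the list does not cover; the vendor tag just prioritises the finding. The parser accepts tabs, multiple spaces and trailing comments, all of which appear in real HOSTS files, and 0.0.0.0 is included because later families used it for the same purpose.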

Miscellaneous
The virus may also attempt a basic denial-of-service attack against Symantec by issuing repeated GET requests to the web address www.symantec.com. This attack is unlikely to affect the server, however.

Recommended Action


    FortiGate systems:
  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option

Telemetry

Detection Availability

FortiGate (Extended)
FortiClient
FortiMail
FortiSandbox
FortiWeb (Web Application Firewall)
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2021-10-26 89.06291
2021-08-14 88.00362
2021-08-13 88.00338
2020-10-20 81.23000 Sig Updated
2019-08-27 71.17600 Sig Updated
2019-07-21 70.14600 Sig Updated
2019-07-20 70.12100 Sig Updated
2019-07-15 70.00300 Sig Updated
2019-06-03 68.99300 Sig Updated
2019-05-21 68.68100 Sig Updated