Virus

W32/MyTob.K@mm

Analysis

  • Drops the following files:
    • C:\funny_pic.scr
    • C:\see_this!!.scr
    • C:\my_photo2005.scr
    • %SYSTEM%\msgmr.exe
  • Creates a mutex named H-E-L-L-B-O-T to make sure that only one instance is running.
  • Adds the following registry entries. The first three are autorun locations that relaunch msgmr.exe at startup; the OLE and Lsa entries are not startup locations, but their presence identifies an infected system:
    • key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • value: Win TaskLoader
    • data: msgmr.exe
    • key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    • value: Win TaskLoader
    • data: msgmr.exe
    • key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • value: Win TaskLoader
    • data: msgmr.exe
    • key: HKCU\Software\Microsoft\OLE
    • value: Win TaskLoader
    • data: msgmr.exe
    • key: HKCU\SYSTEM\CurrentControlSet\Control\Lsa
    • value: Win TaskLoader
    • data: msgmr.exe

    Email Propagation
  • Gathers email addresses from files having the following extensions:
    • adb
    • wab
    • tbb
    • dbx
    • htm
    • html
    • sht
    • php
    • asp
    • aspx
  • Avoids sending emails to addresses that contain any of the following strings:
    • .gov
    • .mil
    • borlan
    • example
    • inpris
    • microsof
    • sopho
  • Uses its own SMTP engine to send itself to email addresses that it finds.

  • Email format:
    Subject: one of the following:
    • [No Subject]
    • [random letters]
    • Error
    • Good day
    • hello
    • Mail Delivery System
    • Mail Transaction Failed
    • Server Report
    • Status
    Message Body: one of the following:
    • [Random data]
    • Here are your banks documents.
    • Mail transaction failed. Partial message is available.
    • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
    • The message contains Unicode characters and has been sent as a binary attachment.
    • The original message was included as an attachments.
    Attachment: one of the following:
    • [random letters]
    • body
    • data
    • doc
    • document
    • file
    • message
    • readme
    • test
    • text
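
The subject, body and attachment-name lists above define the lure a mail gateway can match on. The following Python script is an added example, not part of the Fortinet analysis: it parses a raw RFC 822 message with the standard library and reports which of the fixed indicators match. The "[random letters]" and "[Random data]" variants have no fixed form, so the rule treats a body-text match (the most worm-specific string) as sufficient on its own and otherwise requires both a subject and an attachment-name match, which keeps ordinary mail with a subject like "Status" from being flagged. Both sample messages are constructed; the analysis names the dropped files as .scr but does not give the attachment extension, so the .scr extension on the sample attachment is an assumption.

```python
import email
from email import policy

# Lure strings copied from the analysis above. The "[random letters]" and
# "[Random data]" variants have no fixed form and are not matched here.
SUBJECTS = {s.lower() for s in (
    "", "Error", "Good day", "hello", "Mail Delivery System",
    "Mail Transaction Failed", "Server Report", "Status")}
BODIES = (
    "Here are your banks documents.",
    "Mail transaction failed. Partial message is available.",
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "The original message was included as an attachments.",
)
ATTACHMENT_BASENAMES = {"body", "data", "doc", "document", "file",
                        "message", "readme", "test", "text"}


def classify_message(raw: str) -> dict:
    """Compare one raw message against the MyTob.K lure template.

    A body match is sufficient on its own (the strings are specific to this
    family); subject and attachment name are generic and only count together.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    hits = set()

    # A missing Subject header corresponds to the "[No Subject]" variant.
    subject = str(msg["subject"] or "").strip()
    if subject.lower() in SUBJECTS:
        hits.add("subject")

    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content() if body_part is not None else ""
    if any(b in text for b in BODIES):
        hits.add("body")

    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        names.append(name)
        # The analysis lists attachment base names only, so the extension is ignored.
        if name.rsplit(".", 1)[0].lower() in ATTACHMENT_BASENAMES:
            hits.add("attachment")

    verdict = "body" in hits or {"subject", "attachment"} <= hits
    return {"hits": hits, "attachments": names, "mytob_lure": verdict}


# Constructed sample messages, not captured traffic. The .scr extension is an
# assumption; the analysis gives only the attachment base names.
SAMPLE_LURE = """\
From: postmaster@example.org
To: user@example.org
Subject: Mail Transaction Failed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Mail transaction failed. Partial message is available.
--b1
Content-Type: application/octet-stream; name="message.scr"
Content-Disposition: attachment; filename="message.scr"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

SAMPLE_BENIGN = """\
From: alice@example.org
To: user@example.org
Subject: Status
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Weekly status report is attached.
--b2
Content-Type: application/pdf; name="status-2005-w10.pdf"
Content-Disposition: attachment; filename="status-2005-w10.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, classify_message(raw))
```

Because the random-subject and random-attachment variants are invisible to this check, it belongs alongside a gateway policy that strips executable attachment types outright rather than replacing one.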

    Network Propagation
  • Propagates across the network by exploiting the Microsoft Windows Local Security Authority Subsystem Service (LSASS) vulnerability (MS04-011) on unpatched hosts.

    Backdoor and/or Trojan Behavior
  • Opens an FTP server on TCP port 65003.

  • Connects to the IRC server d66.myleftnut.info on TCP port 4367, joins channel #d66, and waits for commands that let the remote attacker perform any of the following actions:
    • Execute files
    • Download files
    • Restart system
    • Perform various other IRC commands
  • Prevents the infected system from reaching update servers and various other security-related web sites by modifying the local HOSTS file.
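
The HOSTS modification just described, together with the registry values and the mutex listed under Analysis, are the host artifacts a responder would check for. The following Python triage script is an added example, not part of the Fortinet analysis: the pure functions operate on HOSTS text and on (hive, key, value, data) tuples so they can be exercised off-host on constructed data, while the collection and mutex checks use winreg and ctypes and run only on Windows. The analysis does not name the redirected domains, so the watch list of update and vendor domains is an assumption, as is all sample data.

```python
import ctypes
import os
import platform
import re

# Indicators taken from the analysis above.
AUTORUN_VALUE = "Win TaskLoader"
DROPPED_BINARY = "msgmr.exe"
MUTEX_NAME = "H-E-L-L-B-O-T"
REGISTRY_KEYS = (
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\OLE"),
    ("HKCU", r"SYSTEM\CurrentControlSet\Control\Lsa"),
)
# The analysis says update servers and security vendors are redirected but does
# not name them, so this watch list is an assumption made for the example.
WATCH_DOMAINS = ("microsoft.com", "windowsupdate.com", "symantec.com",
                 "sophos.com", "mcafee.com", "trendmicro.com", "fortinet.com")


def find_hosts_overrides(hosts_text, watch_domains=WATCH_DOMAINS):
    """Return (address, hostname) pairs in HOSTS text that pin a watched domain.
    A clean Windows HOSTS file has no entries for these names, so any mapping
    (127.0.0.1, 0.0.0.0 or an attacker's address) is reported."""
    overrides = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drops comments and blank lines
        for name in fields[1:]:
            host = name.lower().rstrip(".")
            if any(host == d or host.endswith("." + d) for d in watch_domains):
                overrides.append((fields[0], host))
    return overrides


def classify_autorun(entries):
    """Pick MyTob.K markers out of (hive, key, value_name, data) tuples. The data
    may be a bare file name or a full path, so only the last path component is compared."""
    return [e for e in entries
            if e[2] == AUTORUN_VALUE
            or re.split(r"[\\/]", str(e[3]))[-1].lower() == DROPPED_BINARY]


def collect_autorun_entries():
    """Enumerate every value under the five keys above (Windows only)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries = []
    for hive, path in REGISTRY_KEYS:
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                for index in range(winreg.QueryInfoKey(key)[1]):   # [1] = value count
                    name, data, _ = winreg.EnumValue(key, index)
                    entries.append((hive, path, name, data))
        except OSError:                  # key absent or access denied
            continue
    return entries


def mutex_present(name=MUTEX_NAME):
    """Open the worm's mutex by name; success means an instance is running (Windows only)."""
    kernel32 = ctypes.windll.kernel32
    kernel32.OpenMutexW.argtypes = (ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p)
    kernel32.OpenMutexW.restype = ctypes.c_void_p
    handle = kernel32.OpenMutexW(0x00100000, 0, name)      # SYNCHRONIZE access
    if handle:
        kernel32.CloseHandle(handle)
        return True
    return False


# Constructed sample input so the pure functions can be exercised off-host.
SAMPLE_HOSTS = """\
# constructed sample, not a captured HOSTS file
127.0.0.1       localhost
0.0.0.0         windowsupdate.microsoft.com
127.0.0.1       www.sophos.com sophos.com    # added by the worm
127.0.0.1       intranet.corp.example
"""
SAMPLE_AUTORUN = [
    ("HKLM", REGISTRY_KEYS[0][1], "Win TaskLoader", "msgmr.exe"),
    ("HKLM", REGISTRY_KEYS[0][1], "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("HKCU", REGISTRY_KEYS[3][1], "Win TaskLoader", r"C:\WINDOWS\system32\msgmr.exe"),
]

if __name__ == "__main__":
    if platform.system() == "Windows":
        hosts_path = os.path.expandvars(r"%SystemRoot%\System32\drivers\etc\hosts")
        with open(hosts_path, errors="replace") as f:
            print("HOSTS overrides:", find_hosts_overrides(f.read()))
        print("autorun markers:", classify_autorun(collect_autorun_entries()))
        print("mutex present:", mutex_present())
    else:
        print("HOSTS overrides:", find_hosts_overrides(SAMPLE_HOSTS))
        print("autorun markers:", classify_autorun(SAMPLE_AUTORUN))
```

Run it from the console session of the suspect host with administrative rights, since the HKLM keys and the HOSTS file may otherwise be unreadable; an empty result from the registry check on its own is not a clean verdict, because the worm's binary can be renamed by a later variant while the HOSTS changes and the mutex remain.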

    Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
    Patch
  • Download and install the following patch: Microsoft Windows Local Security Authority Subsystem Service (LSASS) Vulnerability: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx