W32/Mytob.H@mm
Analysis
- Copies itself to the System folder as scvhost.exe.
Autostart Mechanism
- Adds the following value:
SVCHOST = "scvhost.exe"
to the following registry keys:
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Email Propagation
- Gathers email addresses from the Microsoft Windows Address Book and from files having the following extensions:
- wab
- adb
- tbb
- dbx
- asp
- php
- sht
- htm
- Avoids sending emails to addresses that contain any of the following strings:
- accoun
- certific
- listserv
- ntivi
- support
- icrosoft
- admin
- page
- the.bat
- gold-certs
- feste
- submit
- not
- help
- service
- privacy
- somebody
- soft
- contact
- site
- rating
- bugs
- you
- your
- someone
- anyone
- nothing
- nobody
- noone
- webmaster
- postmaster
- samples
- info
- root
Also avoided are email addresses whose domain names contain any of the following strings:
- mozilla
- utgers.ed
- tanford.e
- pgp
- acketst
- secur
- isc.o
- isi.e
- ripe.
- arin.
- sendmail
- rfc-ed
- ietf
- iana
- usenet
- fido
- linux
- kernel
- ibm.com
- fsf.
- gnu
- mit.e
- bsd
- math
- unix
- berkeley
- foo.
- .mil
- gov.
- .gov
- ruslis
- nodomai
- mydomai
- example
- inpris
- borlan
- sopho
- panda
- icrosof
- syma
- avp
- .edu
- Searches for SMTP servers by prepending the following strings to domain names that it finds:
- gate.
- ns.
- relay.
- mail1.
- mxs.
- mx1.
- smtp.
- mail.
- mx.
- Uses its own SMTP engine to send itself to email addresses that it finds.
- The email has the following format:
From: one of the following:
- sandra
- lolita
- britney
- bush
- linda
- julie
- jimmy
- jerry
- helen
- debby
- claudia
- brenda
- anna
- madmax
- brent
- adam
- ted
- fred
- jack
- bill
- stan
- smith
- steve
- matt
- dave
- dan
- joe
- jane
- bob
- robert
- peter
- tom
- ray
- mary
- serg
- brian
- jim
- maria
- leo
- jose
- andrew
- sam
- george
- david
- kevin
- mike
- james
- michael
- alex
- john
Subject: may be blank, a random combination of characters, or any of the following:
- Good day
- hello
- Mail Delivery System
- Mail Transaction Failed
- Server Report
- Status
- Error
Message Body: may be blank, a random combination of characters, or any of the following:
- Mail transaction failed. Partial message is available.
- The message contains Unicode characters and has been sent as a binary attachment.
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- The original message was included as an attachment.
- Here are your banks documents.
Attachment: [Filename].[Extension]
[Filename] may be a random combination of characters, or one of the following:
- document
- readme
- doc
- text
- file
- data
- test
- message
- body
[Extension] can be any of the following:
- bat
- cmd
- exe
- pif
- scr
- zip
- doc
- txt
- htm
- tmp
Network Propagation
- Attempts to spread by exploiting the Local Security Authority Subsystem Service (LSASS) Vulnerability.
Backdoor and/or Trojan Behavior
- Connects to the Internet Relay Chat (IRC) server irc.blackcarder.net to await instructions and commands from a remote user.
- Opens a random port and sets itself up as an FTP server.
- Prevents the infected system from connecting to update servers and various other security-related web sites by adding the following entries to the local HOSTS file:
127.0.0.1 www.trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.symantec.com
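A defender-side check for the HOSTS tampering described above, added here as an example and not code from the original advisory: it parses HOSTS-file content and reports any of the listed vendor hostnames that have been mapped to a loopback address. The domain list is the advisory's; the sample HOSTS text is constructed for the demonstration.

```python
"""Flag the loopback redirects Mytob.H adds to the Windows HOSTS file.
Added example, not code from the advisory; the domain list is the
advisory's, SAMPLE_HOSTS is constructed for the demo."""
import re

# Hostnames the advisory says the worm maps to 127.0.0.1.
MYTOB_BLOCKED_DOMAINS = {
    "www.trendmicro.com", "www.microsoft.com", "trendmicro.com",
    "rads.mcafee.com", "customer.symantec.com", "liveupdate.symantec.com",
    "us.mcafee.com", "updates.symantec.com", "update.symantec.com",
    "www.nai.com", "nai.com", "secure.nai.com", "dispatch.mcafee.com",
    "download.mcafee.com", "www.my-etrust.com", "my-etrust.com",
    "mast.mcafee.com", "ca.com", "www.ca.com", "networkassociates.com",
    "www.networkassociates.com", "avp.com", "www.kaspersky.com",
    "www.avp.com", "kaspersky.com", "www.f-secure.com", "f-secure.com",
    "viruslist.com", "www.viruslist.com",
    "liveupdate.symantecliveupdate.com", "mcafee.com", "www.mcafee.com",
    "sophos.com", "www.sophos.com", "symantec.com",
    "securityresponse.symantec.com", "www.symantec.com",
}
# Any 127.x.x.x address or IPv6 ::1 counts as a loopback sinkhole.
LOOPBACK = re.compile(r"^(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|::1)$")

def parse_hosts(text):
    """Yield (address, hostname) pairs; comments and blank lines are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        for host in fields[1:]:                 # one line may list several names
            yield fields[0], host.lower()

def find_mytob_hosts_tampering(text):
    """Return listed vendor hostnames mapped to loopback, in file order."""
    return [host for addr, host in parse_hosts(text)
            if LOOPBACK.match(addr) and host in MYTOB_BLOCKED_DOMAINS]

# Constructed sample: two worm-style entries among legitimate ones.
SAMPLE_HOSTS = """# constructed sample HOSTS file
127.0.0.1 localhost
127.0.0.1 www.trendmicro.com
127.0.0.1 liveupdate.symantec.com  # appended by the worm
10.0.0.5  intranet.corp.example
"""

if __name__ == "__main__":
    # On a real host, read C:\Windows\System32\drivers\etc\hosts instead.
    for host in find_mytob_hosts_tampering(SAMPLE_HOSTS):
        print(f"HOSTS file redirects {host} to loopback")
```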
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
Patch
- Download and install the patch for the Local Security Authority Subsystem Service (LSASS) Vulnerability at http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx.
Detection Availability
Product | Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR | 