
Worm.MyTob.BE

MEDIUM
MEDIUM
47104 Bytes

Symptoms

The presence of the file "%SYSTEM%\beta.exe" (47104 bytes), which tries to connect to the IRC server "irc.blackcarder.net" on port 7000.

Presence of the registry values:

- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "beta.exe"
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "beta.exe"

A modified hosts file ("%SYSTEM%\drivers\etc\hosts"), which makes it impossible to visit web sites related to security and antivirus vendors.

Termination of security-related or monitoring processes.

The presence of the following mutexes:

- "S-P-Y-B"
- "X-B-T-3"



Removal instructions:

Please let BitDefender delete the worm.

Edit the file "%SYSTEM%\drivers\etc\hosts" and delete every line beginning with:

"127.0.0.1"

except this one:

"127.0.0.1 localhost"
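The hosts-file step above, written out as an added Python example (not Bitdefender's own tool): every line that maps a name to 127.0.0.1 is dropped except the legitimate localhost entry, comments and other addresses are left alone, and a backup is kept. The sample hosts content is constructed; the file path handling is an assumption.

```python
"""Clean a hosts file rewritten by the worm (added example, not Bitdefender's tool)."""
import re
from pathlib import Path

# Matches a line whose address is 127.0.0.1 and captures the first hostname after it.
LOOPBACK_LINE = re.compile(r"^\s*127\.0\.0\.1\s+(\S+)")


def clean_hosts(text: str) -> tuple[str, list[str]]:
    """Return (cleaned text, removed lines).

    Every line beginning with 127.0.0.1 is dropped, except the legitimate
    '127.0.0.1 localhost' mapping; comments, IPv6 (::1) entries and lines
    for other addresses are kept unchanged.
    """
    kept, removed = [], []
    for line in text.splitlines():
        match = LOOPBACK_LINE.match(line)
        if match and match.group(1).lower() != "localhost":
            removed.append(line)  # a security/AV site redirected to loopback
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


def clean_hosts_file(path: Path) -> list[str]:
    """Rewrite the hosts file in place, keeping a .bak copy; returns the removed lines."""
    original = path.read_text(encoding="utf-8", errors="replace")
    cleaned, removed = clean_hosts(original)
    if removed:
        path.with_suffix(".bak").write_text(original, encoding="utf-8")
        path.write_text(cleaned, encoding="utf-8")
    return removed


# Constructed sample of a tampered hosts file; the domains are placeholders.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       av-vendor.example
127.0.0.1       update.av-vendor.example
10.0.0.5        intranet.example
"""

if __name__ == "__main__":
    # On a live system the path would be %SYSTEM%\drivers\etc\hosts (assumption).
    cleaned_text, dropped = clean_hosts(SAMPLE_HOSTS)
    print(cleaned_text)
    print("removed:", dropped)
```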

Analyzed By

Petrea Ruslan, virus researcher

Technical Description:

Once executed, the worm copies itself as "%SYSTEM%\beta.exe" and creates the following registry values in order to be executed at startup:

- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WINDOWS SYSTEM = "beta.exe"
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SYSTEM = "beta.exe"

The worm scans the local drives for files with extensions:

TXT, HTMB, SHTL, JSPL, CGIL, XMLS, PHPQ, ASPD, DBXN, TBBG, ADBH, PL, HTML, WAB,

and scans them for email addresses which will be used for spreading.

To send an email, the worm tries to guess the SMTP server of the recipient's domain by prepending host-name prefixes such as:

- mx.
- mail.
- smtp.
- mx1.
- mxs.
- mail1.
- relay.
- ns.
- gate.

(e.g. for somebody@somewhere.com it tries SMTP servers like mx.somewhere.com and mail.somewhere.com), or it uses the local user's SMTP server found in the registry value

"HKCU\Software\Microsoft\Internet Account Manager\Accounts\SMTP Server"

The mail's subject is one of following:

- *DETECTED* Online User Violation
- *WARNING* Your Email Account Will Be Closed
- [random characters]
- Account Alert
- Email Account Suspension
- Important Notification
- Notice of account limitation
- Notice: **Last Warning**
- Security measures
- Your Email Account is Suspended For Security Reasons
- *DETECTED* ONLINE USER VIOLATION
- *WARNING* YOUR EMAIL ACCOUNT WILL BE CLOSED
- ACCOUNT ALERT
- EMAIL ACCOUNT SUSPENSION
- IMPORTANT NOTIFICATION
- NOTICE OF ACCOUNT LIMITATION
- NOTICE: **LAST WARNING**
- SECURITY MEASURES
- YOUR EMAIL ACCOUNT IS SUSPENDED FOR SECURITY REASONS

The mail's body could be one of the following:

- The original message has been included as an attachment.
- We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.
- We attached some important information regarding your account.
- Please read the attached document and follow its instructions.
- We attached your account information.
- Please confirm the attached document!


The message also carries an attached file with either a random name or a name from the following list, using a double extension of the form "[doc/htm/txt].[exe/scr/pif]":

- account-details
- document
- email-doc
- email-info
- INFO
- information
- info-text
- instructions

 

The worm is also an IRC bot, so it can receive commands to download and execute any file from the internet (including its own updates), send any local file to the attacker, or report system information.

The worm terminates a large list of processes that could detect or stop it, and it modifies the Windows hosts file to prevent antivirus programs from updating.