
Win32.Worm.Mytob.GZ.dam

MEDIUM
MEDIUM
> 46.5 KB
Aliases: Net-Worm.Win32.Mytob.t, W32.Mytob.AI@mm, W32/Mytob.BT@mm, W32/Mytob.G.worm, Worm W32/Mytob.GO

Symptoms

The presence of:
* the following four files, all of the same size:
    C:\FUNNY_PIC.SCR
    C:\MY_PHOTO2005.SCR
    C:\SEE_THIS!!.SCR
    %System%\JUSCHED32.EXE
* the file C:\HELLMSN.exe

and the inability to access security sites
    (because the hosts file %System%\DRIVERS\ETC\HOSTS has been modified to redirect them)

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Boeriu Laura, Virus Researcher

Technical Description:

The malware copies itself to:
     C:\FUNNY_PIC.SCR
     C:\MY_PHOTO2005.SCR
     C:\SEE_THIS!!.SCR
     %System%\JUSCHED32.EXE

drops the backdoor C:\HELLMSN.exe (Backdoor.Faribot.A)

and creates the value "WINTASK DLL" = "jusched32.exe" under each of the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
These registry values are continuously recreated by the malware, so deleting them is useless as long as the malware is active.

Win32.Worm.Mytob.GZ.dam uses its own SMTP engine to spread, sending itself to e-mail addresses found in files on the infected computer.

It searches the Windows Address Book files in:
%Windir%\Temporary Internet Files
%Userprofile%\Local Settings\Temporary Internet Files
%System%
and all files with the extensions adb, tbb, dbx, asp, php, sht, htm and pl found on the computer.

It does not send itself to addresses containing any of the following strings:
abuse, accoun, acketst, admin, anyone, arin, avp, bugs, ca, certific, contact, example, feste, fido, foo., fsf., gnu, gold-certs, google, help, info, linux, listserv, me, no, nobody, noone, not, nothing, ntivi, page, postmaster, privacy, rating, root, samples, service, site, soft, somebody, someone, submit, support, unix, webmaster, you
There are also some domain names to which the malware does not send mail
     (examples: .edu, .gov, .mil, ibm.com, ...)

The body of the infected mail contains one of the following messages:
* Mail transaction failed. Partial message is available.
* The message contains Unicode characters and has been sent as a binary attachment.
* The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
* The original message was included as an attachment.
* Here are your banks documents.
The name of the attachment is composed of one of the words:
body, data, doc, document, file, message, readme, test, text
and one of the following extensions:
cmd, bat, exe, scr, pif, zip
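As an added example (not part of the Bitdefender description, nor a Bitdefender signature), the lure text and attachment naming above are enough to write a small triage routine for a mail gateway or quarantine review: a message that carries one of the fixed body sentences together with a `<word>.<ext>` executable attachment is rated high, an executable attachment with one of the generic names alone is rated medium (a legitimate `readme.zip` does exist), and the lure sentence alone is rated low, since it could be a genuine bounce. The message record shape and the sample messages are constructed for this example.

```python
import re
from typing import Iterable

# Lure vocabulary copied from the description above.
BODY_TEMPLATES = (
    "Mail transaction failed. Partial message is available.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
    "The original message was included as an attachment.",
    "Here are your banks documents.",
)
ATTACHMENT_WORDS = ("body", "data", "doc", "document", "file", "message", "readme", "test", "text")
ATTACHMENT_EXTS = ("cmd", "bat", "exe", "scr", "pif", "zip")

# Exactly <word>.<ext>, case-insensitive; "document.scr.txt" does not match.
ATTACHMENT_RE = re.compile(
    r"^(?:" + "|".join(ATTACHMENT_WORDS) + r")\.(?:" + "|".join(ATTACHMENT_EXTS) + r")$",
    re.IGNORECASE,
)


def attachment_matches(filename: str) -> bool:
    """True if the attachment name is built from the worm's word and extension lists."""
    return ATTACHMENT_RE.match(filename.strip()) is not None


def body_matches(body: str) -> bool:
    """True if the body contains one of the fixed lure sentences (whitespace/case-insensitive)."""
    normalized = " ".join(body.split()).lower()
    return any(template.lower() in normalized for template in BODY_TEMPLATES)


def triage(message: dict) -> str:
    """Rate one message record as 'high', 'medium', 'low' or 'none'.

    Assumed (constructed) record shape: {"id": str, "body": str, "attachments": [str, ...]}.
    """
    has_lure_attachment = any(attachment_matches(a) for a in message.get("attachments", []))
    has_lure_body = body_matches(message.get("body", ""))
    if has_lure_attachment and has_lure_body:
        return "high"
    if has_lure_attachment:
        return "medium"
    if has_lure_body:
        return "low"
    return "none"


def flag_messages(messages: Iterable[dict]) -> dict:
    """Map message id -> verdict for every message rated above 'none'."""
    flagged = {}
    for message in messages:
        verdict = triage(message)
        if verdict != "none":
            flagged[message["id"]] = verdict
    return flagged


# Constructed sample records, not captured traffic.
SAMPLE_MESSAGES = [
    {"id": "m1",
     "body": "The message contains Unicode characters and has been sent as a binary attachment.",
     "attachments": ["document.scr"]},
    {"id": "m2", "body": "Hi, see the quarterly figures attached.", "attachments": ["report.xlsx"]},
    {"id": "m3", "body": "Mail transaction failed. Partial message is available.", "attachments": ["message.txt"]},
    {"id": "m4", "body": "FYI", "attachments": ["readme.zip"]},
]

if __name__ == "__main__":
    for message_id, verdict in flag_messages(SAMPLE_MESSAGES).items():
        print(f"{message_id}: {verdict}")
```

The verdict tiers are deliberately coarse; in practice the medium tier is where a gateway policy would strip or quarantine the attachment, while the low tier is only worth a look when the sending host is internal.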


Besides sending itself by e-mail, the malware performs the following undesired actions:

* Loads an FTP server that listens on a random TCP port.
* Blocks access to some security sites by adding the following lines to the %System%\DRIVERS\ETC\HOSTS file:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
* Connects to an IRC channel and executes remote commands.
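The hosts-file tampering described under Symptoms and in the list above is easy to audit offline: any name other than the stock loopback names that resolves to a loopback or unspecified address is an override worth reviewing, and overrides of the vendor domains in the list are a direct match for this behaviour. The following is an added example (not Bitdefender's tool or detection logic) that parses a copy of a hosts file and reports such entries; the vendor-domain set is taken from the list above, the sample hosts content is constructed, and the `example.invalid` names are placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Registered domains appearing in the worm's HOSTS additions listed above.
BLOCKED_VENDOR_DOMAINS = frozenset({
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com", "microsoft.com",
})

# Names that legitimately map to loopback in a stock hosts file.
LEGIT_LOOPBACK_NAMES = frozenset({
    "localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost", "ip6-loopback",
})


@dataclass(frozen=True)
class Finding:
    line_no: int
    address: str
    hostname: str
    reason: str  # "vendor_sinkhole" or "loopback_override"


def _is_sinkhole_address(addr: str) -> bool:
    """True for 127.0.0.0/8, ::1 and 0.0.0.0, the addresses used to blackhole a name."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _registered_domain(hostname: str) -> str:
    """Crude last-two-labels domain; sufficient for the vendor list above."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def parse_hosts(text: str) -> Iterator[Tuple[int, str, List[str]]]:
    """Yield (line_no, address, hostnames) for each effective line; comments and blanks are skipped."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        yield line_no, fields[0], fields[1:]


def scan_hosts(text: str) -> List[Finding]:
    """Report every non-stock name that the file forces to a loopback/unspecified address."""
    findings: List[Finding] = []
    for line_no, addr, names in parse_hosts(text):
        if not _is_sinkhole_address(addr):
            continue
        for name in names:
            lname = name.lower()
            if lname in LEGIT_LOOPBACK_NAMES:
                continue
            reason = ("vendor_sinkhole" if _registered_domain(lname) in BLOCKED_VENDOR_DOMAINS
                      else "loopback_override")
            findings.append(Finding(line_no, addr, lname, reason))
    return findings


# Constructed sample: one stock entry, two worm-style additions, one user override, one normal mapping.
SAMPLE_HOSTS = """\
# constructed sample hosts file for the example
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
0.0.0.0   ads.example.invalid   # constructed: a user's ad-blocking entry
10.0.0.5  intranet.example.invalid
"""

if __name__ == "__main__":
    for finding in scan_hosts(SAMPLE_HOSTS):
        print(f"line {finding.line_no}: {finding.address} {finding.hostname} ({finding.reason})")
```

Running this against a copy of %System%\DRIVERS\ETC\HOSTS pulled from a suspect machine gives a quick confirmation of the symptom; a `loopback_override` finding on its own is not proof of infection (ad-blocking hosts lists produce the same pattern), whereas a cluster of `vendor_sinkhole` findings is characteristic of this family.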