Win32.Worm.Mytob.GZ.dam( Net-Worm.Win32.Mytob.t, W32.Mytob.AI@mm, W32/Mytob.BT@mm, W32/Mytob.G.worm, Worm W32/Mytob.GO )
SYMPTOMS:

The presence of:
* the following 4 files, all having the same size:
  C:\FUNNY_PIC.SCR
  C:\MY_PHOTO2005.SCR
  C:\SEE_THIS!!.SCR
  %System%\JUSCHED32.EXE
* the file C:\HELLMSN.exe
* the inability to access security sites (due to the configuration of the hosts file %System%\DRIVERS\ETC\HOSTS)

TECHNICAL DESCRIPTION:

The malware copies itself to:
  C:\FUNNY_PIC.SCR
  C:\MY_PHOTO2005.SCR
  C:\SEE_THIS!!.SCR
  %System%\JUSCHED32.EXE
drops the backdoor C:\HELLMSN.exe (Backdoor.Faribot.A) and sets the following registry key to "WINTASK DLL" = "jusched32.exe":
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
These registry keys are continuously recreated by the malware, making their deletion useless as long as the malware is active.

Win32.Worm.Mytob.GZ.dam uses its own SMTP engine to spread by sending itself to e-mail addresses found in files on the infected computer. It searches the Windows Address Book files in:
  %Windir%\Temporary Internet Files
and all the adb, tbb, dbx, asp, php, sht, htm, pl files found on the computer.

It does not send itself to addresses containing:
  abuse accoun
There are also some domain names that the malware does not send mail to (examples: .edu, .gov, .mil, ibm.com, ...).

The body of the infected mail contains one of the following messages:
* Mail transaction failed. Partial message is available.

The name of the attachment is composed of one of the words:
  body
and one of the following extensions:
  cmd bat exe scr pif zip

Besides sending itself by e-mail, the malware performs the following undesired actions:
* Loads an FTP server that listens on a random TCP port.
* Blocks access to some security sites by adding the following lines to the %System%\DRIVERS\ETC\HOSTS file:
  127.0.0.1 www.symantec.com
* Connects to an IRC channel and executes remote commands.

Removal instructions: Please let BitDefender disinfect your files.

ANALYZED BY: Boeriu Laura, Virus Researcher