Win32.Worm.MyTob.CX

MEDIUM
MEDIUM
26156 bytes
(Net-Worm.Win32.Mytob.bi, W32/Mytob-FR, W32.Mytob.MC@mm, Win32/Mytob.KV@mm, W32/Mytob.hb@MM)

Symptoms

 - presence of the file windbg32.exe in the %SYSTEM% folder (usually C:\WINDOWS\SYSTEM32)
 - presence of a string value named WINDOWS Debugger and set to windbg32.exe in the following registry keys:
     HKLM\Software\Microsoft\Windows\CurrentVersion\Run
     HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Removal instructions:

 - terminate the %SYSTEM%\windbg32.exe process and delete the file
 - delete the following registry values:
     HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WINDOWS Debugger
     HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS Debugger
 - re-enable the Windows Firewall/Internet Connection Sharing (ICS) service (either using the Control Panel/Administrative Tools/Services applet, or by setting the registry value HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Start to 2)

Analyzed By

Vlad Ioan Topan, virus researcher

Technical Description:

This is a mass-mailing worm and backdoor. The backdoor can be controlled through the IRC (Internet Relay Chat) protocol and allows remote attackers to take control of the infected computer.

On its first run, the worm creates a copy of itself called windbg32.exe in the %SYSTEM% folder (usually C:\WINDOWS\SYSTEM32). It then runs the newly created file, and the old instance ends execution.

The worm starts by creating a mutex named iPod to make sure only one instance of itself is running.
Periodically it creates registry entries to ensure it is run at system start-up: the string value WINDOWS Debugger set to windbg32.exe is created in the following keys: HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices.
It also sets the registry value HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Start to 4, which disables the Windows Firewall/Internet Connection Sharing (ICS) service.

It then proceeds to harvest e-mail addresses from the victim's computer, ignoring e-mails that contain certain substrings.
The worm has its own SMTP engine, which it uses to send e-mails to the collected addresses. The e-mails carry the worm as an attachment. The attachment's file name ends in a fake .doc, .htm or .txt extension, followed by blanks, and then by the real executable extension (.exe, .scr or .pif).

The Sender field is spoofed; the subject is one of the following:

*IMPORTANT* Winnings notification
Claim your free prize
Free Account Signup
Free Prize.
Important Notification
Notice of prize winnings
Retrive You Free iPod Nano!
SENDING FREE IPOD MEASURES
Your Account is a winner
YourFreeiPod Support


The e-mail body is one of the following patterns:

Dear user [random],
You have been picked to receive a free prize!
Check the attachment in this email for claiming your prize.
Thank you
The YourFreeiPod Team


+++ Attachment: No Virus (Clean)
+++ [random] Antivirus - www.[random]

Dear user [random],
It has come to our attention that your one of five winners this month from YourFreeiPod.com
Please see the attachment in the email for further details.
Thank you for using YourFreeiPod.com!
The YourFreeiPod Team


+++ Attachment: No Virus (Clean)
+++ [random] Antivirus - www.[random]


Dear [random] Member,
Please claim your free iPod Movie mediaplayer
Us here at YourFreeiPod.com like to treat our members so we give away a free iPod every month.
Attached to this email is the details on how you can claim your prize
Sincerely,The YourFreeiPod Team


+++ Attachment: No Virus (Clean)
+++ [random] Antivirus - www.[random]

Dear [random] Member,
Your e-mail account was picked from an online site www.YourFreeiPod.com. Since we did pull your name from the hat you are intitled to receive FREE 4GB Black iPod Nano.
Please read the attachment in this email for further instructions. If you choose to ignore our request, you leave us no choice but to forfeit your winnings.
Virtually yours,
The YourFreeiPod Team


+++ Attachment: No Virus found Scanned with Nod32
+++ [random] Antivirus - www.[random]

The [random] field is chosen in each case from lists of predefined values.
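As an added example (not part of the Bitdefender description), the following Python mail-gateway check flags the two mail-side indicators described above: a subject line from the worm's list, and an attachment name that hides an executable extension behind a blank-padded decoy extension. The regular expression for the padded double extension and the sample message are assumptions constructed from the description, not captured worm output.

```python
import re
from email import message_from_string

# Subject lines and attachment naming taken from the MyTob.CX description above.
SUBJECTS = {
    "*IMPORTANT* Winnings notification", "Claim your free prize",
    "Free Account Signup", "Free Prize.", "Important Notification",
    "Notice of prize winnings", "Retrive You Free iPod Nano!",
    "SENDING FREE IPOD MEASURES", "Your Account is a winner",
    "YourFreeiPod Support",
}
# Assumed pattern: decoy extension, a run of blanks, then the real executable extension at the end.
PADDED_DOUBLE_EXT = re.compile(r"\.(doc|htm|txt)[ \t]+\.(exe|scr|pif)$", re.IGNORECASE)


def is_padded_double_extension(filename: str) -> bool:
    """True when an executable extension hides behind a blank-padded decoy extension."""
    return PADDED_DOUBLE_EXT.search(filename) is not None


def classify_message(raw_eml: str) -> dict:
    """Report which MyTob.CX mail indicators one RFC 822 message shows."""
    msg = message_from_string(raw_eml)
    subject = (msg.get("Subject") or "").strip()
    hits = {"subject_match": subject in SUBJECTS, "suspicious_attachments": []}
    for part in msg.walk():
        name = part.get_filename()  # None for parts without a file name
        if name and is_padded_double_extension(name):
            hits["suspicious_attachments"].append(name)
    return hits


# Constructed sample in the shape the text describes (not a real capture).
SAMPLE_EML = """From: YourFreeiPod Support <support@example.invalid>
Subject: Claim your free prize
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear user 12345,
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="prize.doc                    .scr"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""
```

Calling `classify_message(SAMPLE_EML)` reports the subject match and the padded attachment name; a name such as report.txt.exe with no blanks is deliberately not matched, because the pattern follows the description literally.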