
Win32.Mytob.A (Ca.com)

Description Published: March 2, 2005
Description Modified: March 3, 2005

The information below provides details about this virus.

Threat Assessment

Wild: Low
Destructiveness: Medium
Pervasiveness: High
Risk: Low



Characteristics

Type: Worm
Category: Win32
Also known as: Win32/Atak.Variant!Worm, W32/Mydoom.bg@MM (McAfee), WORM_MYTOB.A (Trend), W32/Mytob.A@mm (F-Secure), Net-Worm.Win32.Mytob.a (Kaspersky)



Description

Win32.Mytob.A is a worm that spreads via e-mail. The worm also acts as an IRC bot, allowing a controller unauthorized access to the infected machine, and further spreading by exploiting the LSASS buffer overflow vulnerability. It has been distributed as a 41,824 byte, FSG-packed Win32 executable.


Method of Infection
When executed, Mytob.A copies itself to "%System%\msnmsgr.exe" and sets the following registry values in order to execute itself at each Windows start:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSN = "msnmsgr.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\MSN = "msnmsgr.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MSN = "msnmsgr.exe"


The worm also creates a mutex called "D66" so that multiple copies of itself will not run at the same time.

Note: '%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32.

The worm also adds these registry entries, which do nothing:

HKCU\Software\Microsoft\OLE\MSN = "msnmsgr.exe"
HKCU\System\CurrentControlSet\Control\Lsa\MSN = "msnmsgr.exe"
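The registry values above are the host-based indicators an incident responder would look for. The following script is an added example (not CA's code) that scans a Windows registry export (a `.reg` text file, as produced by `reg export` or Registry Editor) for exactly those values, distinguishing the three autorun entries from the two inert ones. The sample export embedded in it is constructed for illustration; the non-worm `SynTPEnh` value is a made-up benign entry showing that unrelated Run values are not flagged.

```python
"""Scan a .reg export for the registry values Mytob.A sets.

Added example, not part of CA's description. The sample export below is
constructed; only the MSN = "msnmsgr.exe" values come from the advisory.
"""
import re

# (key path, value name, data) triples the advisory lists as autorun entries.
MYTOB_AUTORUN = {
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "MSN", "msnmsgr.exe"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices", "MSN", "msnmsgr.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "MSN", "msnmsgr.exe"),
}
# Entries the worm adds that do nothing, but which still identify an infection.
MYTOB_INERT = {
    (r"HKEY_CURRENT_USER\Software\Microsoft\OLE", "MSN", "msnmsgr.exe"),
    (r"HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa", "MSN", "msnmsgr.exe"),
}

# Matches a REG_SZ line of a .reg export: "name"="data" (with \\ and \" escapes).
_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"\s*=\s*"((?:[^"\\]|\\.)*)"')


def parse_reg_export(text):
    """Yield (key_path, value_name, data) for every string value in the export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]              # section header names the key
        elif key and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m:
                name, data = m.group(1), m.group(2)
                # Undo .reg escaping so paths compare naturally.
                data = data.replace('\\"', '"').replace("\\\\", "\\")
                yield key, name, data


def find_mytob_indicators(reg_text):
    """Return [(category, key, name, data)] for every Mytob.A value present."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        for category, table in (("autorun", MYTOB_AUTORUN), ("inert", MYTOB_INERT)):
            for k, n, d in table:
                # Registry paths and value names are case-insensitive.
                if (key.lower(), name.lower(), data.lower()) == (k.lower(), n.lower(), d.lower()):
                    hits.append((category, key, name, data))
    return hits


# Constructed sample export: two autorun values, one inert value, one benign value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSN"="msnmsgr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSN"="msnmsgr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"MSN"="msnmsgr.exe"
'''

if __name__ == "__main__":
    for category, key, name, data in find_mytob_indicators(SAMPLE_REG):
        print(f"[{category}] {key}\\{name} = {data!r}")
```

The mutex "D66" and the file `%System%\msnmsgr.exe` are the other two indicators from the description; they need a live host (or a memory image) rather than an export, so they are not covered by this offline check.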


Method of Distribution
Via E-mail

Mytob.A is capable of spreading via e-mail. The worm sends e-mail with variable Subjects, Message bodies and attachments. The sender and recipient address may be partially spoofed; the domain is taken from the user's and receiver's address, but the username portion (i.e. the string before "@") is chosen from the following list:

adam
alex
alice
andrew
anna
bill
bob
brenda
brent
brian
claudia
dan
dave
david
debby
fred
george
helen
jack
james
jane
jerry
jim
jimmy
joe
john
jose
julie
kevin
leo
linda
maria
mary
matt
michael
mike
peter
ray
robert
sam
sandra
serg
smith
stan
steve
ted
tom

The worm obtains e-mail addresses to send itself to from the Windows Address book, and by searching the local hard drive for files with the following extensions:

wab
adb
tbb
dbx
asp
php
sht
htm

The worm avoids sending itself to e-mail addresses that contain the following strings in their names:

.gov
.mil
abuse
accoun
acketst
admin
anyone
arin.
avp
be_loyal:
berkeley
borlan
bsd
bugs
certific
contact
example
fcnz
feste
fido
foo.
fsf.
gnu
gold-certs
google
gov.
help
hotmail
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
listserv
math
mit.e
mozilla
msn.
mydomai
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
spm
submit
support
syma
tanford.e
the.bat
unix
usenet
utgers.ed
webmaster
www
you
your

The worm performs DNS MX (mail exchanger) queries to find an appropriate mail server for each domain it tries to send itself to. It performs these queries using the server that is configured as the default DNS server for the local system. If the worm cannot find a mail server, it tries to guess the user's mail server by prepending the following strings to the domain of the e-mail address:

mx.
mail.
smtp.
mx1.
mxs.
mail1.
relay.
ns.
gate.

Example: for tester@test.com, the worm tries "mx.test.com" or "mail.test.com".

E-mail sent by the worm can have one of the following subjects:

Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
Hi
test

The e-mails can have one of the following Message bodies:

Mail transaction failed. Partial message is available.

The message contains Unicode characters and has been sent as a binary attachment.

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

test

The worm may also send e-mail containing a blank message body or random strings.

The worm attaches itself using one of the following file names:

body
message
test
data
file
text
doc
readme
document

With any one of the following extensions:

bat
cmd
exe
scr
pif
zip

The worm may also attach itself as a ZIP file. The file inside the ZIP archive may have two extensions, the first chosen from the following list:

htm
txt
doc

The second extension is chosen from the following list and is separated from the first extension by a number of spaces:

pif
scr
exe

Example: attachment "test.zip" contains file "test.htm[many spaces].exe"
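Taken together, the sender spoofing, subject, attachment-name and ZIP double-extension traits described above make a usable mail-gateway heuristic. The script below is an added example (not CA's code) that scores an inbound message against those traits; the most specific check opens the ZIP attachment and looks for an inner file named like `test.htm<spaces>.exe`. The message fields, the domain `corp.test` and the ZIP contents are constructed; the name, subject and extension lists are copied from the description.

```python
"""Score an inbound message against the Mytob.A mail traits.

Added example, not part of CA's description. Sample messages and the ZIP
attachment are constructed; the word lists are those in the advisory.
"""
import io
import re
import zipfile

# Local-parts the worm chooses for spoofed sender addresses.
SENDER_NAMES = {
    "adam", "alex", "alice", "andrew", "anna", "bill", "bob", "brenda", "brent",
    "brian", "claudia", "dan", "dave", "david", "debby", "fred", "george", "helen",
    "jack", "james", "jane", "jerry", "jim", "jimmy", "joe", "john", "jose", "julie",
    "kevin", "leo", "linda", "maria", "mary", "matt", "michael", "mike", "peter",
    "ray", "robert", "sam", "sandra", "serg", "smith", "stan", "steve", "ted", "tom",
}
SUBJECTS = {"error", "status", "server report", "mail transaction failed",
            "mail delivery system", "hello", "hi", "test"}
ATTACH_NAMES = {"body", "message", "test", "data", "file", "text", "doc", "readme", "document"}
ATTACH_EXTS = {"bat", "cmd", "exe", "scr", "pif", "zip"}
ZIP_INNER_FIRST = {"htm", "txt", "doc"}
ZIP_INNER_SECOND = {"pif", "scr", "exe"}

# "<stem>.<benign ext><one or more spaces>.<executable ext>"
_DOUBLE_EXT = re.compile(r"^(?P<stem>.+)\.(?P<first>[a-z]+)\s+\.(?P<second>[a-z]+)$", re.I)


def inspect_zip_names(data):
    """Return inner file names that use the padded double-extension trick."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            m = _DOUBLE_EXT.match(name)
            if m and m["first"].lower() in ZIP_INNER_FIRST and m["second"].lower() in ZIP_INNER_SECOND:
                flagged.append(name)
    return flagged


def score_message(sender, recipient, subject, attachment_name, attachment_bytes=None):
    """Return the list of worm traits the message matches (empty = nothing matched)."""
    reasons = []
    s_user, _, s_dom = sender.lower().rpartition("@")
    r_dom = recipient.lower().rpartition("@")[2]
    # Spoofed sender: a list name at the recipient's own domain.
    if s_user in SENDER_NAMES and s_dom == r_dom:
        reasons.append("sender local-part from worm list at recipient's own domain")
    if subject.strip().lower() in SUBJECTS:
        reasons.append("subject from worm list")
    stem, _, ext = attachment_name.lower().rpartition(".")
    if stem in ATTACH_NAMES and ext in ATTACH_EXTS:
        reasons.append("attachment name and extension from worm lists")
    if ext == "zip" and attachment_bytes is not None:
        inner = inspect_zip_names(attachment_bytes)
        if inner:
            reasons.append("ZIP member with padded double extension: " + ", ".join(repr(n) for n in inner))
    return reasons


def build_sample_zip():
    """Constructed ZIP whose single member mimics 'test.htm[many spaces].exe'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("test.htm" + " " * 40 + ".exe", b"constructed placeholder, not an executable")
    return buf.getvalue()


if __name__ == "__main__":
    for reason in score_message("bob@corp.test", "alice@corp.test",
                                "Mail Transaction Failed", "test.zip", build_sample_zip()):
        print("-", reason)
```

The sender check only fires when the spoofed local-part sits at the recipient's own domain, which is exactly the pattern the description gives; a message from a real "bob" at another domain with an ordinary subject and a PDF attachment scores nothing.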

Below are some examples of e-mail sent by the worm:




Via Exploit
Mytob.A generates random IP addresses and attempts to connect to port 445 of the target IP in order to exploit the LSASS buffer overflow vulnerability (MS04-011). If the vulnerability exploit is successful, the worm downloads a copy of the worm from the original machine. Please visit our Vulnerabilities Encyclopedia for further detail http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?id=27886
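On the network side, the exploit-based spreading shows up as one internal host opening connections to TCP port 445 on many unrelated, seemingly random addresses in a short time. The script below is an added example (not CA's code) of that detection over flow records: it buckets connections per source and time window and flags any source that reaches an unusual number of distinct 445/tcp destinations. The flow log, the threshold and the window length are constructed assumptions; tune the threshold against the normal SMB fan-out of your own file-server-heavy segments.

```python
"""Flag hosts fanning out to TCP/445 on many distinct destinations, the traffic
pattern of Mytob.A spreading through the LSASS vulnerability (MS04-011).

Added example, not part of CA's description. Flow records, window and
threshold are constructed.
"""
from collections import defaultdict

# Constructed flow log: "<unix timestamp> <src> <dst> <dst port>".
# 10.0.0.5 hits twelve different addresses on 445 within a few seconds;
# 10.0.0.9 only talks to the file server and a web host.
SAMPLE_FLOWS = """\
# ts         src       dst            dport
1109718000 10.0.0.5 10.0.0.1 445
1109718001 10.0.0.5 203.0.113.7 445
1109718001 10.0.0.5 203.0.113.199 445
1109718002 10.0.0.5 198.51.100.23 445
1109718002 10.0.0.5 192.0.2.77 445
1109718003 10.0.0.5 198.51.100.200 445
1109718004 10.0.0.5 203.0.113.42 445
1109718005 10.0.0.5 192.0.2.9 445
1109718006 10.0.0.5 198.51.100.5 445
1109718007 10.0.0.5 192.0.2.140 445
1109718008 10.0.0.5 203.0.113.88 445
1109718009 10.0.0.5 198.51.100.61 445
1109718003 10.0.0.9 10.0.0.1 445
1109718004 10.0.0.9 10.0.0.1 445
1109718005 10.0.0.9 203.0.113.10 80
"""


def parse_flows(text):
    """Yield (timestamp, src, dst, dport) tuples, skipping comments and blanks."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        yield int(ts), src, dst, int(dport)


def find_scanners(text, port=445, window=60, threshold=10):
    """Return sorted sources that reached >= threshold distinct hosts on `port`
    within one `window`-second bucket."""
    buckets = defaultdict(set)          # (src, bucket) -> set of destinations
    for ts, src, dst, dport in parse_flows(text):
        if dport != port:
            continue
        buckets[(src, ts // window)].add(dst)
    return sorted({src for (src, _), dsts in buckets.items() if len(dsts) >= threshold})


def destinations_per_source(text, port=445):
    """Distinct destination count per source on `port`, for reporting."""
    counts = defaultdict(set)
    for _, src, dst, dport in parse_flows(text):
        if dport == port:
            counts[src].add(dst)
    return {src: len(dsts) for src, dsts in counts.items()}


if __name__ == "__main__":
    for src in find_scanners(SAMPLE_FLOWS):
        print(f"{src}: {destinations_per_source(SAMPLE_FLOWS)[src]} distinct 445/tcp targets")
```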


Payload

Backdoor Functionality
The worm can be used as an IRC controlled backdoor, allowing a remote user to gain unauthorized access to the infected machine. The worm connects to a particular IRC Server and joins a channel. It then waits for instructions from the channel. The worm can be instructed to perform the following actions on the affected machine:

Download files
Download worm updates
Execute files
Provide information about the worm variant
Remove files

Analysis by Amir Fouda

More information on CA Virus Information Center
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=41965

Computer Associates – the Trusted Source of Security Knowledge

Copyright © CENTER.HU Ltd, 2000-2010. All rights reserved