Net-Worm.Win32.Mytob.dam

From Total Malware Info


Network worm that infects Windows executable files. It is a Windows PE EXE file, 258,048 bytes in size. The worm spreads copies of itself across local networks using the buffer overflow vulnerability in the LSASS service (MS04-011) and over the Internet as attachments to infected email messages.


Installation

When launched, the worm copies itself to the Windows system directory under the following name:

%System%\iexplorer.exe

It then creates the following registry entry:

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
drvsyskit=%System%\drivers\hidr.exe

so that the worm executable is launched automatically each time Windows starts. Note that the value name and path listed here (drvsyskit, %System%\drivers\hidr.exe) differ from the dropped file above and from the WINTASK=iexplorer.exe value given in the removal instructions; check for all of them when cleaning a machine.

Propagation using the LSASS vulnerability

The worm builds a list of IP addresses of computers in the Network Neighbourhood and attacks those addresses using the buffer overflow vulnerability in the LSASS system service. It sends a specially crafted packet to TCP port 445 on the victim machine; the overflow executes a small loader, which runs the system utility ftp.exe to download the main worm file from an FTP server that the worm runs on the already infected machine, and then executes it. Machines with the MS04-011 update installed are not affected by this vector. Because the loader runs inside the exploited LSASS process, ftp.exe started as a child of lsass.exe, and an FTP listener on a workstation that does not normally serve FTP, are both strong indicators of this propagation.

Propagation via email

Worm searches for email addresses in files with the following extensions:

wab
pl
adb
tbb
dbx
asp
php
sht
htm

on all logical disks. The worm ignores addresses that contain any of the following strings:

accoun
certific
listserv
ntivi
support
icrosoft
admin
page
the.bat
gold-certs
ca
feste
submit
not
help
service
privacy
somebody
no
soft
contact
site
rating
bugs
me
you
your
someone
anyone
nothing
nobody
noone
webmaster
postmaster
samples
info
root
be_loyal
mozilla
utgers.ed
tanford.e
pgp
acketst
secur
isc.o
isi.e
ripe.
arin.
Sendmail
rfc-ed
ietf
iana
usenet
fido
linux
kernel
google
ibm.com
fsf.
gnu
mit.e
bsd
math
unix
berkeley
foo.
.mil
gov.
.gov
ruslis
nodomai
mydomai
example
inpris
borlan
sopho
panda
icrosof
syma
avp
abuse
www
fcnz
spm
.edu

While sending emails, the worm tries to establish a direct connection to SMTP servers. The server addresses are formed from the domain name extracted from each email address, prefixed with one of the following:

gate.
ns.
relay.
mail1.
mxs.
mx1.
smtp.
mail.
mx.
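The address selection and SMTP host guessing described above, as an added example (this is illustrative code written for this page, not the worm's own code, and nothing in it is taken from a sample). It reproduces the harvesting rules as the page states them: scan only files with the listed extensions, drop any address containing one of the ignore strings, and build candidate SMTP hosts from the domain part. Assumptions not stated on the page and labelled as such in the code: the ignore match is a case-insensitive substring test, the extension match is exact, and addresses are found with a plain regular expression. The sample HTML fragment and all addresses in it are constructed. Running the ignore list over real data shows how aggressive it is: the two-letter strings "me", "no" and "ca" alone exclude a large share of ordinary addresses (for instance anything at "acme" or "northwind").

```python
import re

# Substrings from the page's ignore list. Assumption (not stated on the page):
# the comparison is case-insensitive, so everything is lowercased here.
IGNORE_SUBSTRINGS = [s.lower() for s in [
    "accoun", "certific", "listserv", "ntivi", "support", "icrosoft", "admin",
    "page", "the.bat", "gold-certs", "ca", "feste", "submit", "not", "help",
    "service", "privacy", "somebody", "no", "soft", "contact", "site", "rating",
    "bugs", "me", "you", "your", "someone", "anyone", "nothing", "nobody",
    "noone", "webmaster", "postmaster", "samples", "info", "root", "be_loyal",
    "mozilla", "utgers.ed", "tanford.e", "pgp", "acketst", "secur", "isc.o",
    "isi.e", "ripe.", "arin.", "Sendmail", "rfc-ed", "ietf", "iana", "usenet",
    "fido", "linux", "kernel", "google", "ibm.com", "fsf.", "gnu", "mit.e",
    "bsd", "math", "unix", "berkeley", "foo.", ".mil", "gov.", ".gov", "ruslis",
    "nodomai", "mydomai", "example", "inpris", "borlan", "sopho", "panda",
    "icrosof", "syma", "avp", "abuse", "www", "fcnz", "spm", ".edu",
]]

# File extensions the worm harvests from, and the SMTP host prefixes it tries (from the page).
HARVEST_EXTENSIONS = {"wab", "pl", "adb", "tbb", "dbx", "asp", "php", "sht", "htm"}
SMTP_PREFIXES = ["gate.", "ns.", "relay.", "mail1.", "mxs.", "mx1.", "smtp.", "mail.", "mx."]

# Assumption: a plain address regex; the worm's real parser is not described on the page.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_harvest_target(filename):
    """True if the worm would scan this file for addresses (exact extension match assumed)."""
    _, dot, ext = filename.rpartition(".")
    return bool(dot) and ext.lower() in HARVEST_EXTENSIONS


def ignored_by(address):
    """Return the first ignore-list substring found in the address, or None if it is kept."""
    low = address.lower()
    for needle in IGNORE_SUBSTRINGS:
        if needle in low:
            return needle
    return None


def harvest(text):
    """Addresses the worm would keep from a file's contents, in order, without duplicates."""
    kept = {}
    for addr in ADDRESS_RE.findall(text):
        if addr.lower() not in kept and ignored_by(addr) is None:
            kept[addr.lower()] = addr
    return list(kept.values())


def smtp_candidates(address):
    """Hostnames the worm would try for direct SMTP delivery to this address's domain."""
    domain = address.rsplit("@", 1)[1].lower()
    return [prefix + domain for prefix in SMTP_PREFIXES]


# Constructed sample: a fragment of a .htm file as it might sit on the victim's disk.
SAMPLE_HTM = """<html><body>
Contact <a href="mailto:jdoe@corp-finance.biz">J. Doe</a> or
<a href="mailto:webmaster@corp-finance.biz">the webmaster</a>.
Also: dave@acme.org, alice@example.com, sue@hr-portal.biz,
security@corp-finance.biz, tom@northwind.net, JDOE@corp-finance.biz
</body></html>"""

if __name__ == "__main__":
    for addr in ADDRESS_RE.findall(SAMPLE_HTM):
        print(f"{addr:32} -> {'kept' if ignored_by(addr) is None else 'skipped (' + ignored_by(addr) + ')'}")
    for target in harvest(SAMPLE_HTM):
        print(target, smtp_candidates(target))
```

From the defender's side the useful part is the last function: a workstation that opens TCP 25 directly to hosts named gate., relay., mx1. and so on at external domains, instead of going through the organisation's mail server, is behaving like this worm.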

Characteristics of infected letters

The sender name is one of the following:

lolita
britney
bush
linda
julie
jimmy
jerry
helen
debby
claudia
brenda
anna
madmax
brent
adam
ted
fred
jack
bill
stan
smith
steve
matt
dave
dan
joe
jane
bob
robert
peter
tom
ray
mary
serg
brian
jim
maria
leo
jose
andrew
sam
george
david
kevin
mike
james
michael
alex
john

The subject of the message may contain one of the following strings:

Error 
hello 
hi 
Mail Delivery System 
Mail Transaction Failed 
Server Report 
Status 
Test

The message body may contain one of the following:

  • Mail transaction failed. Partial message is available.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The original message was included as an attachment.
  • Here are your banks documents.

The attachment file name consists of one of the following names:

body 
data 
doc 
document 
file 
message 
readme 
test 
text

and one of the following extensions:

bat 
cmd 
doc 
exe 
htm 
pif 
scr 
tmp 
txt 
zip
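A mail-gateway check built from the message characteristics above, as an added example (written for this page; it is not the page's or any vendor's detection code). It parses a raw message with Python's standard email library, matches the subject and body as substrings the way the page describes, and matches the attachment name as one of the listed base names joined to one of the listed extensions. The attachment name is treated as the decisive signal: subject strings such as "hi" or "Status" occur in ordinary mail, so the example only flags a message when the attachment name matches and at least one of the subject or body patterns also matches. The messages it classifies are constructed with the builder at the bottom; the addresses and bodies are invented sample data.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject strings, body phrases, attachment names and extensions as listed on the page.
SUBJECTS = ["Error", "hello", "hi", "Mail Delivery System", "Mail Transaction Failed",
            "Server Report", "Status", "Test"]
BODY_PHRASES = [
    "Mail transaction failed. Partial message is available.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
    "The original message was included as an attachment.",
    "Here are your banks documents.",
]
ATTACH_NAMES = {"body", "data", "doc", "document", "file", "message", "readme", "test", "text"}
ATTACH_EXTS = {"bat", "cmd", "doc", "exe", "htm", "pif", "scr", "tmp", "txt", "zip"}


def attachment_matches(filename):
    """True if the attachment is <name>.<ext> with both parts taken from the page's lists."""
    if not filename:
        return False
    name, dot, ext = filename.rpartition(".")
    return bool(dot) and name.lower() in ATTACH_NAMES and ext.lower() in ATTACH_EXTS


def classify(raw):
    """Return (is_mytob_like, hits) for a raw RFC 5322 message.

    Subject and body are substring-matched as the page describes. The verdict requires an
    attachment-name match plus a subject or body match, because the short subject strings
    alone would flag a great deal of legitimate mail.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    hits = {
        "subject": [s for s in SUBJECTS if s.lower() in subject],
        "body": [p for p in BODY_PHRASES if p.lower() in body],
        "attachment": [p.get_filename() for p in msg.iter_attachments()
                       if attachment_matches(p.get_filename())],
    }
    verdict = bool(hits["attachment"]) and bool(hits["subject"] or hits["body"])
    return verdict, hits


def build_sample(subject, body, filename, maintype="application", subtype="octet-stream"):
    """Construct a test message; sender, recipient and content are invented sample data."""
    m = EmailMessage()
    m["From"] = "john@corp-finance.biz"   # constructed sender (a name from the page's list)
    m["To"] = "jdoe@corp-finance.biz"     # constructed recipient
    m["Subject"] = subject
    m.set_content(body)
    if filename:
        # A few bytes standing in for the attachment body; not a real worm sample.
        m.add_attachment(b"MZ\x90\x00" + b"\x00" * 28, maintype=maintype,
                         subtype=subtype, filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("Mail Transaction Failed",
                     "Mail transaction failed. Partial message is available.", "document.zip"),
        build_sample("Shipping update", "Your order shipped today.", "invoice.pdf", "application", "pdf"),
        build_sample("hello", "see attached", None),
    ]
    for raw in samples:
        verdict, hits = classify(raw)
        print("FLAGGED" if verdict else "clean  ", hits)
```

The second sample is the false-positive case worth keeping in mind: its subject contains "hi" (inside "Shipping"), which satisfies the subject rule, but the attachment name does not match the page's name and extension lists, so it is left alone.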

Payload

The worm appends the following lines to the file "%System%\drivers\etc\hosts", mapping the listed anti-virus and security vendor sites to 127.0.0.1. This blocks access to those sites from the infected machine and prevents installed anti-virus software from downloading updates:

127.0.0.1	www.trendmicro.com
127.0.0.1	www.microsoft.com
127.0.0.1	trendmicro.com
127.0.0.1	rads.mcafee.com
127.0.0.1	customer.symantec.com
127.0.0.1	liveupdate.symantec.com
127.0.0.1	us.mcafee.com
127.0.0.1	updates.symantec.com
127.0.0.1	update.symantec.com
127.0.0.1	www.nai.com
127.0.0.1	nai.com
127.0.0.1	secure.nai.com
127.0.0.1	dispatch.mcafee.com
127.0.0.1	download.mcafee.com
127.0.0.1	www.my-etrust.com
127.0.0.1	my-etrust.com
127.0.0.1	mast.mcafee.com
127.0.0.1	ca.com
127.0.0.1	www.ca.com
127.0.0.1	networkassociates.com
127.0.0.1	www.networkassociates.com
127.0.0.1	avp.com
127.0.0.1	www.kaspersky.com
127.0.0.1	www.avp.com
127.0.0.1	kaspersky.com
127.0.0.1	www.f-secure.com
127.0.0.1	f-secure.com
127.0.0.1	viruslist.com
127.0.0.1	www.viruslist.com
127.0.0.1	liveupdate.symantecliveupdate.com
127.0.0.1	mcafee.com
127.0.0.1	www.mcafee.com
127.0.0.1	sophos.com
127.0.0.1	www.sophos.com
127.0.0.1	symantec.com
127.0.0.1	securityresponse.symantec.com
127.0.0.1	www.symantec.com

The worm opens TCP port 6667 on the infected machine and runs an IRC server on it. An attacker can connect to this server, join the channel named “#hellbot” and, by sending control commands to the user with the nick “.r0b0t.”, gain full access to the victim machine. A workstation listening on TCP 6667 is therefore a quick check on a suspect host.

Removal instructions

  1. Terminate the worm process.
  2. Remove the worm's values from the following registry keys (the value name given below and the drvsyskit value listed under Installation should both be checked):
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
    [HKCU\SYSTEM\CurrentControlSet\Control\Lsa]
    [HKCU\Software\Microsoft\OLE]
    "WINTASK"="iexplorer.exe"
    
  3. Delete the following file: %System%\iexplorer.exe
  4. Restore the contents of the file %System%\drivers\etc\hosts; a clean file usually contains only the line:
     127.0.0.1	localhost

Apply the MS04-011 update before reconnecting the machine to the network, otherwise it will be reinfected by other infected hosts through the LSASS vulnerability.
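The hosts-file check and repair for the payload described under Payload and for step 4 above, as an added example (written for this page; it is not a vendor's removal tool). Rather than matching only the vendor names the page lists, it flags every non-local hostname that points at a loopback or unspecified address, which catches the worm's entries and any variant of the list, and it rewrites the file keeping comments, legitimate entries and the localhost line. The sample hosts file, including the internal intranet entry, is constructed. One caveat: ad-blocking hosts lists deliberately map names to 127.0.0.1 or 0.0.0.0 as well, so on a machine known to use one, compare the flagged names against that list before treating them as worm damage.

```python
import ipaddress

# Names that legitimately map to a loopback address on a Windows host.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def _parse_line(line):
    """Split one hosts line into (ip or None, [names], comment text)."""
    code, _, comment = line.partition("#")
    parts = code.split()
    if not parts:
        return None, [], comment
    try:
        ip = ipaddress.ip_address(parts[0])
    except ValueError:
        return None, [], comment
    return ip, parts[1:], comment


def _sinkholed(ip):
    """True for 127.0.0.0/8, ::1, 0.0.0.0 and ::, the addresses used to black-hole a name."""
    return ip is not None and (ip.is_loopback or ip.is_unspecified)


def suspicious_entries(text):
    """(line number, hostname) for every non-local name pointed at a sinkhole address."""
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        ip, names, _ = _parse_line(line)
        if _sinkholed(ip):
            found += [(n, name) for name in names if name.lower() not in LOCAL_NAMES]
    return found


def clean_hosts(text):
    """Return the file with sinkholed names removed.

    Comments and non-sinkhole entries are kept verbatim; a sinkhole line keeps only its
    local names; a 127.0.0.1 localhost line is appended if none survives.
    """
    out, has_localhost = [], False
    for line in text.splitlines():
        ip, names, comment = _parse_line(line)
        if _sinkholed(ip):
            names = [x for x in names if x.lower() in LOCAL_NAMES]
            if not names:
                continue  # the whole line was a worm entry
            line = f"{ip}\t{' '.join(names)}" + (f"\t#{comment}" if comment else "")
            has_localhost = has_localhost or (ip.is_loopback and "localhost" in [x.lower() for x in names])
        out.append(line)
    if not has_localhost:
        out.append("127.0.0.1\tlocalhost")
    return "\n".join(out) + "\n"


# Constructed sample of a hosts file after the worm has appended its entries.
SAMPLE_HOSTS = (
    "# constructed sample hosts file from a machine hit by the worm\n"
    "127.0.0.1\tlocalhost\n"
    "10.0.0.5\tintranet.corp-finance.biz\t# legitimate internal entry\n"
    "127.0.0.1\twww.trendmicro.com\n"
    "127.0.0.1\tliveupdate.symantec.com\n"
    "127.0.0.1\tlocalhost www.kaspersky.com\n"
)

if __name__ == "__main__":
    import sys
    # Pass the path of the real file (on Windows, %SystemRoot%\System32\drivers\etc\hosts)
    # to check it; with no argument the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for n, name in suspicious_entries(text):
        print(f"line {n}: {name} is sinkholed")
    print(clean_hosts(text), end="")
```

The script only prints the repaired content; writing it back to the real file needs administrator rights and should be done after the worm process has been stopped, otherwise the entries are simply re-added.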
    