W32.Mytob.C@mm


Discovered: February 28, 2005
Updated: March 01, 2005 6:39:29 AM
Systems Affected: Windows

W32.Mytob.C@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the Windows Address Book on the compromised computer. The worm also has the ability to open a back door and to spread through the network by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108).

This threat has been renamed from W32.Mydoom.BG@mm to W32.Mytob.C@mm.

Once executed, the worm creates the following copy of itself:
%System%\wfdmgr.exe

The worm creates the following registry entries so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"LSA" = "wfdmgr.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\"LSA" = "wfdmgr.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"LSA" = "wfdmgr.exe"
HKEY_CURRENT_USER\Software\Microsoft\OLE\"LSA" = "wfdmgr.exe"
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa\"LSA" = "wfdmgr.exe"

It has been reported that the worm also creates the following registry entries to ensure that the worm runs every time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\"LSA" = "wfdmgr.exe"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\"LSA" = "wfdmgr.exe"
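
As an added example (not part of the original write-up), the following Python script parses a constructed .reg-style export and flags the persistence entries listed above: a value named "LSA" whose data names wfdmgr.exe under any of the seven Run, RunServices, OLE or Lsa keys, including the two keys marked as reported. The sample export, its benign entries and the function names are constructed for illustration; a defender would feed the script the output of reg export for the HKLM and HKCU hives instead.

```python
import re

# Registry keys under which W32.Mytob.C@mm writes its "LSA" = "wfdmgr.exe" value
# (taken from the write-up above, including the two keys marked as "reported").
MYTOB_PERSISTENCE_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE",
    r"HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\OLE",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa",
}
VALUE_NAME = "LSA"
PAYLOAD_NAME = "wfdmgr.exe"

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Parse the [key] / "name"="data" lines of a .reg export into {key: {name: data}}.

    Only string (REG_SZ) values are kept, which is all the persistence entries use.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        match = VALUE_RE.match(line)
        if match and current is not None:
            name, data = match.group(1), match.group(2)
            if data.startswith('"') and data.endswith('"'):
                # .reg escapes backslashes in string data as "\\"; undo that.
                data = data[1:-1].replace("\\\\", "\\")
            entries[current][name] = data
    return entries


def file_name(data):
    """Trailing file name of a registry value, so a full path to wfdmgr.exe also matches."""
    return data.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_mytob_persistence(reg_text):
    """Return (key, value_name, data) for every entry matching the worm's pattern.

    The registry is case-insensitive, so keys and value names are compared in lower case.
    """
    watched = {key.lower() for key in MYTOB_PERSISTENCE_KEYS}
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in watched:
            continue
        for name, data in values.items():
            if name.lower() == VALUE_NAME.lower() and file_name(data) == PAYLOAD_NAME:
                hits.append((key, name, data))
    return hits


# Constructed sample export: three Mytob-style entries plus two benign values that must not match.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleAgent"="C:\\Program Files\\Example\\agent.exe"
"LSA"="wfdmgr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"LSA"="wfdmgr.exe"

[HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa]
"LSA"="C:\\WINDOWS\\system32\\wfdmgr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleSync"="C:\\Users\\user\\sync.exe"
'''

if __name__ == "__main__":
    for key, name, data in find_mytob_persistence(SAMPLE_REG_EXPORT):
        print(f"Mytob persistence: [{key}] {name} = {data}")
```

The comparison is deliberately on the value name and the trailing file name rather than on the exact string "wfdmgr.exe", because the same dropper name may be written with a full %System% path; a hit under the OLE or Lsa keys is the stronger signal, since nothing legitimate uses those as autostart locations.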

The worm gathers email addresses from the Windows Address Book and from files with the following extensions:
.wab
.adb
.tbb
.dbx
.asp
.php
.sht
.htm
.pl

The worm will not send itself to email addresses that contain any of the following strings:
-._!
-._!@
.edu
.gov
.mil
abuse
accoun
acketst
admin
anyone
arin.
avp
be_loyal:
berkeley
borlan
bsd
bugs
ca
certific
contact
example
spam
feste
fido
foo.
fsf.
gnu
gold-certs
google
gov.
help
hotmail
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
listserv
math
me
mit.e
mozilla
msn.
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
spm
submit
support
syma
tanford.e
the.bat
unix
usenet
utgers.ed
webmaster
www
you
your

The worm may also add one of the following names to domain names gathered from the compromised computer to generate email addresses:
adam
alex
alice
andrew
anna
bill
bob
brenda
brent
brian
claudia
dan
dave
david
debby
fred
george
helen
jack
james
jane
jerry
jim
jimmy
joe
john
jose
julie
kevin
leo
linda
maria
mary
matt
michael
mike
peter
ray
robert
sam
sandra
serg
smith
stan
steve
ted
tom

The worm may append the following prefixes to domain names in an attempt to find Simple Mail Transfer Protocol (SMTP) servers:
gate.
ns.
relay.
mail1.
mxs.
mx1.
smtp.
mail.
mx.

The worm then uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following properties:

From: Spoofed

Subject:
One of the following:
hello
hi
Error
Status
Mail Transaction Failed
Mail Delivery System
Server Report
(No Subject)
(random letters)

Message Body:
One of the following:
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

Mail transaction failed. Partial message is available.

test

The message contains Unicode characters and has been sent as a binary attachment.

(No body)

(Random data)

Attachment:
The attachment may contain one of the following:
body
data
doc
document
file
message
readme
test
text
(random letters)

with one of the following extensions:
.bat
.cmd
.exe
.pif
.scr
.zip

If the attachment is a .zip file, the copy of the worm may have one of the following second extensions:
.doc
.txt
.htm
.html
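
The mail properties above give a mail gateway what it needs to quarantine worm-like messages. The following Python script, added here as an example and not part of the original write-up, builds a few constructed MIME messages and flags those whose subject is one of the listed templates and whose attachment is one of the listed names with an executable extension, or a .zip whose member carries one of the listed decoy extensions followed by an executable one. The sample addresses, the helper functions and the message contents are constructed for illustration.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Subject lines, attachment base names and extensions listed in the write-up above.
WORM_SUBJECTS = {"hello", "hi", "error", "status", "mail transaction failed",
                 "mail delivery system", "server report"}
WORM_ATTACHMENT_NAMES = {"body", "data", "doc", "document", "file",
                         "message", "readme", "test", "text"}
EXECUTABLE_EXTS = {".bat", ".cmd", ".exe", ".pif", ".scr"}
DECOY_EXTS = {".doc", ".txt", ".htm", ".html"}


def split_name(filename):
    """'document.htm.exe' -> ('document', ['.htm', '.exe'])"""
    parts = filename.lower().split(".")
    return parts[0], ["." + p for p in parts[1:]]


def inspect_attachment(filename, payload):
    """Return a reason string if the attachment looks like the worm's, else None."""
    base, exts = split_name(filename)
    if not exts:
        return None
    if exts[-1] in EXECUTABLE_EXTS and base in WORM_ATTACHMENT_NAMES:
        return f"executable attachment with worm-style name: {filename}"
    if exts[-1] == ".zip":
        try:
            archive = zipfile.ZipFile(io.BytesIO(payload))
        except zipfile.BadZipFile:
            return None
        for member in archive.namelist():
            _, member_exts = split_name(member.rsplit("/", 1)[-1])
            if (len(member_exts) >= 2 and member_exts[-2] in DECOY_EXTS
                    and member_exts[-1] in EXECUTABLE_EXTS):
                return f"zip {filename} hides double-extension executable {member}"
    return None


def classify_message(raw_bytes):
    """Return the list of reasons a message matches the Mytob mail template (empty = clean)."""
    msg = email.message_from_bytes(raw_bytes)
    reasons = []
    subject = (msg.get("Subject") or "").strip()
    if subject == "" or subject.lower() in WORM_SUBJECTS:   # "(No Subject)" counts too
        reasons.append(f"subject matches worm template: {subject!r}")
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        reason = inspect_attachment(filename, part.get_payload(decode=True) or b"")
        if reason:
            reasons.append(reason)
    return reasons


# --- constructed samples (not real worm traffic) --------------------------------

def build_sample(subject, body, filename, payload):
    msg = EmailMessage()
    msg["From"] = "spoofed-sender@example.invalid"   # the worm spoofs From
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def make_zip(member_name, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, data)
    return buf.getvalue()


SAMPLE_SCR = build_sample("Mail Transaction Failed",
                          "Mail transaction failed. Partial message is available.",
                          "message.scr", b"constructed placeholder bytes")
SAMPLE_ZIP = build_sample("Server Report",
                          "The message contains Unicode characters and has been sent as a binary attachment.",
                          "document.zip", make_zip("document.htm.exe", b"constructed placeholder bytes"))
SAMPLE_BENIGN = build_sample("Q3 planning notes", "Notes attached.", "notes.txt", b"hello")

if __name__ == "__main__":
    for label, sample in [("scr", SAMPLE_SCR), ("zip", SAMPLE_ZIP), ("benign", SAMPLE_BENIGN)]:
        print(label, classify_message(sample) or "clean")
```

A subject such as "hi" or "hello" is too common to act on alone, so a gateway policy should quarantine on the attachment findings and use the subject match only to raise confidence; the zip check matters because a plain extension filter passes document.zip while the executable inside carries the decoy .htm second extension.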

Next, the worm connects to an IRC channel on the irc.blackcarder.net domain on TCP port 6667 and listens for commands that allow the remote attacker to perform the following actions:
Download files
Execute files
Delete files
Update itself
Get uptime information

The worm may then scan for vulnerable computers and try to exploit the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108).