W32.Mytob.AN@mm


Discovered: April 11, 2005
Updated: April 11, 2005 6:53:52 AM
Systems Affected: Windows

W32.Mytob.AN@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer. The worm spreads through the network by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108).

Once executed, the worm copies itself as the following:
%System%\taskgmgr.exe
%System%\bingoo.exe
C:\see_this!!.scr
C:\my_photo2005.scr

The worm then drops the following file:
C:\hellmsn.exe

The worm creates the following registry entries so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"WINMGR" = "taskgmgr.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\"WINMGR" = "taskgmgr.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"WINMGR" = "taskgmgr.exe"
HKEY_CURRENT_USER\Software\Microsoft\OLE\"WINMGR" = "taskgmgr.exe"
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa\"WINMGR" = "taskgmgr.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\"WINMGR" = "taskgmgr.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\"WINMGR" = "taskgmgr.exe"

The worm continually recreates these registry keys if they are deleted.

The worm creates the following mutex so that only one instance of the worm is run on the compromised computer:
H-E-L-L-B-O-T

The worm gathers email addresses from the Windows Address Book and from the following locations:
%Windir%\Temporary Internet Files
%Userprofile%\Local Settings\Temporary Internet Files
%System%

The worm gathers email addresses from files with the following extensions on all local drives from C to Y:
.txt
.htm*
.sht*
.php*
.asp*
.dbx*
.tbb*
.adb*
.wab

The worm will not send itself to email addresses that contain any of the following strings:
root
info
samples
postmaster
webmaster
noone
nobody
nothing
anyone
someone
your
you
bugs
rating
site
contact
soft
somebody
privacy
service
help
not
submit
feste
gold-certs
the.bat
page
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
google
accoun
spm
spam
www
secur
abuse

The worm will not send itself to email addresses that contain any of the following strings as part of domain names:
avp
syma
icrosof
panda
sopho
borlan
inpris
example
mydomai
nodomai
ruslis
.gov
gov.
.mil
foo.
berkeley
unix
math
bsd
mit.e
gnu
fsf.
ibm.com
google
kernel
linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
ripe.
isi.e
isc.o
secur
acketst
pgp
tanford.e
utgers.ed
mozilla

The worm may prepend the following prefixes to domain names in an attempt to find Simple Mail Transfer Protocol (SMTP) servers:
mx.
mail.
smtp.
mx1.
mxs.
mail1.
relay.
ns.
gate.

The worm then uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:

From:
The From address is spoofed and is one of the following:
john
john
alex
michael
james
mike
kevin
david
george
sam
andrew
jose
leo
maria
jim
brian
serg
mary
ray
tom
peter
robert
bob
jane
joe
dan
dave
matt
steve
smith
stan
bill
bob
jack
fred
ted
adam
brent
madmax
anna
brenda
claudia
debby
helen
jerry
jimmy
julie
linda
bush
britney
lolita
sandra

with one of the following domains:
aol.com
msn.com
yahoo.com
juno.com
fbi.gov
cia.gov
hotmail.com

The worm may also spoof an address from one of those found on the computer.

Subject:
One of the following:
Good day
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error

Message:
One of the following:

Here are your banks documents.

The original message was included as an attachment.

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

The message contains Unicode characters and has been sent as a binary attachment.

Mail transaction failed. Partial message is available.

Attachment:
One of the following:
document
readme
doc
text
file
data
test
message
body

with one of the following as extension:
.pif
.scr
.exe
.cmd
.bat

The worm may also send a zipped copy of itself. The zipped file will have .doc, .htm, or .txt as the first extension and .exe, .pif, or .scr as the second extension.
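As an added illustration that is not part of the Symantec writeup, the following Python mail-filter helper flags attachments and subjects that match the templates listed above, including the double-extension pattern used for zipped copies. The name, extension and subject lists are taken from the writeup; the function names and the inside_zip flag are this example's own.

```python
# Lists taken from the writeup above: attachment base names, the executable
# extensions sent directly, the double extensions used inside zip copies,
# and the subject templates (compared case-insensitively).
ATTACHMENT_NAMES = {"document", "readme", "doc", "text", "file",
                    "data", "test", "message", "body"}
EXEC_EXTS = {".pif", ".scr", ".exe", ".cmd", ".bat"}
ZIP_FIRST_EXTS = {".doc", ".htm", ".txt"}
ZIP_SECOND_EXTS = {".exe", ".pif", ".scr"}
SUBJECTS = {"good day", "hello", "mail delivery system",
            "mail transaction failed", "server report", "status", "error"}


def split_exts(name):
    """'readme.doc.exe' -> ('readme', ['.doc', '.exe']); lowercases everything."""
    parts = name.lower().split(".")
    return parts[0], ["." + p for p in parts[1:]]


def attachment_reason(filename, inside_zip=False):
    """Return a reason string if the file name matches the worm's pattern, else None."""
    base, exts = split_exts(filename)
    if inside_zip:
        # Zipped copies: a document-looking extension followed by an executable one.
        if len(exts) >= 2 and exts[-2] in ZIP_FIRST_EXTS and exts[-1] in ZIP_SECOND_EXTS:
            return "zip member with double extension %s%s" % (exts[-2], exts[-1])
        return None
    # Direct attachments: one of the listed base names with a single executable extension.
    if base in ATTACHMENT_NAMES and len(exts) == 1 and exts[0] in EXEC_EXTS:
        return "executable attachment named like Mytob (%s%s)" % (base, exts[0])
    return None


def classify_message(subject, attachments):
    """attachments: list of (filename, inside_zip) tuples. Returns reasons; empty means no match."""
    reasons = []
    for filename, inside_zip in attachments:
        reason = attachment_reason(filename, inside_zip)
        if reason:
            reasons.append(reason)
    # A matching subject alone is weak evidence (e.g. real bounce notices), so it is
    # only reported together with an attachment hit.
    if reasons and subject.strip().lower() in SUBJECTS:
        reasons.append("subject matches Mytob template: %r" % subject)
    return reasons
```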

The worm connects to an IRC channel on the h3ll.m1rr0r.net and h3llz.m1rr0r.net domains on TCP port 10087 and listens for commands that allow a remote attacker to perform any of the following actions:
Download and execute files
Perform other IRC commands determined by the attacker
Reboot the compromised computer

The worm scans for vulnerable computers and tries to exploit the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108).

The worm blocks access to several security-related Web sites by appending Hosts file entries that map the sites' names to 127.0.0.1.
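An added example, not from the writeup: a Python check that parses a Hosts file and reports any watched vendor domain redirected to a loopback or unspecified address, which is how the tampering described above shows up on disk. The watched-domain list and the sample Hosts content are constructed for this example from vendors named in the writeup; the function names are this example's own.

```python
import ipaddress

# Vendor domains the writeup says the worm points at 127.0.0.1 (a selection,
# constructed for this example; extend to taste).
WATCHED_DOMAINS = ("symantec.com", "symantecliveupdate.com", "sophos.com",
                   "mcafee.com", "nai.com", "f-secure.com", "kaspersky.com",
                   "avp.com", "ca.com", "trendmicro.com", "microsoft.com")

# Constructed Hosts file: a normal header and loopback line, one legitimate
# internal alias, then lines shaped like the worm's appended entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        intranet.example.local   # legitimate alias
127.0.0.1 www.symantec.com
127.0.0.1\tliveupdate.symantecliveupdate.com
0.0.0.0   download.mcafee.com   us.mcafee.com
127.0.0.1 www.kaspersky.com
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs; comments, blanks and malformed lines are skipped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for host in fields[1:]:          # one address may carry several names
            yield fields[0], host.lower()


def is_sinkhole(address):
    """True for loopback or unspecified addresses, which make a name unreachable."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def matches_watched(host, watched=WATCHED_DOMAINS):
    # Match on label boundaries: 'symantecliveupdate.com' is not under 'symantec.com'.
    return any(host == d or host.endswith("." + d) for d in watched)


def find_hosts_hijacks(text, watched=WATCHED_DOMAINS):
    """Sorted hostnames that the Hosts file maps to a sinkhole address."""
    return sorted({host for addr, host in parse_hosts(text)
                   if is_sinkhole(addr) and matches_watched(host, watched)})
```

Run it against the contents of %SystemRoot%\system32\drivers\etc\hosts on a suspect machine; a non-empty result for a vendor domain is a strong sign of this kind of tampering.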