| Malware name | Worm.Mytob.HT |
| Type | Worm |
| Affected platform | Win32 |
| Media-Type | application/executable |
| MD5 checksum | E1FB8181D12248F0B633FCDDA38141F9 |
| Static file | yes |
| Filesize | 66,937 Bytes |
| Wildlist entry | yes |

Alias names (also known as)
| Webwasher Proactive | Win32.Malware.gen |
| Sophos | W32/Mytob-KD |
| McAfee | W32/Mytob.gen@MM |
| CA ETrust | Win32/Mytob.NR |

Protection
| Webwasher Proactive | Database Version: 63 |

Side effects
- Blocks access to certain websites
- Blocks access to security websites
- Drops malicious files
- Uses its own Email engine
- Lowers security settings
- Registry modification
- Third party control

Propagation: Email
Description:
Files
It copies itself to the following location:
• %SYSDIR%\ctech.exe
It overwrites a file.
– %SYSDIR%\drivers\etc\hosts
Registry
The following registry key is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
• "WINDOWS SYSTEM"="ctech.exe"
One of the following values is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "WINDOWS SYSTEM"="ctech.exe"
The following registry key is changed in order to deactivate the Windows XP firewall (the SharedAccess service):
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
New value:
• "Start"=dword:0x00000004 (service start type set to Disabled)
Email
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server is established. The characteristics are described in the following:
From: The sender address is spoofed.
Generated addresses. Please do not assume that it was the sender's intention to send this email to you. The apparent sender might not know about the infection or might not even be infected at all. Furthermore it is possible that you will receive bounced emails telling you that you are infected. This might also not be the case.
To: – Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)
– Generated addresses
Subject: One of the following:
• *DETECTED* Online User Violation
• Important Notification
• Notice of account limitation
• Warning Message: Your services near to be closed.
• You have successfully updated your password
• YOUR ACCOUNT IS SUSPENDED FOR SECURITY REASONS
• Your password has been successfully updated
• Your password has been updated
Body: – Contains HTML code.
The body of the email is one of the following:
•
Dear user %s, You have successfully updated the password of your %s account.
If you did not authorize this change or if you need assistance with your account, please contact %s customer service at: %s
Thank you for using %s!
The %s Support Team
+++ Attachment: No Virus (Clean)
+++ %s Antivirus - www.%s
•
Dear user %s, It has come to our attention that your %s User Profile ( x ) records are out of date. For further details see the attached document.
Thank you for using %s!
The %s Support Team
+++ Attachment: No Virus (Clean)
+++ %s Antivirus - www.%s
•
Dear %s Member, We have temporarily suspended your email account %s.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
See the details to reactivate your %s account.
Sincerely,The %s Support Team
+++ Attachment: No Virus (Clean)
+++ %s Antivirus - www.%s
•
Dear %s Member, Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to cancel your membership.
Virtually yours,
The %s Support Team
+++ Attachment: No Virus found
+++ %s Antivirus - www.%s
Attachment: The filename of the attachment is constructed out of the following:
– It starts with one of the following:
• important-details
• accepted-password
• account-details
• account-info
• account-password
• account-report
• document
• email-details
• email-password
• updated-password
• new-password
• approved-password
• password
• readme
The file extension is one of the following:
• zip
• pif
• scr
• exe
• cmd
• bat
The attachment is a copy of the malware itself.
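The subject lines, attachment-name prefixes and extensions listed above are the kind of indicators a mail gateway can match on. The following is an added example, not code from the original description or from the vendor: a small triage function that parses a MIME message with Python's `email` package and reports which of the page's lure characteristics it carries. The sample message is constructed here for the test; its addresses use the reserved `example.test` domain.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure characteristics taken from the page's description of the worm's mails.
LURE_SUBJECTS = {
    "*DETECTED* Online User Violation",
    "Important Notification",
    "Notice of account limitation",
    "Warning Message: Your services near to be closed.",
    "You have successfully updated your password",
    "YOUR ACCOUNT IS SUSPENDED FOR SECURITY REASONS",
    "Your password has been successfully updated",
    "Your password has been updated",
}
NAME_PREFIXES = (
    "important-details", "accepted-password", "account-details", "account-info",
    "account-password", "account-report", "document", "email-details",
    "email-password", "updated-password", "new-password", "approved-password",
    "password", "readme",
)
EXEC_EXTENSIONS = {"zip", "pif", "scr", "exe", "cmd", "bat"}
FAKE_SCAN_FOOTER = "+++ Attachment: No Virus"


def lure_attachment(filename):
    """True if the filename follows the prefix + extension pattern from the page."""
    stem, _, ext = filename.lower().rpartition(".")
    return ext in EXEC_EXTENSIONS and stem.startswith(NAME_PREFIXES)


def triage(raw_bytes):
    """Return the list of reasons a raw RFC 5322 message looks like a
    Mytob-style lure. An empty list means none of the indicators matched."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []

    subject = (msg["Subject"] or "").strip()
    if subject in LURE_SUBJECTS:
        reasons.append(f"lure subject: {subject!r}")

    # Attachments whose name is built from the worm's prefix/extension lists.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if lure_attachment(name):
            reasons.append(f"lure attachment: {name}")

    # The bodies end with a fake "scanned, no virus" footer.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and FAKE_SCAN_FOOTER in body.get_content():
        reasons.append("fake 'no virus' footer in body")
    return reasons


def build_sample():
    """Constructed sample message mimicking the lure described on the page."""
    m = EmailMessage()
    m["From"] = "support@example.test"   # constructed, spoofed-looking sender
    m["To"] = "john@example.test"
    m["Subject"] = "Your password has been updated"
    m.set_content(
        "Dear user john, You have successfully updated the password of your account.\n"
        "+++ Attachment: No Virus (Clean)\n"
    )
    # Attachment content is a constructed placeholder, not the malware.
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="account-password.zip")
    return m.as_bytes()


def build_clean_sample():
    """Constructed ordinary message that should trigger nothing."""
    m = EmailMessage()
    m["From"] = "alice@example.test"
    m["To"] = "bob@example.test"
    m["Subject"] = "Lunch tomorrow?"
    m.set_content("Noon at the usual place?\n")
    return m.as_bytes()


if __name__ == "__main__":
    for reason in triage(build_sample()):
        print("flag:", reason)
    print("clean message reasons:", triage(build_clean_sample()))
```

Each matched indicator is returned separately so a gateway can weight them; a subject match alone is weak, while an executable attachment with a lure-style name plus the fake footer is a much stronger signal.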
Mailing
Search addresses: It searches the following files for email addresses:
• txt; htm; sht; jsp; cgi; xml; php; dbx; tbb; adb; html; wab
Address generation for TO field: To generate addresses it uses the following strings:
• john; josh; alex; michael; james; mike; kevin; david; george; sam;
andrew; jose; leo; maria; jim; brian; serg; mary; ray; tom; peter;
robert; bob; jane; joe; dan; dave; matt; steve; smith; stan; bill;
bob; jack; fred; ted; paul; brent; sales; anna; brenda; claudia;
debby; helen; jerry; jimmy; julie; linda; michael; frank; adam; sandra
It combines the result with domains that were found in files, which were previously searched for addresses.
Address generation for FROM field: To generate addresses it uses the following strings:
• support
• administrator
• mail
• service
• admin
• info
• register
• webmaster
It combines the result with domains that were found in files, which were previously searched for addresses.
Prepend MX strings: In order to get the IP address of the mail server it has the ability to prepend the following strings to the domain name:
• mx
• mail
• smtp
• mx1
• mxs
• mail1
• relay
• ns
• gate
IRC
To deliver system information and to provide remote control it connects to the following IRC Server:
Server: server.ic**********.com
Port: 5190
Channel: #*legit
Nickname: [XDCC]-%random character string%
Password: legitshit
– This malware has the ability to collect and send information such as:
• Free disk space
• Free memory
• Malware uptime
• Size of memory
• Information about the Windows operating system
– Furthermore it has the ability to perform actions such as:
• Download file
• Join IRC channel
• Leave IRC channel
• Update itself
• Visit a website
Hosts
The hosts file is modified as follows:
– In this case already existing entries remain unmodified.
– Access to the following domains is effectively blocked:
• 127.0.0.1 www.symantec.com; 127.0.0.1 securityresponse.symantec.com;
127.0.0.1 symantec.com; 127.0.0.1 www.sophos.com;
127.0.0.1 sophos.com; 127.0.0.1 www.mcafee.com; 127.0.0.1 mcafee.com;
127.0.0.1 liveupdate.symantecliveupdate.com;
127.0.0.1 www.viruslist.com; 127.0.0.1 viruslist.com;
127.0.0.1 viruslist.com; 127.0.0.1 f-secure.com;
127.0.0.1 www.f-secure.com; 127.0.0.1 kaspersky.com;
127.0.0.1 kaspersky-labs.com; 127.0.0.1 www.avp.com;
127.0.0.1 www.kaspersky.com; 127.0.0.1 avp.com;
127.0.0.1 www.networkassociates.com; 127.0.0.1 networkassociates.com;
127.0.0.1 www.ca.com; 127.0.0.1 ca.com; 127.0.0.1 mast.mcafee.com;
127.0.0.1 my-etrust.com; 127.0.0.1 www.my-etrust.com;
127.0.0.1 download.mcafee.com; 127.0.0.1 dispatch.mcafee.com;
127.0.0.1 secure.nai.com; 127.0.0.1 nai.com; 127.0.0.1 www.nai.com;
127.0.0.1 update.symantec.com; 127.0.0.1 updates.symantec.com;
127.0.0.1 us.mcafee.com; 127.0.0.1 liveupdate.symantec.com;
127.0.0.1 customer.symantec.com; 127.0.0.1 rads.mcafee.com;
127.0.0.1 trendmicro.com; 127.0.0.1 pandasoftware.com;
127.0.0.1 www.pandasoftware.com; 127.0.0.1 www.trendmicro.com;
127.0.0.1 www.grisoft.com; 127.0.0.1 www.microsoft.com;
127.0.0.1 microsoft.com; 127.0.0.1 www.virustotal.com;
127.0.0.1 virustotal.com; 127.0.0.1 www.amazon.com;
127.0.0.1 www.amazon.co.uk; 127.0.0.1 www.amazon.ca;
127.0.0.1 www.amazon.fr; 127.0.0.1 www.paypal.com;
127.0.0.1 paypal.com; 127.0.0.1 moneybookers.com;
127.0.0.1 www.moneybookers.com; 127.0.0.1 www.ebay.com;
127.0.0.1 ebay.com
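Loopback entries for security-vendor and payment domains in the hosts file are a simple, high-confidence sign of this family's tampering, and they are easy to audit offline. The following is an added example, not code from the original description or from the vendor: a parser for hosts-file syntax that flags any entry mapping one of the page's listed domains (or a subdomain of it) to a loopback or unspecified address. The sample hosts content is constructed here; `example.test` is a reserved name.

```python
import ipaddress

# Domains from the page's list of blocked sites (registrable parts only);
# subdomains such as www. or liveupdate. are matched by suffix.
WATCHED_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "kaspersky-labs.com",
    "avp.com", "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com", "pandasoftware.com", "grisoft.com", "microsoft.com",
    "virustotal.com", "amazon.com", "amazon.co.uk", "amazon.ca", "amazon.fr",
    "paypal.com", "moneybookers.com", "ebay.com",
)


def watched_suffix(hostname, watched=WATCHED_DOMAINS):
    """Return the watched domain that hostname equals or lies under, else None."""
    hostname = hostname.lower().rstrip(".")
    for dom in watched:
        if hostname == dom or hostname.endswith("." + dom):
            return dom
    return None


def parse_hosts(text):
    """Yield (lineno, ip_address, [hostnames]) for each hosts mapping.
    Comments (#...) and blank lines are skipped; lines whose first field is
    not an IP address are ignored rather than guessed at."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield lineno, ip, fields[1:]


def find_hijacked_entries(text, watched=WATCHED_DOMAINS):
    """Return [(lineno, ip, hostname, watched_domain)] for every entry that
    sends a watched domain to a loopback (127/8, ::1) or unspecified
    (0.0.0.0, ::) address, i.e. effectively blocks it."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        for name in names:
            hit = watched_suffix(name, watched)
            if hit:
                findings.append((lineno, str(ip), name.lower(), hit))
    return findings


# Constructed sample: a stock hosts file with tampered entries appended.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "127.0.0.1       localhost\n"
    "# --- constructed sample of tampered entries ---\n"
    "127.0.0.1 www.symantec.com\n"
    "127.0.0.1 liveupdate.symantecliveupdate.com\n"
    "0.0.0.0 update.symantec.com\n"
    "127.0.0.1 www.amazon.com   # shopping site redirected too\n"
    "192.168.1.10 intranet.example.test\n"
)


if __name__ == "__main__":
    # On a Windows host the file to read is %SYSDIR%\drivers\etc\hosts.
    for lineno, ip, name, dom in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip} (blocks {dom})")
```

The legitimate `127.0.0.1 localhost` line and the internal-address entry are not reported: only a loopback or unspecified target combined with a watched domain counts. Matching on the registrable domain rather than the exact strings from the page catches variants that add or drop a `www.` prefix.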
Process termination
The memory of active processes is searched for the following strings. If a match is found, the process is terminated:
• ACKWIN32.EXE; ADAWARE.EXE; ADVXDWIN.EXE; AGENTSVR.EXE; AGENTW.EXE;
ALERTSVC.EXE; ALEVIR.EXE; ALOGSERV.EXE; AMON9X.EXE; ANTI-TROJAN.EXE;
ANTIVIRUS.EXE; ANTS.EXE; APIMONITOR.EXE; APLICA32.EXE; APVXDWIN.EXE;
ARR.EXE; ATCON.EXE; ATGUARD.EXE; ATRO55EN.EXE; ATUPDATER.EXE;
ATUPDATER.EXE; ATWATCH.EXE; AU.EXE; AUPDATE.EXE; AUPDATE.EXE;
AUTODOWN.EXE; AUTODOWN.EXE; AUTOTRACE.EXE; AUTOTRACE.EXE;
AUTOUPDATE.EXE; AUTOUPDATE.EXE; AVCONSOL.EXE; AVE32.EXE; AVGCC32.EXE;
AVGCTRL.EXE; AVGNT.EXE; AVGSERV.EXE; AVGSERV9.EXE; AVGUARD.EXE;
AVGW.EXE; AVKPOP.EXE; AVKSERV.EXE; AVKSERVICE.EXE; AVKWCTl9.EXE;
AVLTMAIN.EXE; AVNT.EXE; AVP.EXE; AVP32.EXE; AVPCC.EXE; AVPDOS32.EXE;
AVPM.EXE; AVPTC32.EXE; AVPUPD.EXE; AVPUPD.EXE; AVSCHED32.EXE;
AVSYNMGR.EXE; AVWINNT.EXE; AVWUPD.EXE; AVWUPD32.EXE; AVWUPD32.EXE;
AVWUPSRV.EXE; AVXMONITOR9X.EXE; AVXMONITORNT.EXE; AVXQUAR.EXE;
AVXQUAR.EXE; BACKWEB.EXE; BARGAINS.EXE; BD_PROFESSIONAL.EXE;
BEAGLE.EXE; BELT.EXE; BIDEF.EXE; BIDSERVER.EXE; BIPCP.EXE;
BIPCPEVALSETUP.EXE; BISP.EXE; BLACKD.EXE; BLACKICE.EXE; BLSS.EXE;
BOOTCONF.EXE; BOOTWARN.EXE; BORG2.EXE; BPC.EXE; BRASIL.EXE; BS120.EXE;
BUNDLE.EXE; BVT.EXE; CCAPP.EXE; CCEVTMGR.EXE; CCPXYSVC.EXE; CDP.EXE;
CFD.EXE; CFGWIZ.EXE; CFIADMIN.EXE; CFIAUDIT.EXE; CFIAUDIT.EXE;
CFINET.EXE; CFINET32.EXE; CLEAN.EXE; CLEANER.EXE; CLEANER3.EXE;
CLEANPC.EXE; CLICK.EXE; CMD32.EXE; CMESYS.EXE; CMGRDIAN.EXE;
CMON016.EXE; CONNECTIONMONITOR.EXE; CPD.EXE; CPF9X206.EXE;
CPFNT206.EXE; CTRL.EXE; CV.EXE; CWNB181.EXE; CWNTDWMO.EXE;
CLAW95CF.EXE; DATEMANAGER.EXE; DCOMX.EXE; DEFALERT.EXE;
DEFSCANGUI.EXE; DEFWATCH.EXE; DEPUTY.EXE; DIVX.EXE; DLLCACHE.EXE;
DLLREG.EXE; DOORS.EXE; DPF.EXE; DPFSETUP.EXE; DPPS2.EXE; DRWATSON.EXE;
DRWEB32.EXE; DRWEBUPW.EXE; DSSAGENT.EXE; DVP95.EXE; DVP95_0.EXE;
ECENGINE.EXE; EFPEADM.EXE; EMSW.EXE; ENT.EXE; ESAFE.EXE; ESCANHNT.EXE;
ESCANV95.EXE; ESPWATCH.EXE; ETHEREAL.EXE; ETRUSTCIPE.EXE; EVPN.EXE;
EXANTIVIRUS-CNET.EXE; EXE.AVXW.EXE; EXPERT.EXE; EXPLORE.EXE;
F-PROT.EXE; F-PROT95.EXE; F-STOPW.EXE; FAMEH32.EXE; FAST.EXE;
FCH32.EXE; FIH32.EXE; FINDVIRU.EXE; FIREWALL.EXE; FNRB32.EXE;
FP-WIN.EXE; FP-WIN_TRIAL.EXE; FPROT.EXE; FRW.EXE; FSAA.EXE; FSAV.EXE;
FSAV32.EXE; FSAV530STBYB.EXE; FSAV530WTBYB.EXE; FSAV95.EXE;
FSGK32.EXE; FSM32.EXE; FSMA32.EXE; FSMB32.EXE; GATOR.EXE; GBMENU.EXE;
GBPOLL.EXE; GENERICS.EXE; GMT.EXE; GUARD.EXE; GUARDDOG.EXE;
HACKTRACERSETUP.EXE; HBINST.EXE; HBSRV.EXE; HOTACTIO.EXE;
HOTPATCH.EXE; HTLOG.EXE; HTPATCH.EXE; HWPE.EXE; HXDL.EXE; HXIUL.EXE;
IAMAPP.EXE; IAMSERV.EXE; IAMSTATS.EXE; IBMASN.EXE; IBMAVSP.EXE;
ICLOADNT.EXE; ICMON.EXE; ICSUPP95.EXE; ICSUPPNT.EXE; IDLE.EXE;
IEDLL.EXE; IEDRIVER.EXE; IEXPLORER.EXE; IFACE.EXE; IFW2000.EXE;
INETLNFO.EXE; INFUS.EXE; INFWIN.EXE; INIT.EXE; INTDEL.EXE; INTREN.EXE;
IOMON98.EXE; ISTSVC.EXE; JAMMER.EXE; JDBGMRG.EXE; JEDI.EXE;
KAVLITE40ENG.EXE; KAVPERS40ENG.EXE; KAVPF.EXE; KAZZA.EXE;
KEENVALUE.EXE; KERIO-PF-213-EN-WIN.EXE; KERIO-WRL-421-EN-WIN.EXE;
KERIO-WRP-421-EN-WIN.EXE; KERNEL32.EXE; KILLPROCESSSETUP161.EXE;
LAUNCHER.EXE; LDNETMON.EXE; LDPRO.EXE; LDPROMENU.EXE; LDSCAN.EXE;
LNETINFO.EXE; LOADER.EXE; LOCALNET.EXE; LOCKDOWN.EXE;
LOCKDOWN2000.EXE; LOOKOUT.EXE; LORDPE.EXE; LSETUP.EXE; LUALL.EXE;
LUALL.EXE; LUAU.EXE; LUCOMSERVER.EXE; LUINIT.EXE; LUSPT.EXE;
MAPISVC32.EXE; MCAGENT.EXE; MCMNHDLR.EXE; MCSHIELD.EXE; MCTOOL.EXE;
MCUPDATE.EXE; MCUPDATE.EXE; MCVSRTE.EXE; MCVSSHLD.EXE; MD.EXE;
MFIN32.EXE; MFW2EN.EXE; MFWENG3.02D30.EXE; MGAVRTCL.EXE; MGAVRTE.EXE;
MGHTML.EXE; MGUI.EXE; MINILOG.EXE; MMOD.EXE; MONITOR.EXE; MOOLIVE.EXE;
MOSTAT.EXE; MPFAGENT.EXE; MPFSERVICE.EXE; MPFTRAY.EXE; MRFLUX.EXE;
MSAPP.EXE; MSBB.EXE; MSBLAST.EXE; MSCACHE.EXE; MSCCN32.EXE;
MSCMAN.EXE; MSCONFIG.EXE; MSDM.EXE; MSDOS.EXE; MSIEXEC16.EXE;
MSINFO32.EXE; MSLAUGH.EXE; MSMGT.EXE; MSMSGRI32.EXE; MSSMMC32.EXE;
MSSYS.EXE; MSVXD.EXE; MU0311AD.EXE; MWATCH.EXE; N32SCANW.EXE; NAV.EXE;
AUTO-PROTECT.NAV80TRY.EXE; NAVAP.NAVAPSVC.EXE; NAVAPSVC.EXE;
NAVAPW32.EXE; NAVDX.EXE; NAVLU32.EXE; NAVNT.EXE; NAVSTUB.EXE;
NAVW32.EXE; NAVWNT.EXE; NC2000.EXE; NCINST4.EXE; NDD32.EXE;
NEOMONITOR.EXE; NEOWATCHLOG.EXE; NETARMOR.EXE; NETD32.EXE;
NETINFO.EXE; NETMON.EXE; NETSCANPRO.EXE; NETSPYHUNTER-1.2.EXE;
NETSTAT.EXE; NETUTILS.EXE; NISSERV.EXE; NISUM.EXE; NMAIN.EXE;
NOD32.EXE; NORMIST.EXE; NORTON_INTERNET_SECU_3.0_407.EXE;
NOTSTART.EXE; NPF40_TW_98_NT_ME_2K.EXE; NPFMESSENGER.EXE;
NPROTECT.EXE; NPSCHECK.EXE; NPSSVC.EXE; NSCHED32.EXE; NSSYS32.EXE;
NSTASK32.EXE; NSUPDATE.EXE; NT.EXE; NTRTSCAN.EXE; NTVDM.EXE;
NTXconfig.EXE; NUI.EXE; NUPGRADE.EXE; NUPGRADE.EXE; NVARCH16.EXE;
NVC95.EXE; NVSVC32.EXE; NWINST4.EXE; NWSERVICE.EXE; NWTOOL16.EXE;
OLLYDBG.EXE; ONSRVR.EXE; OPTIMIZE.EXE; OSTRONET.EXE; OTFIX.EXE;
OUTPOST.EXE; OUTPOST.EXE; OUTPOSTINSTALL.EXE; OUTPOSTPROINSTALL.EXE;
PADMIN.EXE; PANIXK.EXE; PATCH.EXE; PAVCL.EXE; PAVPROXY.EXE;
PAVSCHED.EXE; PAVW.EXE; PCFWALLICON.EXE; PCIP10117_0.EXE; PCSCAN.EXE;
PDSETUP.EXE; PERISCOPE.EXE; PERSFW.EXE; PERSWF.EXE; PF2.EXE;
PFWADMIN.EXE; PGMONITR.EXE; PINGSCAN.EXE; PLATIN.EXE; POP3TRAP.EXE;
POPROXY.EXE; POPSCAN.EXE; PORTDETECTIVE.EXE; PORTMONITOR.EXE;
POWERSCAN.EXE; PPINUPDT.EXE; PPTBC.EXE; PPVSTOP.EXE; PRIZESURFER.EXE;
PRMT.EXE; PRMVR.EXE; PROCDUMP.EXE; PROCESSMONITOR.EXE;
PROCEXPLORERV1.0.EXE; PROGRAMAUDITOR.EXE; PROPORT.EXE; PROTECTX.EXE;
PSPF.EXE; PURGE.EXE; QCONSOLE.EXE; QSERVER.EXE; RAPAPP.EXE; RAV7.EXE;
RAV7WIN.EXE; RAV8WIN32ENG.EXE; RAY.EXE; RB32.EXE; RCSYNC.EXE;
REALMON.EXE; REGED.EXE; REGEDIT.EXE; REGEDT32.EXE; RESCUE.EXE;
RESCUE32.EXE; RRGUARD.EXE; RScash.EXE; RTVSCAN.EXE; RTVSCN95.EXE;
RULAUNCH.EXE; RUN32DLL.EXE; RUNDLL.EXE; RUNDLL16.EXE; RUXDLL32.EXE;
SAFEWEB.EXE; SAHAGENT.EXE; SAVE.EXE; SAVENOW.EXE; SBSERV.EXE; SC.EXE;
SCAM32.EXE; SCAN32.EXE; SCAN95.EXE; SCANPM.EXE; SCRSCAN.EXE;
SETUPVAMEEVAL.EXE; SETUP_FLOWPROTECTOR_US.EXE; SFC.EXE; SGSSFW32.EXE;
SH.EXE; SHELLSPYINSTALL.EXE; SHN.EXE; SHOWBEHIND.EXE; SMC.EXE;
SMS.EXE; SMSS32.EXE; SOAP.EXE; SOFI.EXE; SPERM.EXE; SPF.EXE;
SPHINX.EXE; SPOLER.EXE; SPOOLCV.EXE; SPOOLSV32.EXE; SPYXX.EXE;
SREXE.EXE; SRNG.EXE; SS3EDIT.EXE; SSGRATE.EXE; SSG_4104.EXE; ST2.EXE;
START.EXE; STCLOADER.EXE; SUPFTRL.EXE; SUPPORT.EXE; SUPPORTER5.EXE;
SVC.EXE; SVCHOSTC.EXE; SVCHOSTS.EXE; SVSHOST.EXE; SWEEP95.EXE;
SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE; SYMPROXYSVC.EXE; SYMTRAY.EXE;
SYSEDIT.EXE; SYSTEM.EXE; SYSTEM32.EXE; SYSUPD.EXE; TASKMG.EXE;
TASKMO.EXE; TASKMON.EXE; TAUMON.EXE; TBSCAN.EXE; TC.EXE; TCA.EXE;
TCM.EXE; TDS-3.EXE; TDS2-NT.EXE; TEEKIDS.EXE; TFAK.EXE; TFAK5.EXE;
TGBOB.EXE; TITANIN.EXE; TITANINXP.EXE; TRACERT.EXE; TRICKLER.EXE;
TRJSCAN.EXE; TRJSETUP.EXE; TROJANTRAP3.EXE; TSADBOT.EXE; TVMD.EXE;
TVTMD.EXE; UNDOBOOT.EXE; UPDAT.EXE; UPDATE.EXE; UPDATE.EXE;
UPGRAD.EXE; UTPOST.EXE; VBCMSERV.EXE; VBCONS.EXE; VBUST.EXE;
VBWIN9X.EXE; VBWINNTW.EXE; VCSETUP.EXE; VET32.EXE; VET95.EXE;
VETTRAY.EXE; VFSETUP.EXE; VIR-HELP.EXE; VIRUSMDPERSONALFIREWALL.EXE;
VNLAN300.EXE; VNPC3000.EXE; VPC32.EXE; VPC42.EXE; VPFW30S.EXE;
VPTRAY.EXE; VSCAN40.EXE; VSCENU6.02D30.EXE; VSCHED.EXE; VSECOMR.EXE;
VSHWIN32.EXE; VSISETUP.EXE; VSMAIN.EXE; VSMON.EXE; VSSTAT.EXE;
VSWIN9XE.EXE; VSWINNTSE.EXE; VSWINPERSE.EXE; W32DSM89.EXE; W9X.EXE;
WATCHDOG.EXE; WEBDAV.EXE; WEBSCANX.EXE; WEBTRAP.EXE; WFINDV32.EXE;
WHOSWATCHINGME.EXE; WIMMUN32.EXE; WIN-BUGSFIX.EXE; WIN32.EXE;
WIN32US.EXE; WINACTIVE.EXE; WINDOW.EXE; WINDOWS.EXE; WININETD.EXE;
WININIT.EXE; WININITX.EXE; WINLOGIN.EXE; WINMAIN.EXE; WINNET.EXE;
WINPPR32.EXE; WINRECON.EXE; WINSERVN.EXE; WINSSK32.EXE; WINSTART.EXE;
WINSTART001.EXE; WINTSK32.EXE; WINUPDATE.EXE; WKUFIND.EXE; WNAD.EXE;
WNT.EXE; WRADMIN.EXE; WRCTRL.EXE; WSBGATE.EXE; WUPDATER.EXE;
WUPDT.EXE; WYVERNWORKSFIREWALL.EXE; XPF202EN.EXE; ZAPRO.EXE;
ZAPSETUP3001.EXE; ZATUTOR.EXE; ZONALM2601.EXE; ZONEALARM.EXE;
_AVP32.EXE; _AVPCC.EXE; _AVPM.EXE; CMD.EXE; TASKMGR.EXE; NEC.EXE
Miscellaneous
Anti debugging: It checks whether one of the following (device) files is present; these names belong to kernel debuggers and monitoring tools such as SoftICE, TRW2000, IceExt, RegMon and FileMon:
• \\.\SICE
• \\.\SIWVID
• \\.\NTICE
• \\.\REGSYS
• \\.\REGVXG
• \\.\FILEVXG
• \\.\FILEM
• \\.\TRW
• \\.\ICEEXT
If successful, it terminates immediately.
File details
Runtime packer: In order to hinder detection and reduce the file size, it is packed with a runtime packer.