FRISK Software International


Summary of W32/Mytob.D@mm
Discovered: 2 Mar 2005
Definition files: 2 Mar 2005
Risk Level: Medium
Distribution: High

Brief Description
W32/Mytob.D is a mass mailing worm. The worm opens a backdoor by connecting to an IRC channel and accepts commands from there. It tries to exploit vulnerabilities to infect other machines and sends itself as an attachment to a spoofed e-mail.
Technical Description
W32/Mytob.D creates the mutex "D66" to make sure only one instance of the worm is running.

Prepends the following strings to the domain name, in an attempt to locate a mail server:

gate.
ns.
relay.
mail1.
mxs.
mx1.
smtp.
mail.
mx.

Filesystem

Copies itself to "%WINDIR%\system32\wfdmgr.exe" and executes it.

Searches available hard drives for files with the following extensions:

wab
pl
adb
tbb
dbx
asp
php
sht
htm

and tries to harvest e-mail addresses from them.

Registry

Adds the value:

"LSA"="wfdmgr.exe"

to the following keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
[HKEY_CURRENT_USER\Software\Microsoft\OLE]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa]

to make sure it runs every time Windows is started.

Queries the key:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager]

to try to locate a mail server.

Mail routine

Sends itself as an attachment to an e-mail with the following characteristics:

The worm may spoof the e-mail so it looks like it is coming from an e-mail address %name%@%domain%

where %name% is one of the following:

sandra
linda
julie
jimmy
jerry
helen
debby
claudia
brenda
anna
alice
brent
adam
ted
fred
jack
bill
stan
smith
steve
matt
dave
dan
joe
jane
bob
robert
peter
tom
ray
mary
serg
brian
jim
maria
leo
jose
andrew
sam
george
david
kevin
mike
james
michael
alex
john

and %domain% is one of the following:

hotmail.com
yahoo.com
msn.com
aol.com

Subject is one of the following:

Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
hi

Attaches itself as the file %filename%.%ext%, where %filename% is one of the following:

body
message
test
data
file
text
doc
readme
document

and %ext% is one of the following:

bat
cmd
exe
scr
pif
doc
txt
htm
tmp
zip

Avoids sending itself to e-mail addresses containing the following strings:

accoun
certific
listserv
ntivi
support
icrosoft
admin
page
the.bat
gold-certs
ca
feste
submit
not
help
service
privacy
somebody
no
soft
contact
site
rating
bugs
me
you
your
someone
anyone
nothing
nobody
noone
webmaster
postmaster
samples
info
root
be_loyal:
mozilla
utgers.ed
tanford.e
pgp
acketst
secur
isc.o
isi.e
ripe.
arin.
sendmail
rfc-ed
ietf
iana
usenet
fido
linux
kernel
google
ibm.com
fsf.
gnu
mit.e
bsd
math
unix
berkeley
foo.
.mil
gov.
.gov
ruslis
nodomai
mydomai
example
inpris
borlan
sopho
panda
hotmail
msn.
icrosof
syma
avp
.edu
abuse
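The mail characteristics above turned into a gateway-side detection check, as an added example that is not F-PROT's own code; the sample message is constructed, and the sender-name list is matched only against the local part of the From address.

```python
from email import message_from_bytes, policy, utils
# Indicator lists transcribed from the description above.
SPOOFED_NAMES = set("""sandra linda julie jimmy jerry helen debby claudia brenda
anna alice brent adam ted fred jack bill stan smith steve matt dave dan joe jane
bob robert peter tom ray mary serg brian jim maria leo jose andrew sam george
david kevin mike james michael alex john""".split())
SPOOFED_DOMAINS = {"hotmail.com", "yahoo.com", "msn.com", "aol.com"}
SUBJECTS = {"error", "status", "server report", "mail transaction failed",
            "mail delivery system", "hello", "hi"}
FILENAMES = {"body", "message", "test", "data", "file", "text", "doc",
             "readme", "document"}
EXTENSIONS = {"bat", "cmd", "exe", "scr", "pif", "doc", "txt", "htm", "tmp", "zip"}

def mytob_indicators(raw: bytes) -> list[str]:
    """Return the W32/Mytob.D mail characteristics a raw RFC 822 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    _, addr = utils.parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    if local in SPOOFED_NAMES and domain in SPOOFED_DOMAINS:
        hits.append(f"sender {addr}")
    subject = str(msg.get("Subject", "")).strip()
    if subject.lower() in SUBJECTS:
        hits.append(f"subject {subject}")
    for part in msg.iter_attachments():  # skips the text body part(s)
        name = (part.get_filename() or "").lower()
        base, _, ext = name.rpartition(".")
        if base in FILENAMES and ext in EXTENSIONS:
            hits.append(f"attachment {name}")
    return hits

def looks_like_mytob(raw: bytes) -> bool:
    """Flag only when the attachment pattern coincides with a sender or subject match."""
    hits = mytob_indicators(raw)
    return any(h.startswith("attachment") for h in hits) and len(hits) >= 2

# Constructed sample message (not a real capture) in the shape described above.
SAMPLE = b"""From: jimmy@hotmail.com
Subject: Mail Transaction Failed
Content-Type: multipart/mixed; boundary="b1"

--b1

See attachment.
--b1
Content-Type: application/octet-stream; name="document.zip"

AAAA
--b1--
"""
```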
Removal Instructions
For general removal instructions, please click here.

Marteinn Þór Harðarson