FRISK Software International


Summary of W32/Mytob.QG@mm
Discovered: 11 Jan 2006
Definition files: 11 Jan 2006
Risk Level: Medium
Distribution: Medium
 

Brief Description
W32/Mytob.QG@mm is a mass-mailing worm with an IRC backdoor. It harvests e-mail addresses from files on the infected machine and sends itself as an attachment to those addresses, using its own SMTP engine. It also connects to an IRC channel and accepts remote commands from there. It may try to steal credit card information.


Technical Description
Filesystem

When first run, the worm copies itself to %WINDIR%\system32\smsks.exe and executes it before terminating itself.

It harvests e-mail addresses on all available hard drives, in all files having one of the following extensions:

txt
htm
sht
jsp
cgi
xml
php
asp
dbx
tbb
adb
html
wab

Registry

Adds the value:

"Microsoft Services Manual Contrl"="smsks.exe"

To the keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce]

To make sure it's run at Windows startup.

Creates the key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Services Manual Contrl]

and adds several subkeys and values to it so that the worm is run as a service at startup.

Queries the key:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts]

in an attempt to locate a mail server.

Queries the key:

[HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name]

to try to find the user's address book.


Mail routine

The worm sends itself as an attachment to an e-mail with the following characteristics:

The worm may spoof the From address.

Attached is a file named %name%.zip containing the file %name%.%dbl_ext%, where %name% is one of the following:

account-details
account-info
account-report
document
email-details
important-details
information
readme

and %dbl_ext% is one of the following extensions:

doc
txt
htm
tmp

followed by a long run of blank spaces and then one of the following:

.bat
.cmd
.exe
.scr
.pif
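The padded double extension described above is easy to flag at the mail gateway. The following is an added detection example, not part of the FRISK description: it inspects the names of members inside a zip attachment and reports names that match the exact Mytob.QG lure, or more generally any name that hides an executable extension behind a run of spaces. The sample archive is constructed inline with an inert text payload and is not a real worm sample.

```python
import io
import re
import zipfile

# Lure components taken from the description above.
LURE_NAMES = {"account-details", "account-info", "account-report", "document",
              "email-details", "important-details", "information", "readme"}
FIRST_EXTS = {"doc", "txt", "htm", "tmp"}
EXEC_EXTS = {"bat", "cmd", "exe", "scr", "pif"}

# <name>.<first ext><one or more spaces>.<real ext>
# The spaces push the real extension out of view in a narrow attachment column.
PADDED_RE = re.compile(
    r"^(?P<name>[^.\s]+)\.(?P<first>[a-z]+)(?P<pad> +)\.(?P<exec>[a-z]+)$",
    re.IGNORECASE,
)


def classify_attachment_name(filename):
    """Return 'mytob-qg' for the exact lure, 'padded-double-ext' for the
    generic trick with any executable extension, or None if the name is clean."""
    m = PADDED_RE.match(filename)
    if not m or m.group("exec").lower() not in EXEC_EXTS:
        return None
    if m.group("name").lower() in LURE_NAMES and m.group("first").lower() in FIRST_EXTS:
        return "mytob-qg"
    return "padded-double-ext"


def scan_zip(data):
    """Scan the raw bytes of a zip attachment; return (member name, verdict)
    for every member whose name is suspicious. Contents are never executed."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            verdict = classify_attachment_name(info.filename)
            if verdict:
                hits.append((info.filename, verdict))
    return hits


def build_sample_zip():
    """Constructed test archive (hypothetical, not a captured sample):
    one lure-named member holding inert text, one benign member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("account-details.doc" + " " * 80 + ".exe", b"inert placeholder text")
        zf.writestr("notes.txt", b"benign content")
    return buf.getvalue()
```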

The worm avoids sending itself to e-mail addresses containing any of the following substrings in the name field:

root
info
samples
postmaster
webmaster
noone
nobody
nothing
anyone
someone
your
you
bugs
rating
site
contact
soft
somebody
privacy
service
help
not
submit
feste
gold-certs
the.bat
page
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
google
accoun
spm
fcnz
www
secur
abuse
support
administrator
accounts
mail
service
admin
info
register
webmaster

or containing any of the following substrings in the domain field:

avp
syma
icrosof
msn.
hotmail
panda
sopho
borlan
inpris
example
mydomai
nodomai
ruslis
.gov
gov.
.mil
foo.
berkeley
unix
math
bsd
mit.e
gnu
fsf.
ibm.com
google
kernel
linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
ripe.
isi.e
isc.o
secur
acketst
pgp
tanford.e
utgers.ed
mozilla

Prepends the following strings to the domain name, in an attempt to locate a mail server:

gate.
mail.
mail1.
mx.
mx1.
mxs.
ns.
relay.
smtp.


Removal Instructions
For general removal instructions please click here.

Marteinn Þór Harðarson
 

