FRISK Software International


Summary of W32/Mytob.VU@mm
Discovered: 28 Apr 2006
Definition files: 28 Apr 2006
Risk Level: Medium
Distribution: Low
 

Brief Description
W32/Mytob.VU@mm is a mass-mailing worm with an IRC backdoor. It harvests e-mail addresses from files and sends itself as an attachment to those addresses. It also connects to an IRC channel and accepts remote commands from there. It has its own SMTP engine. It logs keystrokes and opens a backdoor.


Technical Description
Filesystem

When first run, the worm copies itself to %SYSDIR%\osalogbe.exe.

Note: %SYSDIR% refers to the System directory. The default path for the respective operating systems is as follows:
  • Windows 95/98/Me - C:\Windows\System
  • Windows NT/2000 - C:\Winnt\System32
  • Windows XP - C:\Windows\System32



It harvests e-mail addresses on all available hard drives, in all files having one of the following extensions:

wab
adb
tbb
dbx
asp
php
aspx
html
sht
htm

Registry

Adds the value:

"Osalogbe"="%SYSDIR%\osalogbe.exe"

To the key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

so that it is run at Windows startup.

Creates the key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\osunimale]

as an infection marker.

Queries the key:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts]

in an attempt to locate a mail server.

Queries the key:

[HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name]

to try to find the user's address book.
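The two registry indicators above (the "Osalogbe" Run value and the empty marker key under ComDlg32) are easy to check for in a registry export. The following is an added example written for this page, not F-PROT's own tooling: it parses the text of a .reg export and reports either indicator. The sample export is constructed, and its SecurityHealth entry is filler to show that unrelated Run values are ignored.

```python
"""Scan a Windows registry export (.reg text) for the two registry indicators
this description lists: the "Osalogbe" Run value and the osunimale
infection-marker key under ComDlg32.

Added example for this page; it is not F-PROT's own tooling, and the sample
export below is constructed (the SecurityHealth entry is filler)."""
import re

# Indicators as given in the description above (registry paths are
# case-insensitive, so everything is compared lower-cased).
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "osalogbe"
RUN_VALUE_FILE = "osalogbe.exe"
MARKER_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
              r"\Explorer\ComDlg32\osunimale")

VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')


def parse_reg_export(text):
    """Turn a .reg export into {key_lowercase: {value_name: value}}.
    Keys exported without values map to an empty dict, which is exactly
    what the infection marker looks like."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, value = m.group(1), m.group(2)
            if value.startswith('"') and value.endswith('"'):
                # .reg files escape backslashes in string values as \\
                value = value[1:-1].replace("\\\\", "\\")
            keys[current][name] = value
    return keys


def find_indicators(text):
    """Return a list of (kind, key, name, value) tuples, one per indicator hit."""
    keys = parse_reg_export(text)
    findings = []
    for name, value in keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() == RUN_VALUE_NAME or RUN_VALUE_FILE in value.lower():
            findings.append(("run_value", RUN_KEY, name, value))
    if MARKER_KEY.lower() in keys:
        findings.append(("infection_marker", MARKER_KEY, "", ""))
    return findings


# Constructed sample export: one benign Run value, the worm's Run value,
# and the empty marker key.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Osalogbe"="C:\\Windows\\System32\\osalogbe.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\osunimale]
"""

if __name__ == "__main__":
    for kind, key, name, value in find_indicators(SAMPLE_REG_EXPORT):
        print(f"{kind}: [{key}] {name!r} = {value!r}")
```

The Run value is matched both by its name and by the file name in its data, so a renamed value that still points at osalogbe.exe is caught; the marker key is reported by its mere presence, since it carries no values.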


Mail routine

The worm sends itself as an attachment to an e-mail with the following characteristics:

The worm may spoof the From address.

Attached is a file named %name%.%ext%, or %name%.zip containing the file %name%.%ext%, where %name% is one of the following:

body
message
test
data
file
text
doc
readme
document

and %ext% is one of the following extensions:

bat
cmd
exe
scr
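The attachment naming scheme above is a usable gateway rule on its own. The following added example (written for this page, not F-PROT code) flags an attachment whose name is %name%.%ext% from the two lists, or a %name%.zip whose contents include such an executable. It goes slightly beyond the text in one way: any worm-style member inside the archive is flagged, not only one whose base name equals the archive's. The sample attachments are constructed in memory.

```python
"""Mail-gateway style check for the attachment names this description gives:
%name%.%ext%, or %name%.zip wrapping %name%.%ext%, with %name% and %ext%
drawn from the two lists above.

Added example for this page, not F-PROT code. The sample attachments are
constructed in memory."""
import io
import zipfile

NAMES = {"body", "message", "test", "data", "file", "text", "doc", "readme", "document"}
EXTS = {"bat", "cmd", "exe", "scr"}


def split_name(filename):
    """Return (base, extension) lower-cased; extension is "" when absent."""
    base, dot, ext = filename.lower().rpartition(".")
    return (base, ext) if dot else (filename.lower(), "")


def is_worm_style(filename):
    """True for names built as %name%.%ext% from the two lists."""
    base, ext = split_name(filename)
    return base in NAMES and ext in EXTS


def zip_wraps_worm_style(filename, data):
    """True for %name%.zip whose members include a worm-style executable."""
    base, ext = split_name(filename)
    if ext != "zip" or base not in NAMES:
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # strip any directory part before checking the member's name
            return any(is_worm_style(m.rsplit("/", 1)[-1]) for m in zf.namelist())
    except zipfile.BadZipFile:
        # corrupt or not actually a zip: nothing to inspect here
        return False


def classify_attachment(filename, data=b""):
    """Return "ok" or a short reason string saying why the attachment was flagged."""
    if is_worm_style(filename):
        return "suspicious: executable with worm-style name"
    if zip_wraps_worm_style(filename, data):
        return "suspicious: zip wrapping worm-style executable"
    return "ok"


def make_zip(member_name, payload=b"constructed placeholder, not a real binary"):
    """Build a small in-memory zip for the demo (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("readme.scr", b""),
        ("document.zip", make_zip("document.exe")),
        ("data.zip", make_zip("notes.txt")),
        ("report.pdf", b""),
    ]
    for name, data in samples:
        print(f"{name:14} -> {classify_attachment(name, data)}")
```

Comparison is case-insensitive because Windows treats README.SCR and readme.scr as the same file, and a malformed archive is treated as "nothing to inspect" rather than as an error, so a deliberately corrupt zip cannot crash the filter.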

The worm avoids sending itself to e-mail addresses having one of the following strings in the name field:

admin
page
the.bat
gold-certs
feste
submit
not
help
service
privacy
somebody
soft
contact
site
rating
bugs
you
your
someone
anyone
nothing
nobody
noone
webmaster
postmaster
samples
info
root

or containing any of the following substrings in the domain field:

mozilla
utgers.ed
tanford.e
pgp
acketst
secur
isc.o
isi.e
ripe.
arin.
sendmail
rfc-ed
ietf
iana
usenet
fido
kernel
ibm.com
fsf.
gnu
mit.e
math
berkeley
foo.
.mil
gov.
.gov
ruslis
nodomai
mydomai
example
inpris
borlan
sopho
panda
icrosof
syma
avp
accoun
google
certific
listserv
linux
bsd
unix
ntivi
support
icrosoft

Other payloads

Prepends the following strings to the domain name, in an attempt to locate a mail server:

gate.
ns.
relay.
mail1.
mxs.
mx1.
smtp.
mail.
mx.
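Because the worm guesses mail servers by prepending these strings to a recipient's domain, a host that resolves several of the prefixed names for the same domain in quick succession stands out in DNS query logs. The following added example (written for this page, not F-PROT code) implements that check over a constructed log format; the log lines are constructed, and parse_line() is the one function to adapt to a real resolver's format.

```python
"""Detect the mail-server guessing described above in DNS query logs: a host
that resolves several of the prefixed names (gate., ns., relay., ...) for the
same domain is behaving like the worm's SMTP engine, not like a normal mail
client that asks for the domain's MX record.

Added example for this page, not F-PROT code. The log format and the log
lines are constructed; adapt parse_line() to your resolver's format."""
import re
from collections import defaultdict

# Prefixes from the description, longest first so "mail1." is not
# mistaken for "mail." (and "mx1."/"mxs." for "mx.").
MX_GUESS_PREFIXES = sorted(
    ("gate.", "ns.", "relay.", "mail1.", "mxs.", "mx1.", "smtp.", "mail.", "mx."),
    key=len, reverse=True)

# Constructed format: "<timestamp> client <ip> query <name> <type>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\d+\.\d+\.\d+\.\d+) query (?P<qname>\S+) (?P<qtype>\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def split_guess(qname):
    """Return (prefix, domain) if qname starts with a guess prefix, else (None, None)."""
    q = qname.lower().rstrip(".")
    for p in MX_GUESS_PREFIXES:
        if q.startswith(p):
            return p, q[len(p):]
    return None, None


def find_mx_guessing(lines, threshold=3):
    """Return sorted (client, domain, prefix_count) for clients that tried at
    least `threshold` distinct guess prefixes against one domain."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qtype"].upper() != "A":
            continue
        prefix, domain = split_guess(rec["qname"])
        if prefix:
            seen[(rec["client"], domain)].add(prefix)
    return sorted((client, domain, len(prefixes))
                  for (client, domain), prefixes in seen.items()
                  if len(prefixes) >= threshold)


# Constructed sample: 10.0.0.5 walks the prefix list against example.org;
# 10.0.0.9 makes ordinary lookups; the last line is unparseable noise.
SAMPLE_LOG = """\
2006-04-28T10:00:01 client 10.0.0.5 query example.org MX
2006-04-28T10:00:01 client 10.0.0.5 query gate.example.org A
2006-04-28T10:00:01 client 10.0.0.5 query ns.example.org A
2006-04-28T10:00:02 client 10.0.0.5 query relay.example.org A
2006-04-28T10:00:02 client 10.0.0.5 query mail1.example.org A
2006-04-28T10:00:02 client 10.0.0.5 query mxs.example.org A
2006-04-28T10:00:05 client 10.0.0.9 query www.example.org A
2006-04-28T10:00:06 client 10.0.0.9 query mail.example.org A
garbage line that does not parse
"""

if __name__ == "__main__":
    for client, domain, n in find_mx_guessing(SAMPLE_LOG.splitlines()):
        print(f"{client} tried {n} mail-server guesses against {domain}")
```

A single "mail." or "ns." lookup is normal traffic, which is why the rule counts distinct prefixes per (client, domain) pair and only fires above a threshold; tune the threshold and add a time window if your logs are large.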


Removal Instructions
For general removal instructions, please click here.

Marteinn Þór Harðarson
 

