FRISK Software International


Summary of W32/Mytob.VU@mm
Discovered: 28 Apr 2006
Definition files: 28 Apr 2006
Risk Level: Medium
Distribution:Low
 
Jump to:
Brief description
Technical description
Removal Instructions

Brief Description
W32/Mytob.VU@mm is a mass-mailing worm with an IRC-backdoor. It harvests e-mail addresses from files and sends itself as an attachment to those addresses. It also connects to an IRC channel and accepts remote commands from there. It has it's own SMTP engine. It logs keystrokes and opens a backdoor.


Technical Description
Filesystem

When first run, the worm copies itself to %SYSDIR%\osalogbe.exe.

Note: %SYSDIR% refers to the System directory. The default path for the respective operating systems is as follows:
  • Windows 95/98/Me - C:\Windows\System
  • Windows NT/2000 - C:\Winnt\System32
  • Windows XP - C:\Windows\System32



It harvests e-mail addresses on all available hard drives, in all files having one of the following extensions:

wab
adb
tbb
dbx
asp
php
aspx
html
sht
htm

Registry

Adds the value:

"Osalogbe"="%SYSDIR%\osalogbe.exe"

To the key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

To make sure it's run at Windows startup.

Creates the key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\osunimale]

as an infection marker.

Queries the key:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts]

in an attempt to locate a mail server.

Queries the key:

[HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name]

to try to find the user's address book.


Mail routine

The worm sends itself as an attachment to an e-mail with the following characteristics:

The worm may spoof the from address.

Attached is a file named %name%.%ext% or %name%.zip containing the file %name%.%ext%. Where %name% is one the following:

body
message
test
data
file
text
doc
readme
document

and %ext% is one of the following extensions:

bat
cmd
exe
scr

The worm avoids sending itself to e-mail addresses having one of the following string in the name field:

admin
page
the.bat
gold-certs
feste
submit
not
help
service
privacy
somebody
soft
contact
site
rating
bugs
you
your
someone
anyone
nothing
nobody
noone
webmaster
postmaster
samples
info
root

or containing any of the following substrings in the domain field:

mozilla
utgers.ed
tanford.e
pgp
acketst
secur
isc.o
isi.e
ripe.
arin.
sendmail
rfc-ed
ietf
iana
usenet
fido
kernel
ibm.com
fsf.
gnu
mit.e
math
berkeley
foo.
.mil
gov.
.gov
ruslis
nodomai
mydomai
example
inpris
borlan
sopho
panda
icrosof
syma
avp
accoun
google
certific
listserv
linux
bsd
unix
ntivi
support
icrosoft

Other payloads

Prepends the following strings to the domain name, in an attempt to locate a mail server:

gate.
ns.
relay.
mail1.
mxs.
mx1.
smtp.
mail.
mx.


Removal Instructions
For general removal instructions please click here.

Marteinn Žór Haršarson
 


Stay up to date with important developments via e-mail.
Stay up to date with life cycle policies for F-PROT Antivirus for Windows.
Virus news and information directly to your desktop.
Definitions of common antivirus terminology.
For further virus information, please try our partners' websites:

Authentium

perComp Verlag
(in German)
 

agoat@klaki.net argentina@f-prot.com argentina@frisk.is argentina@complex.is argentina@f-prot.is argentina@frisk-software.com argentina@f-prot.net argentina@f-prot.co.uk brazil@f-prot.com brazil@frisk.is brazil@complex.is brazil@f-prot.is brazil@frisk-software.com brazil@f-prot.net brazil@f-prot.co.uk malta@f-prot.com malta@frisk.is malta@complex.is malta@f-prot.is malta@frisk-software.com malta@f-prot.net malta@f-prot.co.uk a.bjani@f-prot.com a.bjani@frisk.is a.bjani@complex.is a.bjani@f-prot.is a.bjani@f-prot.co.uk a.bjani@frisk-software.com a.bjani@f-prot.net z.fifl@f-prot.com z.fifl@frisk.is z.fifl@complex.is z.fifl@f-prot.is z.fifl@f-prot.co.uk z.fifl@frisk-software.com z.fifl@f-prot.net strumpuri@complex.is strumpure@complex.is strumpuru@complex.is