Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Mytob.D

Mytob.D is a typical mass-mailing e-mail worm. The file is 48766 bytes long, runtime-compressed with UPX and additionally protected with YodaCrypt so that the standard UPX unpacker cannot restore the original executable.

Note: In the following text, %windir% denotes Windows directory (e.g. C:\WINDOWS) and %system% denotes Windows System directory (e.g. C:\WINDOWS\SYSTEM32) as they differ on various versions of Microsoft Windows.

Installation and Autostart Techniques

Upon execution the worm copies itself into the %system% folder as "wfdmgr.exe".
The worm creates a mutex named "D66" so that only one instance of the worm runs on a machine.
The worm adds the following registry values so that it is started every time Windows boots:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"LSA" = "wfdmgr.exe" 

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
"LSA" = "wfdmgr.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"LSA" = "wfdmgr.exe"

Mytob.D also writes the same value to the following locations, which are not autostart points:

HKLM\Software\Microsoft\OLE
"LSA" = "wfdmgr.exe" 

HKCU\Software\Microsoft\OLE
"LSA" = "wfdmgr.exe" 

HKLM\System\CurrentControlSet\Control\Lsa
"LSA" = "wfdmgr.exe" 

HKCU\System\CurrentControlSet\Control\Lsa
"LSA" = "wfdmgr.exe"

e-mail harvesting

The worm scans all fixed disks and collects e-mail addresses out of files which match one of the following file extensions:

*.wab, *.adb, *.tbb, *.dbx, *.asp, *.php, *.sht, *.htm, *.pl

However, this list is largely ineffective because of a bug in the way the worm compares the file names returned in WIN32_FIND_DATA against it: instead of testing the extension for equality, it tests whether the extension occurs as a substring of a list entry (an "instr"/substring comparison). The worm therefore opens and scans every file whose extension is a substring of one of the listed extensions, including much shorter ones.

Example:
Because of the list entry *.htm the worm also scans files matching *.ht and *.h.
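The following Python reconstruction (added here; it is not the worm's code and not taken from any analysis tool) puts the intended exact-extension check beside the substring check the page describes, and runs both over a constructed in-memory "disk" to show how many additional files the buggy check opens. How the worm treats files without any extension is not stated on the page, so the buggy check below skips them; that is an assumption of this example.

```python
import os
import re

# Extensions the worm intends to scan (from the list above).
HARVEST_EXTENSIONS = ("wab", "adb", "tbb", "dbx", "asp", "php", "sht", "htm", "pl")

# Deliberately simple address pattern; sufficient for the constructed sample below.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extension_of(filename):
    return os.path.splitext(filename)[1].lstrip(".").lower()


def intended_match(filename):
    """What the list suggests: the extension must equal one of the entries."""
    return extension_of(filename) in HARVEST_EXTENSIONS


def buggy_match(filename):
    """What the page describes: the extension is accepted as soon as it occurs
    as a substring of any entry, so 'h' and 'ht' pass because of 'htm'.
    Files without an extension are skipped (assumption of this example)."""
    ext = extension_of(filename)
    return bool(ext) and any(ext in entry for entry in HARVEST_EXTENSIONS)


def harvest(files, matcher):
    """Scan every file accepted by `matcher`; return the addresses found, sorted."""
    found = set()
    for name, content in files.items():
        if matcher(name):
            found.update(EMAIL_RE.findall(content))
    return sorted(found)


# Constructed sample "disk" (file name -> content); not taken from a real system.
SAMPLE_FILES = {
    "contacts.wab": "alice@example.org",
    "index.htm": "<a href='mailto:bob@example.net'>mail</a>",
    "module.h": "/* maintainer: carol@example.com */",
    "script.p": "dave@example.org",
    "setup.exe": "erin@example.com",
    "libfoo.a": "frank@example.net",
}


def compare():
    """Addresses collected with the intended check versus the buggy one."""
    return {
        "intended": harvest(SAMPLE_FILES, intended_match),
        "buggy": harvest(SAMPLE_FILES, buggy_match),
    }


if __name__ == "__main__":
    for mode, addresses in compare().items():
        print(f"{mode}: {addresses}")
```

With the sample above the intended check only opens the .wab and .htm files, while the substring check also opens the .h, .p and .a files (their extensions are substrings of "htm", "php" and "wab") and still skips .exe, which is a substring of no entry.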

DNS resolving

The worm issues a DNS MX (mail exchanger) query to find a mail server for each domain it wants to send itself to. If that query fails, it tries to guess the mail server by prepending the following prefixes to the domain name:

gate.
mx.
mail.
smtp.
mx1.
mxs.
mail1.
relay.
ns.
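An added Python reconstruction of the discovery logic described above (not the worm's own code): MX query first, then the guessed host names in the listed order. DNS is replaced by an in-memory resolver that records every query, so the example runs offline; the idea that the ordered walk through these prefixes can serve as a detection fingerprint in DNS logs is this example's assumption, not a statement from the page.

```python
# Prefixes tried, in order, when no MX record is found (from the list above).
GUESS_PREFIXES = ("gate.", "mx.", "mail.", "smtp.", "mx1.", "mxs.", "mail1.", "relay.", "ns.")


class FakeResolver:
    """In-memory stand-in for DNS that records every query it answers."""

    def __init__(self, mx_records, a_records):
        self.mx_records = mx_records  # domain -> [mail host, ...], best preference first
        self.a_records = a_records    # host name -> IPv4 address
        self.log = []                 # (qtype, qname) in the order issued

    def mx(self, domain):
        self.log.append(("MX", domain))
        return self.mx_records.get(domain, [])

    def a(self, host):
        self.log.append(("A", host))
        return self.a_records.get(host)


def find_mail_server(domain, resolver):
    """MX lookup first; on failure walk the guess list and return the first
    host name that resolves, or None if none does."""
    hosts = resolver.mx(domain)
    if hosts:
        return hosts[0]
    for prefix in GUESS_PREFIXES:
        candidate = prefix + domain
        if resolver.a(candidate):
            return candidate
    return None


def guessed_prefixes(log, domain):
    """Prefixes a client tried for `domain` after its MX query failed, in order.
    One client walking exactly this sequence for many domains is a plausible
    fingerprint of this fallback logic (assumed detection heuristic)."""
    suffix = "." + domain
    return [qname[: -len(domain)] for qtype, qname in log
            if qtype == "A" and qname.endswith(suffix)]


# Constructed zone data; the addresses are documentation-range placeholders.
ZONE_MX = {"example.com": ["mx1.example.com"]}
ZONE_A = {"mx1.example.com": "192.0.2.10", "mail.example.org": "192.0.2.25"}


def demo():
    resolver = FakeResolver(ZONE_MX, ZONE_A)
    results = {d: find_mail_server(d, resolver)
               for d in ("example.com", "example.org", "example.net")}
    return results, resolver.log


if __name__ == "__main__":
    results, log = demo()
    print(results)
    print(guessed_prefixes(log, "example.org"))
```

For example.com the MX record answers immediately; for example.org the worm logic gives up on MX and succeeds at the third guess (mail.); for example.net all nine guesses fail and the domain is skipped.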

e-mail Sender

The worm forges the sender address by combining one of the following user names with a domain name chosen at random:

adam, alex, alice, andrew, anna, bill, bob, brenda, brent, brian, claudia, dan, dave,
david, debby, fred, george, helen, jack, james, jane, jerry, jim, jimmy, joe, john, jose,
julie, kevin, leo, linda, maria, mary, matt, michael, mike, peter, ray, robert, sam,
sandra, serg, smith, stan, steve, ted, tom

It uses its own SMTP (Simple Mail Transfer Protocol) engine to mass-mail copies of itself to other e-mail addresses.

e-mail subjects

Mytob.D selects randomly an e-mail subject out of the following list:

Error
Status
STATUS
Server Report
SERVER REPORT
Mail Transaction Failed
Mail Delivery System
hello
HELLO
hi
HI
test
TEST

Note: The e-mail subjects are encrypted and stored in the worm.

Message body

The e-mail contains one of the following message texts:

Mail transaction failed. Partial message is available.

The message contains Unicode characters and has been sent as a binary attachment.

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

test

Note: The worm may also send e-mails containing a blank message body or random strings.

e-mail Attachments

The worm attaches a copy of itself under one of the following file names:

body
message
test
data
file
text
doc
readme
document

with one of the following file extensions:

bat
cmd
exe
scr
pif
zip

The worm may also attach itself as a ZIP file. The file inside the ZIP archive may have two extensions, the first chosen from the following list:

htm
txt
doc

The second extension is chosen from the following list and is separated from the first by a long run of spaces, so that the executable extension is pushed out of view in most file listings:

pif
scr
exe

Example: attachment "text.zip" may contain the file "text.txt { spaces }.scr"
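The subject, body and attachment-naming patterns above are static, so they can be turned into a mail filter. The following Python is an added example (not the worm's code and not a vendor signature): it builds two messages in memory, one mimicking the patterns on this page with a ZIP whose entry uses the spaces-padded double extension, one benign, and scores both with the standard library's email and zipfile modules. The sample messages, addresses and the 60-space padding are constructed for the example; the page only says "a huge amount of spaces".

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators taken from the lists on this page.
SUBJECTS = {"Error", "Status", "STATUS", "Server Report", "SERVER REPORT",
            "Mail Transaction Failed", "Mail Delivery System",
            "hello", "HELLO", "hi", "HI", "test", "TEST"}
BODIES = {
    "Mail transaction failed. Partial message is available.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
    "test",
}
ATTACH_NAMES = {"body", "message", "test", "data", "file", "text", "doc", "readme", "document"}
ATTACH_EXTS = {"bat", "cmd", "exe", "scr", "pif", "zip"}
# ZIP entry name: harmless-looking extension, run of spaces, executable extension.
DOUBLE_EXT_RE = re.compile(r"\.(htm|txt|doc) +\.(pif|scr|exe)$", re.IGNORECASE)


def attachment_name_matches(filename):
    stem, _, ext = filename.rpartition(".")
    return stem.lower() in ATTACH_NAMES and ext.lower() in ATTACH_EXTS


def zip_hides_executable(data):
    """True if any entry of the ZIP uses the spaces-padded double extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(DOUBLE_EXT_RE.search(name) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def score_message(raw):
    """Return the list of indicators that fire on a raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    if str(msg["Subject"] or "").strip() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() in BODIES:
        hits.append("body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if attachment_name_matches(name):
            hits.append("attachment-name")
        if name.lower().endswith(".zip") and zip_hides_executable(part.get_payload(decode=True)):
            hits.append("zip-double-extension")
    return hits


def build_sample(subject, body, attach_name, attach_bytes):
    """Construct a message in memory (sample data, not a captured worm mail)."""
    msg = EmailMessage()
    msg["From"] = "bob@example.org"
    msg["To"] = "alice@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(attach_bytes, maintype="application", subtype="octet-stream",
                       filename=attach_name)
    return msg.as_bytes()


def make_zip(entry_name, payload):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry_name, payload)
    return buf.getvalue()


def sample_zip():
    # "text.txt", 60 spaces, ".scr": the padding width is this example's choice.
    return make_zip("text.txt" + " " * 60 + ".scr", b"MZ placeholder, not a real binary")


def demo():
    worm_like = build_sample("Mail Delivery System",
                             "Mail transaction failed. Partial message is available.",
                             "text.zip", sample_zip())
    benign = build_sample("Q3 numbers", "Attached are the figures we discussed.",
                          "figures.zip", make_zip("figures.csv", b"a,b\n1,2\n"))
    return {"worm_like": score_message(worm_like), "benign": score_message(benign)}


if __name__ == "__main__":
    print(demo())
```

Each indicator on its own is weak (a human "hi"/"test" mail is common), but the double-extension ZIP entry is a strong signal by itself and is worth blocking regardless of the other hits.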

The worm does not send itself to any e-mail address that contains one of the following substrings:

.gov, .mil, abuse, accoun, acketst, admin, anyone, arin., avp, be_loyal:, berkeley,
borlan, bsd, bugs, certific, contact, example, fcnz, feste, fido, foo., fsf., gnu, gold-certs,
google, gov., help, hotmail, iana, ibm.com, icrosof, icrosoft, ietf, info, inpris, isc.o,
isi.e, kernel, linux, listserv, math, mit.e, mozilla, msn., mydomai, nobody, nodomai,
noone, not, nothing, ntivi, page, panda, pgp, postmaster, privacy, rating, rfc-ed, ripe.,
root, ruslis, samples, secur, sendmail, service, site, soft, somebody, someone, sopho,
spm, submit, support, syma, tanford.e, the.bat, unix, usenet, utgers.ed, webmaster,
www, you, your, -._!, -._!@

Note: the leading character is deliberately left off some entries (e.g. "icrosoft") so that the case-sensitive substring match catches both "Microsoft" and "microsoft".

Other Details

The worm generates random IP addresses and attempts to connect to TCP port 445 on each of them in order to exploit the LSASS buffer overflow vulnerability (see MS04-011). If the exploit succeeds, the shellcode running on the target connects back to the attacking machine and retrieves a copy of the worm from an FTP server the worm has started there.
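The spreading behaviour described above leaves two network artifacts: one host contacting many random addresses on port 445, and a freshly exploited target opening a connection back to that host. The following Python is an added example of detection logic over constructed flow records (not the worm's code; the log format, the 10.0.0.0/8 addresses, the 20-target threshold and the connect-back port 4021 are all assumptions of this example, since the page does not give the FTP port the worm uses).

```python
from collections import defaultdict

SCAN_PORT = 445
MIN_DISTINCT_TARGETS = 20  # assumed threshold for calling a source a scanner


def scan_targets(count=30):
    """Deterministic, spread-out 10.0.0.0/8 addresses standing in for the
    random targets (constructed; not real scan data)."""
    return [f"10.{(i * 37) % 256}.{(i * 91) % 256}.{(i * 53) % 256 or 1}"
            for i in range(1, count + 1)]


def sample_flows():
    """Constructed flow log: '<timestamp> <src> <dst> <dport>' per line."""
    scanner = "10.0.0.5"
    targets = scan_targets()
    lines = [f"2005-03-01T10:00:{i:02d} {scanner} {t} {SCAN_PORT}"
             for i, t in enumerate(targets)]
    # One exploited target connecting back to the scanner (port is hypothetical).
    lines.append(f"2005-03-01T10:01:00 {targets[10]} {scanner} 4021")
    # Benign SMB traffic: a workstation talking to its single file server.
    lines += [f"2005-03-01T10:00:{i:02d} 10.0.0.7 10.0.0.8 {SCAN_PORT}" for i in range(3)]
    return lines


def parse(line):
    ts, src, dst, dport = line.split()
    return ts, src, dst, int(dport)


def detect(lines):
    """Flag sources that touched many distinct hosts on 445, then any
    connection from one of their targets back to them on another port."""
    flows = [parse(line) for line in lines]
    targets_by_src = defaultdict(set)
    for _, src, dst, dport in flows:
        if dport == SCAN_PORT:
            targets_by_src[src].add(dst)
    scanners = {src: len(t) for src, t in targets_by_src.items()
                if len(t) >= MIN_DISTINCT_TARGETS}
    connect_back = [(src, dst, dport) for _, src, dst, dport in flows
                    if dst in scanners and src in targets_by_src[dst] and dport != SCAN_PORT]
    return {"scanners": scanners, "connect_back": connect_back}


if __name__ == "__main__":
    print(detect(sample_flows()))
```

The workstation with a single file server never reaches the threshold, so ordinary SMB use does not fire; the connect-back rule only considers hosts that were themselves among the scanner's targets, which keeps unrelated inbound connections to the scanning host out of the result.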

The worm also provides Backdoor functionality with the following functions:

  • Downloading files
  • Downloading new worm updates
  • Executing files
  • Providing uptime information to the remote controller
  • Providing information about the worm variant to the remote controller