Threat Encyclopedia


Installation and Autostart Techniques

 

Upon execution, Mytob.FQ copies itself into the %System32% folder as "taskgmrr.exe", and to "C:\mypic003.scr", "C:\mypic004.scr", "C:\mypic005.scr" and finally creates "C:\mngr32.exe".

 

Mytob.FQ creates a mutex "H-E-L-L-B-O-T-32" to prevent multiple instances of the worm from running.

 

The worm adds the following registry values so that it runs every time Windows is started:

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"WINTASK32" = "taskgmrr.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
"WINTASK32" = "taskgmrr.exe"

HKLM\Software\Microsoft\OLE
"WINTASK32" = "taskgmrr.exe"

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
"WINTASK32" = "taskgmrr.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"WINTASK32" = "taskgmrr.exe"

HKCU\Software\Microsoft\OLE
"WINTASK32" = "taskgmrr.exe"

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
"WINTASK32" = "taskgmrr.exe"

 

Note: Mytob.FQ continuously monitors these registry keys and recreates them if they are no longer present.
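One way to triage an exported registry hive for this autostart value, as an added example that is not part of the encyclopedia entry: the function below parses the text of a `reg export` (.reg) file and reports any value under the keys listed above that is named WINTASK32 or whose data names taskgmrr.exe. The .reg sample is constructed for illustration; only string (REG_SZ) values are parsed.

```python
"""Offline triage of a Windows registry export (.reg text) for the
Mytob.FQ autostart value.  Added example, not from the encyclopedia entry:
the sample export below is constructed; the key list mirrors the entry."""
import re

# Autostart locations the entry lists, in the long form a .reg export uses.
WATCHED_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\OLE",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE",
    r"HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa",
}
VALUE_NAME = "WINTASK32"
DROPPED_FILE = "taskgmrr.exe"

# Constructed sample: what a `reg export` of the affected keys might contain.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"WINTASK32"="taskgmrr.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"WINTASK32"="taskgmrr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"""

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')


def parse_reg_export(text):
    """Yield (key, value_name, data) triples from .reg export text.
    Only REG_SZ values (quoted data) are handled; other types are skipped."""
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and current_key is not None:
            name, data = m.group(1), m.group(2).strip()
            if data.startswith('"') and data.endswith('"'):
                # Collapse the doubled backslashes .reg uses inside REG_SZ data.
                yield current_key, name, data[1:-1].replace("\\\\", "\\")


def find_mytob_autostart(text):
    """Return [(key, name, data)] for values in a watched key that match the
    Mytob.FQ pattern: value name WINTASK32, or data naming taskgmrr.exe."""
    hits = []
    watched = {k.lower() for k in WATCHED_KEYS}
    for key, name, data in parse_reg_export(text):
        if key.lower() not in watched:
            continue
        if name.upper() == VALUE_NAME or DROPPED_FILE in data.lower():
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_mytob_autostart(SAMPLE_REG_EXPORT):
        print(f"{key}\n    {name} = {data}")
```

Because the worm recreates the values when they are removed, a clean result from a single pass is only meaningful once the running process holding the mutex has been stopped; re-run the check afterwards.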

 

E-mail harvesting

 

The worm scans all fixed disks and collects e-mail addresses from files with any of the following extensions:

 

*.wab, *.adb, *.tbb, *.dbx, *.asp, *.php, *.sht, *.htm, *.pl, *.txt, *.xml, *.cgi, *.jsp

 

This Mytob worm also collects e-mail addresses from the Windows Address Book and from the following folders:

 

%Windir%\Temporary Internet Files

%Userprofile%\Local Settings\Temporary Internet Files

 

DNS Resolving

 

Mytob.FQ performs DNS MX (mail exchange) queries to find a mail server for each domain it tries to send itself to.

If the MX lookup fails, the worm guesses the mail server's host name by prepending each of the following prefixes to the domain name:

 

gate.

mx.

mail.

smtp.

mx1.

mxs.

mail1.

relay.

ns.

 

IRC Backdoor Server Functionality

 

The worm also provides IRC backdoor functionality, supporting the following commands:

Downloading files

Downloading new worm updates

Executing files

Providing uptime information to the remote controller

Providing information about the worm variant to the remote controller

Notifying IRC channels/operators via private message

Restarting the computer

Providing FTP server access on the compromised system

Removing components

The Mytob.FQ worm tries to connect to the IRC server "xtg.g3w.org" on TCP port 36311 and to join the channel "#.hb0t".

 

E-mail Sender

 

The worm builds the sender's e-mail address from one of the following names:

 

adam, alex, alice, andrew, anna, bill, bob, brenda, brent, brian, britney, bush, claudia,

dan, dave, david, debby, fred, george, helen, jack, james, jane, jerry, jim, jimmy, joe,

john, jose, julie, kevin, leo, linda, lolita, madmax, maria, mary, matt, michael, mike,

peter, ray, robert, sam, sandra, serg, smith, stan, steve, ted, tom

 


Note: The worm might also use a spoofed email address collected during E-mail harvesting.

 

Mytob.FQ uses its own SMTP (Simple Mail Transfer Protocol) engine to mass-mail copies of itself to other e-mail addresses.

 

The worm avoids e-mail addresses that contain any of the following strings:

 

.gov, .mil, abuse, accoun, acketst, admin, anyone, arin., avp, be_loyal:, berkeley,

borlan, bsd, bugs, certific, contact, example, fcnz, feste, fido, foo., fsf., gnu, gold-certs,

google, gov., help, hotmail, iana, ibm.com, icrosof, icrosoft, ietf, info, inpris, isc.o,

isi.e, kernel, linux, listserv, math, mit.e, mozilla, msn., mydomai, nobody, nodomai,

noone, not, nothing, ntivi, page, panda, pgp, postmaster, privacy, rating, rfc-ed, ripe.,

root, ruslis, samples, secur, sendmail, service, site, soft, somebody, someone, sopho,

spm, submit, support, syma, tanford.e, the.bat, unix, usenet, utgers.ed, webmaster,

www, you, your, -._!, -._!@

 

Note: Several entries omit their first character so that they match regardless of that character's case. For example, both 'Microsoft' and 'microsoft' contain "icrosoft".

 

Mytob.FQ sends outgoing attachments with one of the following file extensions:

bat, cmd, exe, scr, pif, zip


The worm may also attach itself as a ZIP file. The file inside the ZIP archive may have two extensions, the first chosen from the following list:

htm, txt, doc


The second extension is chosen from the following list and is separated from the first extension by a large number of spaces to hide the executable file extension:

pif, scr, exe


Example: attachment 'readme.zip' may contain the file 'readme.txt { spaces } .scr'
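An added example (not code from the entry) of a gateway-side check for the disguised name above: it builds a constructed readme.zip in memory containing 'readme.txt' followed by sixty spaces and '.scr', and flags any archive member whose decoy extension (htm, txt, doc) is padded with whitespace before one of the executable extensions listed, as well as plain executable attachment names.

```python
"""Mail-gateway style check for the disguised attachment names the entry
describes ('readme.txt {spaces} .scr' inside a ZIP).  Added example, not
code from the encyclopedia entry; the ZIP archive is constructed in memory."""
import io
import re
import zipfile

# Executable extensions the entry lists for direct attachments and for the
# hidden second extension inside the archive.
EXECUTABLE_EXTS = {"bat", "cmd", "exe", "scr", "pif"}

# A decoy extension, then a run of whitespace, then an executable extension.
_DISGUISED_RE = re.compile(
    r"\.(?P<decoy>htm|txt|doc)\s+\.?(?P<real>bat|cmd|exe|scr|pif)$", re.IGNORECASE
)


def classify_attachment_name(name):
    """Return 'disguised', 'executable', or 'ok' for a file name.

    'disguised'  -> decoy extension padded with whitespace before an
                    executable extension (the trick the entry describes)
    'executable' -> plain executable extension
    'ok'         -> anything else
    """
    base = name.rsplit("/", 1)[-1]          # ignore any archive directory part
    if _DISGUISED_RE.search(base):
        return "disguised"
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext in EXECUTABLE_EXTS:
        return "executable"
    return "ok"


def scan_zip_attachment(zip_bytes):
    """Return [(member_name, verdict)] for every member that is not 'ok'."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict = classify_attachment_name(info.filename)
            if verdict != "ok":
                findings.append((info.filename, verdict))
    return findings


def build_sample_zip():
    """Constructed sample: a 'readme.zip' like the entry's example, holding one
    disguised member and one harmless one.  Member contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt" + " " * 60 + ".scr", b"placeholder, not malware")
        zf.writestr("notes.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, verdict in scan_zip_attachment(build_sample_zip()):
        print(f"{verdict:10s} {member!r}")
```

The whitespace run is what makes the name look harmless in a mail client that truncates long file names, so the check keys on the padding rather than on the last extension alone.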

--------

 

Hostfile Manipulation

 

Mytob.FQ overwrites the existing hosts file with the following entries, blocking access to these sites:

 

127.0.0.1 www.trendmicro.com

127.0.0.1 www.microsoft.com

127.0.0.1 trendmicro.com

127.0.0.1 rads.mcafee.com

127.0.0.1 customer.symantec.com

127.0.0.1 liveupdate.symantec.com

127.0.0.1 us.mcafee.com

127.0.0.1 updates.symantec.com

127.0.0.1 update.symantec.com

127.0.0.1 www.nai.com

127.0.0.1 nai.com

127.0.0.1 secure.nai.com

127.0.0.1 dispatch.mcafee.com

127.0.0.1 download.mcafee.com

127.0.0.1 www.my-etrust.com

127.0.0.1 my-etrust.com

127.0.0.1 mast.mcafee.com

127.0.0.1 ca.com

127.0.0.1 www.ca.com

127.0.0.1 networkassociates.com

127.0.0.1 www.networkassociates.com

127.0.0.1 avp.com

127.0.0.1 www.kaspersky.com

127.0.0.1 www.avp.com

127.0.0.1 kaspersky.com

127.0.0.1 www.f-secure.com

127.0.0.1 f-secure.com

127.0.0.1 viruslist.com

127.0.0.1 www.viruslist.com

127.0.0.1 liveupdate.symantecliveupdate.com

127.0.0.1 mcafee.com

127.0.0.1 www.mcafee.com

127.0.0.1 sophos.com

127.0.0.1 www.sophos.com

127.0.0.1 symantec.com

127.0.0.1 securityresponse.symantec.com

127.0.0.1 www.symantec.com
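As an added example, not from the entry: a parser that reads hosts-file text and reports any of the vendor domains listed above (or their subdomains) mapped to a loopback address. It goes slightly beyond the entry in also treating 0.0.0.0 as a sinkhole address, since that achieves the same block; the sample hosts content and the watch-list subset are constructed.

```python
"""Detect the hosts-file hijack the entry describes: security-vendor
domains pointed at 127.0.0.1.  Added example, not from the encyclopedia
entry; HOSTS_SAMPLE is constructed and the watch-list is a subset of the
entry's list."""
import ipaddress

# Domains from the entry's list (subset); subdomains are covered as well.
WATCHED_DOMAINS = (
    "microsoft.com", "trendmicro.com", "mcafee.com", "symantec.com",
    "symantecliveupdate.com", "nai.com", "networkassociates.com",
    "my-etrust.com", "ca.com", "avp.com", "kaspersky.com", "f-secure.com",
    "viruslist.com", "sophos.com",
)

# Constructed sample hosts file: the usual loopback line, a legitimate
# internal entry, and three lines of the kind Mytob.FQ writes.
HOSTS_SAMPLE = """\
# constructed sample hosts file
127.0.0.1       localhost
10.0.0.5        intranet.example.test   # constructed, legitimate
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.kaspersky.com
0.0.0.0   download.mcafee.com
"""


def _is_watched(hostname):
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def _is_sinkhole(addr):
    """True for addresses that can only serve to block the name:
    loopback (127/8, ::1) and the unspecified address (0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def find_hosts_hijacks(hosts_text):
    """Return [(line_no, ip, hostname)] for watched domains mapped to a
    sinkhole address.  Comments (#) and blank lines are ignored."""
    hijacks = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        if not _is_sinkhole(ip):
            continue
        for name in names:
            if _is_watched(name):
                hijacks.append((line_no, ip, name))
    return hijacks


if __name__ == "__main__":
    for line_no, ip, name in find_hosts_hijacks(HOSTS_SAMPLE):
        print(f"line {line_no}: {name} -> {ip}")
```

Since the worm overwrites the whole file, a hosts file on an affected machine will usually have lost its original local entries as well; restoring it from a known-good copy is simpler than editing out the hijacked lines.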

 

Other Details:

 

Mytob.FQ exploits the Microsoft Windows Local Security Authority Service Remote Buffer Overflow.
