Threat Encyclopedia


Win32/Mytob.BV

Mytob.BV is a typical mass-mailing e-mail worm. The file is 35840 bytes in size and is runtime-compressed with Morphine, an executable runtime packer.

Note: In the following text, %windir% denotes the Windows directory (e.g. C:\WINDOWS) and %system% denotes the Windows System directory (e.g. C:\WINDOWS\SYSTEM32), as these differ between versions of Microsoft Windows.

Installation and Autostart Techniques

Upon execution the worm copies itself into the %system% directory as "shell.exe".

The worm creates the mutex "H-e-l-l-B-o-t-3-T-e-a-M!!!" to avoid running multiple instances of itself on one machine.
The worm adds the following registry entries to make sure that it runs every time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"Windows Shell" = "shell.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
"Windows Shell" = "taskgmr.exe"

E-mail harvesting

The worm scans all fixed disks and collects e-mail addresses from files whose names match one of the following extensions:

*.wab, *.adb, *.tbb, *.dbx, *.asp, *.php, *.sht, *.htm, *.txt

The worm skips e-mail addresses that contain any of the following strings:

abuse, accoun, admin, anyone, bsd, bugs, certific, contact, fcnz, feste,
gold-certs, google, help, icrosof, info, linux, listserv, nobody, noone, not, nothing, ntivi,
page, postmaster, privacy, rating, root, samples, secur, service, site, soft, somebody, someone,
spm, submit, support, the.bat, unix, webmaster, www, you, your

The worm skips e-mail domains that contain any of the following strings:

.gov, .mil, acketst, arin., berkeley, borlan, bsd, example, fido, foo.,
fsf., gnu, google, gov., hotmail, iana, ibm.com, icrosof, icrosoft, ietf, inpris, isc.o, isi.e,
kernel, linux, math, mit.e, mozilla, msn., mydomai, nodomai, panda, pgp, rfc-ed, ripe., ruslis,
secur, sendmail, sopho, tanford.e, unix, usenet, utgers.ed

E-mail Sender

The worm generates the sender's e-mail address using one of the following names:

.john, alex, michael, james, mike, kevin, david, george, sam, andrew, jose, leo,
maria, jim, brian, serg, mary, ray, tom, peter, robert, bob, jane, joe, dan, dave,
matt, steve, smith, stan, bill, bob, jack, fred, ted, adam, brent, alice, anna,
brenda, claudia, debby, helen, jerry, jimmy, julie, linda, kroutoyy

E-mail subjects

Mytob.BV randomly selects an e-mail subject from the following list:

Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The original message was included as an attachment.
Here are your banks documents.

Note: The worm may also send e-mails containing a blank message body or random strings.

E-mail Attachments

The worm attaches a copy of itself under one of the following filenames:

file
text
doc
creditcard

Hostfile Manipulation

It appends the following entries to the existing "hosts" file so that these sites can no longer be reached from the infected machine:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
-=Copyright (C) 2005-2006 HellBot3 Team All Rights Reserved.=-
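The hosts-file tampering above is the kind of change a host-integrity check should surface. As an added example (not code from the original page), the Python below parses a constructed hosts file and reports security-vendor domains mapped to loopback, as well as the non-address marker line the worm appends; the vendor suffix list is built from the domains above, assuming any subdomain of a listed domain counts.

```python
# Audit a hosts file for the loopback sinkholing described above. Added example,
# not code from the original page; the sample hosts content is constructed and
# VENDOR_SUFFIXES comes from the page's list (assumption: subdomains count too).
import ipaddress
from typing import List, Tuple

SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}
VENDOR_SUFFIXES = ("symantec.com", "symantecliveupdate.com", "sophos.com",
    "mcafee.com", "viruslist.com", "f-secure.com", "kaspersky.com",
    "kaspersky-labs.com", "avp.com", "networkassociates.com", "ca.com",
    "my-etrust.com", "nai.com", "trendmicro.com", "grisoft.com", "microsoft.com")

def is_vendor_host(host: str) -> bool:
    """True if host is a listed vendor domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in VENDOR_SUFFIXES)

def audit_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, reason, text) per suspicious line. A line whose first
    token is not an IP address (e.g. a marker string) is reported as malformed."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        addr, *hosts = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            findings.append((n, "malformed entry", raw.strip()))
            continue
        if addr not in SINKHOLE_ADDRS:
            continue
        for host in hosts:
            if host.lower() in LEGIT_LOOPBACK:
                continue
            reason = ("vendor domain sinkholed" if is_vendor_host(host)
                      else "non-local host mapped to loopback")
            findings.append((n, reason, host))
    return findings

# Constructed sample: normal entries, one internal host, then worm-style lines.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
192.168.1.10    fileserver.corp.example   # legitimate internal entry
127.0.0.1 www.symantec.com
127.0.0.1 www.microsoft.com
-=Copyright (C) 2005-2006 HellBot3 Team All Rights Reserved.=-
"""
```

Running audit_hosts(SAMPLE_HOSTS) yields two "vendor domain sinkholed" findings and one "malformed entry" for the marker line, while the localhost and internal entries pass.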

Other Details

The worm also provides IRC backdoor functionality with the following capabilities:

Executing files
Downloading files
Executing any other IRC commands