Selected viruses, spyware, and other threats: sorted alphabetically
Mytob.BV is a typical mass mailing e-mail worm, the size is 35840 bytes and the worm is runtime compressed by Morphine, an executable runtime packer.
Note: In the following text, %windir% denotes Windows directory (e.g. C:\WINDOWS) and %system% denotes Windows System directory (e.g. C:\WINDOWS\SYSTEM32) as they differ on various versions of Microsoft Windows.
Installation and Autostart Techniques
Upon execution the worm copies itself into the System32 as "shell.exe".
The worm creates a mutex "H-e-l-l-B-o-t-3-T-e-a-M!!!" to avoid multiple running instances of the worm on one machine.
The worm adds the following registry key to the registry to make sure that it runs every time windows is started:
"Windows Shell" = "shell.exe"
"Windows Shell" = "taskgmr.exe"
The worm scans all fixed disks and collects e-mail addresses out of files which match one of the following file extensions:
*.wab, *.adb, *.tbb, *.dbx, *.asp, *.php, *.sht, *.htm, *.txt
The worm avoids e-mail addresses which contain parts of the following list
abuse, accoun, admin, anyone, bsd, bugs, certific, contact, fcnz, feste,
gold-certs, google, help, icrosof, info, linux, listserv, nobody, noone, not, nothing, ntivi,
page, postmaster, privacy, rating, root, samples, secur, service, site, soft, somebody, someone,
spm, submit, support, the.bat, unix, webmaster, www, you, your
The worm avoids domain addresses which contain parts of the following list
.gov, .mil, acketst, arin., berkeley, borlan, bsd, example, fido, foo.,
fsf., gnu, google, gov., hotmail, iana, ibm.com, icrosof, icrosoft, ietf, inpris, isc.o, isi.e,
kernel, linux, math, mit.e, mozilla, msn., mydomai, nodomai, panda, pgp, rfc-ed, ripe., ruslis,
secur, sendmail, sopho, tanford.e, unix, usenet, utgers.ed
The worm generates the sender's e-mail addresses using the following list of names:
.john, alex, michael, james, mike, kevin, david, george, sam, andrew, jose, leo,
maria, jim, brian, serg, mary, ray, tom, peter, robert, bob, jane, joe, dan, dave,
matt, steve, smith, stan, bill, bob, jack, fred, ted, adam, brent, alice, anna,
brenda, claudia, debby, helen, jerry, jimmy, julie, linda, kroutoyy
MyTob.BV selects randomly an eMail subject out of the following list:
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The original message was included as an attachment.
Here are your banks documents.
Note: The worm may also send e-mails containing a blank message body or random strings.
The worm attaches one of the following filenames with a self-copy:
It appends the present "hosts" file with the following data to avoid accessing these sites:
-=Copyright (C) 2005-2006 HellBot3 Team All Rights Reserved.=-
The worm also provides IRC-Backdoor functionality with the following functions:
Executing any other IRC commands
©1992-2005 Eset All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission