Threat Encyclopedia


Win32/Mytob.CK

Aliases: W32/Mytob-AY (Sophos), Win32.Worm.Mytob.AX (Bitdefender), W32/Mytob.DB.worm (Panda), W32.Mytob.CE@mm (Symantec)
Type: Mass-mailing E-mail worm
Systems Affected: 32-Bit Windows

Introduction:

Mytob.CK is a typical mass-mailing e-mail worm, 44544 bytes in size and runtime-compressed with PESpin.

Installation and Autostart Techniques:

Upon execution, the worm copies itself into the System32 folder as "winupd32.exe".

The worm creates a mutex "H-3-l-l-B-0-t-3!!!" to avoid multiple running instances of the worm on one machine.

The worm adds the following registry values to make sure that it runs every time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"Windows Updates" = "winupd32.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
"Windows Updates" = "winupd32.exe"

The worm continuously checks for the presence of these registry values and recreates them if they have been removed.

Mytob.CK also modifies the following registry key:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
"Start" = "4"

in order to lower the security settings of the compromised system. A Start value of 4 disables the SharedAccess service (which hosts Internet Connection Sharing and, on Windows XP, the built-in Internet Connection Firewall) on Windows 2000 and Windows XP systems.

The worm tries to terminate the following processes:

regedit.exe
msconfig.exe
cmd.exe
taskmgr.exe
netstat.exe
zapro.exe
navw32.exe
navapw32.exe
zonealarm.exe
wincfg32.exe
PandaAVEngine.exe

E-mail Harvesting:

The worm scans all fixed disks and is designed to collect e-mail addresses from files with one of the following file extensions:

*.wab, *.adb, *.tbb, *.dbx, *.asp, *.php, *.sht, *.htm, *.pl

Due to a bug in the stringcat handling of the WIN32_FIND_DATA results, the worm also opens files whose extensions only partially match this list. A file is opened and scanned for e-mail addresses whenever at least one character of its extension matches the characters of a listed extension in the same order.

In technical terms, the worm compares the file extension with a substring search rather than an exact string comparison.

Example:

The worm will search for e-mail addresses in files whose extension is *.htm, *.ht, or *.h.
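To make the partial-match behaviour described above concrete, here is an added example (my own code, not the worm's) that models the extension test as a substring search beside the exact comparison the worm presumably intended. Function names and the sample file names are my own constructions.

```python
import os

# Extension list from the write-up (without the "*." prefix).
TARGET_EXTENSIONS = ("wab", "adb", "tbb", "dbx", "asp", "php", "sht", "htm", "pl")


def _extension(filename):
    """Extension of filename without the dot, lower-cased ('' if there is none)."""
    return os.path.splitext(filename)[1].lstrip(".").lower()


def matches_buggy(filename):
    """Substring comparison as described in the write-up: the file's extension only
    has to occur inside a listed extension, so 'h' and 'ht' both match 'htm'.
    A name with no extension yields '', which is a substring of every string;
    that is a consequence of this model, not a behaviour the write-up states."""
    ext = _extension(filename)
    return any(target.find(ext) != -1 for target in TARGET_EXTENSIONS)


def matches_exact(filename):
    """The intended check: the extension must equal one listed extension."""
    return _extension(filename) in TARGET_EXTENSIONS


def compare(filenames):
    """Return {filename: (buggy_result, exact_result)} for a batch of names."""
    return {name: (matches_buggy(name), matches_exact(name)) for name in filenames}


if __name__ == "__main__":
    # Constructed sample names: only index.htm and lib.pl should be scanned.
    samples = ["index.htm", "page.ht", "main.h", "notes.txt", "lib.pl", "x.p", "noext"]
    for name, (buggy, exact) in compare(samples).items():
        print(f"{name:10} substring={buggy!s:5} exact={exact}")
```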

Mytob.CK also collects e-mail addresses from the Windows Address Book and from the following folders:

%Windir%\Temporary Internet Files
%Userprofile%\Local Settings\Temporary Internet Files
%System%

DNS Resolving:

The worm performs DNS MX (mail exchange) queries to find a mail server for each domain it tries to send itself to. If the MX lookup fails, the worm tries to guess the mail server by prepending the following prefixes to the domain name:

gate.
mx.
mail.
smtp.
mx1.
mxs.
mail1.
relay.
ns.

E-mail Sender:

The worm generates the sender's e-mail address from one of the following names:

adam, alex, alice, andrew, anna, bill, bob, brenda, brent, brian, britney, bush, claudia, dan, dave, david, debby, fred, george, helen, jack, james, jane, jerry, jim, jimmy, joe, john, jose, julie, kevin, leo, linda, lolita, madmax, maria, mary, matt, michael, mike, peter, ray, robert, sam, sandra, serg, smith, stan, steve, ted, tom

to which it randomly appends one of the following domain names (the domain names are stored encrypted in the worm):

aol.com cia.gov fbi.gov hotmail.com juno.com msn.com yahoo.com

The worm may also use a spoofed sender address taken from the addresses collected during e-mail harvesting.

Mytob.CK uses its own SMTP (Simple Mail Transfer Protocol) engine to mass-mail copies of itself to other e-mail addresses.

E-mail Subjects:

Mytob.CK randomly selects an e-mail subject from the following list:

Error
hello
Good day
Mail Delivery System
Mail Transaction Failed
Server Report
Status

The e-mail subjects are stored encrypted in the worm.

Message Body:

The e-mail contains one of the following message texts:

Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
To unblock your email account acces, please see the attachment.
Follow the instructions in the attchment.
We have suspended some of your email services, to resolve the problem you should read the attached document.
To safeguard your email account from possible termination, please see the attached file.
please look at attached document.
Account Information Are Attached!

The worm may also send e-mails containing a blank message body or random strings.

E-mail Attachments:

Mytob.CK attaches a copy of itself using one of the following file names:

document
readme
doc
text
file
data
test
message
body

with one of the following file extensions:

bat
cmd
exe
scr
pif
zip

The worm may also attach itself inside a ZIP archive. The file inside the ZIP archive may have two extensions; the first is chosen from the following list:

htm
txt
doc

The second extension is chosen from the following list and is separated from the first by a large number of spaces so that the executable extension is not visible:

pif
scr
exe

Example: the attachment "text.zip" may contain the file "text.txt { spaces }.scr".
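The padded double extension above is easy to miss by eye but simple to check for at a mail gateway. The following is an added example (my own code, not part of this write-up) that classifies attachment names by the extension Windows actually honours and inspects ZIP member names without extracting them; the function names and the sample archive are my own constructions.

```python
import io
import re
import zipfile

EXECUTABLE_EXTENSIONS = {"bat", "cmd", "exe", "scr", "pif"}
DECOY_EXTENSIONS = {"htm", "txt", "doc"}
# Matches "<name>.<decoy ext><2+ spaces>.<ext>", the layout "text.txt      .scr".
PADDED_DOUBLE_EXT = re.compile(r"^[^.\s]+\.(\w+)\s{2,}\.\w+$")


def real_extension(filename):
    """The extension Windows honours: text after the last dot, whitespace stripped."""
    if "." not in filename:
        return ""
    return filename.rsplit(".", 1)[1].strip().lower()


def classify_attachment(filename):
    """Return a reason string when the name looks hostile, else None."""
    if real_extension(filename) not in EXECUTABLE_EXTENSIONS:
        return None
    m = PADDED_DOUBLE_EXT.match(filename)
    if m and m.group(1).lower() in DECOY_EXTENSIONS:
        return "executable extension hidden behind a padded decoy extension"
    return "executable attachment"


def suspicious_zip_members(zip_bytes):
    """Inspect member names of a ZIP attachment; nothing is extracted or run."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            reason = classify_attachment(name)
            if reason:
                flagged.append((name, reason))
    return flagged


def build_sample_zip():
    """Constructed archive mimicking the layout above; the content is harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("text.txt" + " " * 40 + ".scr", b"placeholder bytes, not a program")
        zf.writestr("readme.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_zip_members(build_sample_zip()):
        print(f"{name!r}: {reason}")
```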

The worm avoids e-mail addresses that contain any of the following strings:

.gov, .mil, abuse, accoun, acketst, admin, anyone, arin., avp, be_loyal:, berkeley,
borlan, bsd, bugs, certific, contact, example, fcnz, feste, fido, foo., fsf., gnu, gold-certs,
google, gov., help, hotmail, iana, ibm.com, icrosof, icrosoft, ietf, info, inpris, isc.o,
isi.e, kernel, linux, listserv, math, mit.e, mozilla, msn., mydomai, nobody, nodomai,
noone, not, nothing, ntivi, page, panda, pgp, postmaster, privacy, rating, rfc-ed, ripe.,
root, ruslis, samples, secur, sendmail, service, site, soft, somebody, someone, sopho,
spm, submit, support, syma, tanford.e, the.bat, unix, usenet, utgers.ed, webmaster,
www, you, your, -._!, -._!@

Both "Microsoft" and "microsoft" are matched by the string "icrosoft".

The worm will also not send e-mails to addresses that contain one of the following strings:

Hostmaster, Support, Administrator, Mail, Service, Admin, Info, Staff, Register, Validation, Webmaster

Hostfile Manipulation:

The worm overwrites the existing hosts file with the following entries to block access to these sites:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.oxyd.fr
127.0.0.1 oxyd.fr
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com

Other Details:

The worm also provides IRC backdoor functionality with the following functions:

Downloading files
Downloading new worm updates
Executing files
Providing uptime information to the remote controller
Providing information about the worm variant to the remote controller
Notifying IRC Channels/Operator via private message
Restarting the computer

It tries to connect to the IRC server irc.blackcarder.net.

History: Analysis and Write-up by: Michael St. Neitzel