Virus Detail

Description

Back to top

Method of Infection

When executed, Win32.Mytob.DM copies itself to %System%\Lien Van de Kelder.exe.

It then sets the following registry values so that it can execute itself at each Windows start:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\http://www.lienvandekelder.be = "%System%\Lien Van de Kelder.exe" HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\http://www.lienvandekelder.be = "%System%\Lien Van de Kelder.exe"

Note: '%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95,98 and ME is C:\Windows\System; and for XP is C:\Windows\System32.

The worm creates a mutex called "H-3-1-1-B-0-T-3-F-1-X-3" so that multiple copies of itself will not execute at the same time.

Back to top

Method of Distribution

Via E-mail

The worm starts its search for target addresses by reading the Windows Address Book referred to by this registry value:

HKCU\Software\Microsoft\WAB\WAB4\Wab File Name

Next it searches the Temporary Internet Files folder, the system drive, and all logical RAM or fixed disks from C:\ to Y:\. Files with the following extensions are processed for e-mail addresses:

txt
htm
sht
jsp
cgi
xml
php
asp
dbx
tbb
adb
pl
wab

Mytob.DM avoids sending itself to any addresses that contain particular strings, such as the following:

abuse
accoun
admin
anyone
bsd
bugs
ca
certific
contact
feste
gold-certs
google
help
icrosoft
info
linux
listserv
me
no
nobody
noone
not
nothing
ntivi
page
postmaster
privacy
rating
root
samples
service
site
soft
somebody
someone
spm
submit
support
the.bat
unix
webmaster
www
you
your

The worm may connect to any mailserver. It attempts to use one of the SMTP servers listed in the following registry key:

HKCU\Software\Microsoft\Internet Account Manager\Accounts

The worm performs DNS MX (mail exchanger) queries to find an appropriate mail server for each domain it tries to send itself to. It performs these queries using the server that is configured as the default DNS server for the local system. If the worm cannot find a mail server, it may try to guess the correct server by pre-appending the following strings to the domain of the e-mail address:

gate.
ns.
relay.
mail1.
mxs.
mx1.
smtp.
mail.
mx.

If it is successful it uses the corresponding e-mail address from that domain as the username when sending mail.

E-mail sent by the worm may use a spoofed From address. They have the following characteristics:

Subject: (may be as follows, or all uppercase or all lowercase):

<blank>
<random characters>
Notice: **Last Warning**
*DETECTED* Online User Violation
Your Email Account is Suspended For Security Reasons
Account Alert
Important Notification
*WARNING* Your Email Account Will Be Closed
Security measures
Email Account Suspension
Notice of account limitation

Message Body:

• Once you have completed the form in the attached file , your account
  records will not be interrupted and will continue as normal.
• The original message has been included as an attachment.
• We regret to inform you that your account has been suspended due to the
  violation of our site policy, more info is attached.
• We attached some important information regarding your account.
• Please read the attached document and follow it's instructions.
• <blank>
• <random characters >

Attachment:

The worm attaches itself using one of the following file names:

email-info
email-doc
information
account-details
document
INFO
instructions
info-text
information

With any one of the following extensions:

bat
cmd
exe
scr
pif

The worm may also attach itself as a ZIP file. The file inside the ZIP archive may have two extensions, the first chosen from the following list:

htm
txt
doc

The second extension is chosen from the following list and is separated from the first extension by a number of spaces:

pif
scr
exe

Example:
information.zip containing "information.htm[many spaces].exe"

Please see below for examples of e-mail messages generated by the worm:

Back to top

Payload

Backdoor Functionality

The worm can be used as an IRC controlled backdoor, allowing a remote user to gain unauthorized access to the infected machine. The worm connects to a particular IRC Server and joins a channel. It then waits for instructions from the channel. The worm can be instructed to perform the following actions on the affected machine:

• Download files
• Download worm updates
• Execute files
• Provide information about the worm variant to the remote controller
• Provide uptime information to the remote controller

Terminates Processes

Mytob.DM terminates the following processes:

Modifies Hosts File

The Hosts file contains the mappings of IP addresses to host names. Windows checks the Hosts file before it queries any DNS servers, which enables it to override addresses in the DNS. On XP, 2000 and NT systems the hosts file is located at %System%\drivers\etc\hosts: on 9x systems the hosts file is located at %Windows%\hosts.

Mytob.DM modifies the Hosts file to redirect the following domains to the localhost, hence effectively stopping affected users from visiting these domains:

www.trendmicro.com
www.microsoft.com
trendmicro.com
rads.mcafee.com
customer.symantec.com
liveupdate.symantec.com
us.mcafee.com
updates.symantec.com
update.symantec.com
www.nai.com
nai.com
secure.nai.com
dispatch.mcafee.com
download.mcafee.com
www.my-etrust.com
my-etrust.com
mast.mcafee.com
ca.com
www.ca.com
networkassociates.com
www.networkassociates.com
avp.com
www.kaspersky.com
www.avp.com
kaspersky.com
www.f-secure.com
f-secure.com
viruslist.com
www.viruslist.com
liveupdate.symantecliveupdate.com
mcafee.com
www.mcafee.com
sophos.com
www.sophos.com
symantec.com
securityresponse.symantec.com
www.symantec.com

Analysis by Hamish O'Dea

Back to top