Name: Win32.Mytob.qf
Threat Level:
Alias: Win32.Mytob.qf, WORM_MYTOB.QF
Date: 30 April, 2006
Type: Win32, Worm, Trojan
Damage: Create files, Send Email, Prevent normal OS operation, Remote control, Lowers security
Platform: Win 95, Win 98, Win ME, Win NT, Win 2K, Win XP

Analysis
Win32.Mytob.qf is a mass-mailing worm that can open a backdoor on the infected system, spread using various methods and lower security settings.

The arriving email will have the following characteristics:
Subject: The subject of this mail will be blank, completely random or one of the following:

Error
Hello
Mail delivery system
Mail transaction failed
Server report
Status

Message body: Like the subject, the body of this mail will be either blank, random or one of the following:

Mail Transaction failed. Partial Message is available.
The message cannot be represented in 7-bit ASCII and has been sent as a binary attachment.
The message contains Unicode characters and has been sent as binary attachment.


Attached File: The attached file will have one of the following names:

data
doc
document
file
message
readme
text


followed by:

.bat
.cmd
.doc
.exe
.htm
.pif
.scr
.txt


with one of the following extensions:

.bat
.cmd
.exe
.pif
.scr


Malicious activity
When the worm is executed, it does the following:

1. It drops a copy of itself into the default Windows System folder as LCD32.exe. Another malicious file is dropped to the same location as winstart.pif.

2. To run on every startup, it will modify the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"LCD" = "sysdir\LCD32.exe"
(where sysdir is the default Windows System folder named in step 1)


3. It also attempts to spread via network shares, logging in with usernames and passwords selected at random from an internal list.

4. The worm also attempts to spread by exploiting the following known vulnerabilities:

Buffer overflow in DameWare Mini Remote Control
Windows DCOM RPC Vulnerability
WebDav vulnerability
Windows LSASS vulnerability

5. It then drops copies of itself into several folders used by default by various peer-to-peer (P2P) applications (if found on the system).

6. It will then connect to a specific IRC channel and attempt to send itself to all users connected to it.

7. The worm will also attempt to send itself via instant messenger applications such as MSN Messenger or Windows Messenger.

8. It will then connect to an IRC server, connect to a pre-determined channel and listen for remote commands. A hacker operating from a remote location can take over infected systems in this manner.

9. The worm will also attempt to terminate security related applications found on the system.

10. Finally, the worm will harvest the system for email addresses and send copies of itself to all contacts found (although some addresses may be avoided by the worm).

eSafe Users
eSafe users are protected against this vandal using the latest vandal/virus update.

A new vandal/virus update is available.
Update date: April 30, 2006
Update version: SV150

eSafe Gateway and eSafe Mail Users
Your product will be automatically updated.
You can also use the "Update now" option from within the product eConsole.

New Users
More information about eSafe Content Security Products as well as trial versions is available from here.