Win32/Mytob [Threat Name]
Win32/Mytob.D [Threat Variant Name]
Category: worm
Short description
Win32/Mytob.D is a worm that spreads via e-mail and by exploiting a vulnerability in Microsoft Windows. The file is run-time compressed using UPX.
Installation
When executed, the worm copies itself into the %system% folder using the following name:
- wfdmgr.exe
In order to be executed on every system start, the worm sets the following Registry entries:
- [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
- “LSA” = “wfdmgr.exe”
- [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
- “LSA” = “wfdmgr.exe”
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
- “LSA” = “wfdmgr.exe”
The following Registry entries are created:
- [HKLM\Software\Microsoft\OLE]
- “LSA” = “wfdmgr.exe”
- [HKCU\Software\Microsoft\OLE]
- “LSA” = “wfdmgr.exe”
- [HKLM\System\CurrentControlSet\Control\Lsa]
- “LSA” = “wfdmgr.exe”
- [HKCU\System\CurrentControlSet\Control\Lsa]
- “LSA” = “wfdmgr.exe”
Spreading via e-mail
E-mail addresses for further spreading are searched for in local files with one of the following extensions:
- *.wab
- *.adb
- *.tbb
- *.dbx
- *.asp
- *.php
- *.sht
- *.htm
- *.pl
Addresses containing the following strings are avoided:
- .gov
- .mil
- abuse
- accoun
- acketst
- admin
- anyone
- arin.
- avp
- be_loyal:
- berkeley
- borlan
- bsd
- bugs
- certific
- contact
- example
- fcnz
- feste
- fido
- foo.
- fsf.
- gnu
- gold-certs
- gov.
- help
- hotmail
- iana
- ibm.com
- icrosof
- icrosoft
- ietf
- info
- inpris
- isc.o
- isi.e
- kernel
- linux
- listserv
- math
- mit.e
- mozilla
- msn.
- mydomai
- nobody
- nodomai
- noone
- not
- nothing
- ntivi
- page
- panda
- pgp
- postmaster
- privacy
- rating
- rfc-ed
- ripe.
- root
- ruslis
- samples
- secur
- sendmail
- service
- site
- soft
- somebody
- someone
- sopho
- spm
- submit
- support
- syma
- tanford.e
- the.bat
- unix
- usenet
- utgers.ed
- webmaster
- www
- you
- your
- -._!
- -._!@
Some of the following strings may be used to form the sender address:
- adam
- alex
- alice
- andrew
- anna
- bill
- bob
- brenda
- brent
- brian
- claudia
- dan
- dave
- david
- debby
- fred
- george
- helen
- jack
- james
- jane
- jerry
- jim
- jimmy
- joe
- john
- jose
- julie
- kevin
- leo
- linda
- maria
- mary
- matt
- michael
- mike
- peter
- ray
- robert
- sam
- sandra
- serg
- smith
- stan
- steve
- ted
- tom
Subject of the message is one of the following:
- Error
- Status
- STATUS
- Server Report
- SERVER REPORT
- Mail Transaction Failed
- Mail Delivery System
- hello
- HELLO
- hi
- HI
- test
- TEST
Body of the message:
The body can be blank, or it may contain random strings.
The attachment is either an executable of the worm, or a ZIP archive containing it.
Its filename is one of the following:
- body
- message
- test
- data
- file
- text
- doc
- readme
- document
If the attachment is an executable file, the name has one of the following extensions:
- bat
- cmd
- exe
- scr
- pif
- zip
A double extension may be used.
The first is one of the following:
- htm
- txt
- doc
The second is one of the following:
- pif
- scr
- exe
Many space characters can be used to separate the two extensions.
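As an added defensive example (not part of the original description), the following Python filter applies the subject and attachment-naming indicators listed above to incoming mail metadata, including the double-extension form with many spaces between the extensions; the sample messages at the bottom are constructed, not taken from a real capture.

```python
import re

# Indicator lists transcribed from the description above.
SUBJECTS = {"Error", "Status", "STATUS", "Server Report", "SERVER REPORT",
            "Mail Transaction Failed", "Mail Delivery System",
            "hello", "HELLO", "hi", "HI", "test", "TEST"}
BASENAMES = {"body", "message", "test", "data", "file", "text",
             "doc", "readme", "document"}
SINGLE_EXT = {"bat", "cmd", "exe", "scr", "pif", "zip"}
FIRST_EXT = {"htm", "txt", "doc"}
SECOND_EXT = {"pif", "scr", "exe"}

# "readme.zip" / "body.scr"
SINGLE_RE = re.compile(r"^([a-z]+)\.([a-z]+)$", re.IGNORECASE)
# "document.txt          .scr": any number of spaces may sit between the extensions
DOUBLE_RE = re.compile(r"^([a-z]+)\.([a-z]+) *\.([a-z]+)$", re.IGNORECASE)


def attachment_matches(filename: str) -> bool:
    """True if an attachment name fits the Mytob.D naming scheme (case-insensitive)."""
    m = DOUBLE_RE.match(filename)
    if m:
        base, first, second = (s.lower() for s in m.groups())
        return base in BASENAMES and first in FIRST_EXT and second in SECOND_EXT
    m = SINGLE_RE.match(filename)
    if m:
        base, ext = (s.lower() for s in m.groups())
        return base in BASENAMES and ext in SINGLE_EXT
    return False


def assess_message(subject: str, attachments: list[str]) -> list[str]:
    """Return the indicators a message triggers; an empty list means no match."""
    hits = []
    if subject in SUBJECTS:
        hits.append("subject")
    hits.extend("attachment:" + n for n in attachments if attachment_matches(n))
    return hits


def should_quarantine(subject: str, attachments: list[str]) -> bool:
    """Subjects like "hi" or "test" are common in legitimate mail, so the subject
    indicator only corroborates; quarantine requires an attachment-name match."""
    return any(h.startswith("attachment:") for h in assess_message(subject, attachments))


# Constructed sample messages (not from any real capture).
SAMPLES = [
    ("Mail Delivery System", ["document.txt                 .scr"]),  # quarantine
    ("hi", ["readme.zip"]),                                           # quarantine
    ("hi", ["notes.txt"]),                                            # subject only
    ("Quarterly figures", ["report.pdf"]),                            # clean
]
```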
Other information
The worm generates random IP addresses.
It connects to port 445 on these machines and tries to exploit the LSASS buffer overflow vulnerability [MS04-011].
If the exploit succeeds, a copy of the worm is retrieved from the attacking machine using the FTP protocol.
The worm contains a backdoor.
The worm is able to update itself or execute an arbitrary file.
It can send various information about the infected computer to an attacker.