WORM_MYTOB.LP

Malware type: Worm

Aliases: Email-Worm.Win32.Doombot.b (Kaspersky), W32.Mytob.KU@mm (Symantec), Worm/Mytob.KS (Avira), W32/Mytob-GH (Sophos),

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This memory-resident worm arrives as an attachment to email messages. The email message usually poses as an account notification in order to trick a user into downloading and executing the attachment.

The email it sends out has the following details:

Subject:(any of the following)
• Notice of account limitation
• Email Account Suspension
• Security measures
• Members Support
• Important Notification
• Warning Message: Your services near to be closed.
• Your Account is Suspended For Security Reasons
• Your password has been successfully updated
• *DETECTED* Online User Violation
• Your Account is Suspended
• Your new account password is approved
• You have successfully updated your password
• Your password has been successfully updated
• Your password has been updated

Message body: (any of the following)
---
Dear user {name of recipient},

You have successfully updated the password of your {random domain name} account.

If you did not authorize this change or if you need assistance with your account, please contact {random domain name} customer service at: {mail@random domain name}

Thank you for using {random domain name}!

The {random domain name} Support Team

%20%20%20 Attachment: No Virus (Clean)
%20%20%20 {random antivirus name} Antivirus - www.{random domain name}.com

---
Dear user {name of recipient},

It has come to our attention that your {random domain name} User Profile ( x ) records are out of date. For further details see the attached document.

Thank you for using {random domain name}!

The {random domain name} Support Team

%20%20%20 Attachment: No Virus (Clean)
%20%20%20 {random domain name} Antivirus - www.{random domain name}.com

---
Dear {random domain name} Member,

We have temporarily suspended your email account {email address }.

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.See the details to reactivate your {random domain name} account.

Sincerely,The {random domain name} Support Team

%20%20%20 Attachment: No Virus (Clean)
%20%20%20 {random domain name } Antivirus - www.{random domain name}.com

---
Dear {random domain name} Member,

Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.

If you choose to ignore our request, you leave us no choice but to cancel your membership.

Virtually yours,
The {random domain name} Support Team

%20%20%20 Attachment: No Virus (Clean)
%20%20%20 {random domain name} Antivirus - www.{random domain name}.com

Attachment: (any of the following)
• accepted-password
• account-details
• account-info
• account-password
• account-report
• approved-password
• document
• email-details
• email-password
• important-details
• new-password
• password
• readme
• updated-password

(with any of the following extensions)

• BAT
• CMD
• EXE
• PIF
• SCR
• ZIP

This worm has backdoor capabilities. It opens various ports, allowing a remote user to perform malicious commands on the affected machine. The said routine provides remote users virtual control over affected systems, thus compromising system security.

Moreover, it prevents affected users from accessing several antivirus and security Web sites by modifying the HOSTS file. It also terminates several processes running in memory.

For additional information about this threat, see:

Description created: Oct. 15, 2005 3:49:22 PM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident:  Yes

Size of malware: 27,480 Bytes

Ports used: Random

Initial samples received on: Oct 15, 2005

Compression type: Upack

Payload 1: Terminates processes

Trigger condition 1: Upon execution

Payload 2: Modifies HOSTS file

Trigger condition 1: Upon execution

Payload 3: Compromises system security

Trigger condition 1: Upon execution

Details:

Arrival and Installation

This worm arrives as an attachment to an email message. Upon execution, it drops a copy of itself as D.EXE in the Windows system folder. It then creates the following registry entries to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
SYSTEM = "d.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\RunServices
SYSTEM = "d.exe"

It also disables the Internet Connection Sharing service by modifying the following entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess
Start = "dword:00000004"

(Note: The default value is Start = "dword:00000003".)

Propagation Technique

This worm propagates by sending a copy of itself as an attachment to email messages, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine.

The email it sends out contain the following details:

Subject:(any of the following)
• Notice of account limitation
• Email Account Suspension
• Security measures
• Members Support
• Important Notification
• Warning Message: Your services near to be closed.
• Your Account is Suspended For Security Reasons
• Your password has been successfully updated
• *DETECTED* Online User Violation
• Your Account is Suspended
• Your new account password is approved
• You have successfully updated your password
• Your password has been successfully updated
• Your password has been updated

Message body: (any of the following)
---
Dear user {name of recipient},

You have successfully updated the password of your {random domain name} account.

If you did not authorize this change or if you need assistance with your account, please contact {random domain name} customer service at: {mail@random domain name}

Thank you for using {random domain name}!

The {random domain name} Support Team

%20%20%20 Attachment: No Virus (Clean)
%20%20%20 {random antivirus name} Antivirus - www.{random domain name}.com

---
Dear user {name of recipient},

It has come to our attention that your {random domain name} User Profile ( x ) records are out of date. For further details see the attached document.

Thank you for using {random domain name}!

The {random domain name} Support Team

%20%20%20 Attachment: No Virus (Clean)
%20%20%20 {random domain name} Antivirus - www.{random domain name}.com

---
Dear {random domain name} Member,

We have temporarily suspended your email account {email address }.

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.See the details to reactivate your {random domain name} account.

Sincerely,The {random domain name} Support Team

%20%20%20 Attachment: No Virus (Clean)
%20%20%20 {random domain name } Antivirus - www.{random domain name}.com

---
Dear {random domain name} Member,

Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.

If you choose to ignore our request, you leave us no choice but to cancel your membership.

Virtually yours,
The {random domain name} Support Team

%20%20%20 Attachment: No Virus (Clean)
%20%20%20 {random domain name} Antivirus - www.{random domain name}.com

Attachment: (any of the following)
• accepted-password
• account-details
• account-info
• account-password
• account-report
• approved-password
• document
• email-details
• email-password
• important-details
• new-password
• password
• readme
• updated-password

(with any of the following extensions)

• BAT
• CMD
• EXE
• PIF
• SCR
• ZIP

It gathers target email addresses from the Windows Address Book (WAB). It may also generate email addresses by using any of the following names appended with a domain name which it copies from previously harvested email addresses:

  • andrew
  • brenda
  • brent
  • brian
  • claudia
  • david
  • debby
  • frank
  • george
  • helen
  • james
  • jerry
  • jimmy
  • julie
  • kevin
  • linda
  • maria
  • michael
  • peter
  • robert
  • sales
  • sandra
  • smith
  • steve

It avoids sending messages to email addresses that contain any of the following strings:

  • anyone
  • contact
  • feste
  • gold-certs
  • nobody
  • noone
  • nothing
  • postmaster
  • privacy
  • rating
  • samples
  • service
  • somebody
  • someone
  • submit
  • the.bat
  • webmaster

It also specifically avoids sending email to addresses containing any of the following substrings in the email name and domain name:

Name:

  • abuse
  • accoun
  • admin
  • administrato
  • certific
  • google
  • icrosoft
  • linux
  • listserv
  • ntivi
  • register
  • secur
  • service
  • support

Domain name:

  • acketst
  • arin.
  • berkeley
  • borlan
  • example
  • google
  • hotmail
  • ibm.com
  • icrosof
  • inpris
  • isc.o
  • isi.e
  • kernel
  • linux
  • mit.e
  • mozilla
  • mydomai
  • nodomai
  • panda
  • rfc-ed
  • ripe.
  • ruslis

It sends its email messages using SMTP. It does this by checking for the default SMTP server in the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts

If it does not find a default mail server, it queries the message exchange servers of the gathered email addresses by appending the domain names of the said addresses with the following strings:

  • gate.
  • mail.
  • mail1.
  • mx.
  • mx1.
  • mxs.
  • ns.
  • relay.
  • smtp.

Backdoor Capabilities

This worm also has backdoor capabilities, which enable it to connect to an Internet Relay Chat (IRC) server. It opens a random port and joins an IRC channel, where it listens for commands coming from a remote malicious user. Once connected, the remote malicious user can issue the following commands on an affected system:

HOSTS File Modification

This worm also modifies the system's HOSTS file, which contains host name to IP address mappings. It appends a list of Web site addresses and directs it to the loopback address (127.0.0.1). This prevents a user from accessing the specified locations. Instead, the user is redirected to the local Web site of the infected system.

The said routine is done so that the following antivirus-related Web sites can no longer be accessed by the user:

Process Termination

This worm is also capable of terminating the following processes running in the system:

Other Details

This worm affects systems running on Windows 95, 98, ME, NT, 2000, XP, and Server 2003.

Analysis By: Millette Regulacio


SOLUTION


Minimum scan engine version needed: 7.000

Pattern file needed: 2.904.01

Pattern release date: Oct 19, 2005


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Identifying the Malware Program

To remove this malware, first identify the malware program.

  1. Scan your system with your Trend Micro antivirus product.
  2. NOTE the path and file name of all files detected as WORM_MYTOB.LP.

Trend Micro customers need to download the latest virus pattern file before scanning their system. Other users can use Housecall, Trend Micro's online virus scanner.

Terminating the Malware Program

Since this malware terminates the Windows Task Manager, it is necessary to use third party process viewers such as Process Explorer. You will need the name(s) of the file(s) detected earlier.

If the process you are looking for is not in the list displayed by Process Explorer, proceed to the succeeding solution set.

  1. Download Process Explorer.
  2. Extract the contents of the compressed (ZIP) file to a location of your choice.
  3. Execute Process Explorer by double-clicking procexp.exe.
  4. In the Process Explorer window, locate the malware file(s) detected earlier.
  5. Right-click one of the detected files, then click Kill Process Tree.
  6. Do the same for all detected malware files in the list of running processes.
  7. Close Process Explorer.

Editing the Registry

This malware modifies the system's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:

  1. HOW TO: Backup, Edit, and Restore the Registry in Windows 95, Windows 98, and Windows ME
  2. HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
  3. HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
  4. HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

If the registry entries below are not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    SYSTEM = "d.exe"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>CurrentVersion>RunServices
  5. In the right panel, locate and delete the entry:
    SYSTEM = "d.exe"

Restoring Modified Entries from the Registry

  1. Still in the Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet> Services>SharedAccess
  2. In the right panel, locate the entry:
    Start = "dword:00000004"
  3. Right-click on this registry entry and choose Modify.
    Change the value of this entry to:
    Start = "dword:00000003"
  4. Close Registry Editor.

Removing Malware Entries from the HOSTS File

Deleting malware entries from the HOSTS file removes all malware-made changes on host name association.

  1. Open the following file using a text editor (such as NOTEPAD):
    • On Windows 95, 98, and ME:
      %Windows%\HOSTS
    • On Windows NT, 2000, XP, and Server 2003:
      %System%\drivers\etc\HOSTS
    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
  2. Delete the following entries:
    • 127.0.0.1 www.symantec.com
    • 127.0.0.1 securityresponse.symantec.com
    • 127.0.0.1 symantec.com
    • 127.0.0.1 www.sophos.com
    • 127.0.0.1 sophos.com
    • 127.0.0.1 www.mcafee.com
    • 127.0.0.1 mcafee.com
    • 127.0.0.1 liveupdate.symantecliveupdate.com
    • 127.0.0.1 www.viruslist.com
    • 127.0.0.1 viruslist.com
    • 127.0.0.1 viruslist.com
    • 127.0.0.1 f-secure.com
    • 127.0.0.1 www.f-secure.com
    • 127.0.0.1 kaspersky.com
    • 127.0.0.1 kaspersky-labs.com
    • 127.0.0.1 www.avp.com
    • 127.0.0.1 www.kaspersky.com
    • 127.0.0.1 avp.com
    • 127.0.0.1 www.networkassociates.com
    • 127.0.0.1 networkassociates.com
    • 127.0.0.1 www.ca.com
    • 127.0.0.1 ca.com
    • 127.0.0.1 mast.mcafee.com
    • 127.0.0.1 my-etrust.com
    • 127.0.0.1 www.my-etrust.com
    • 127.0.0.1 download.mcafee.com
    • 127.0.0.1 dispatch.mcafee.com
    • 127.0.0.1 secure.nai.com
    • 127.0.0.1 nai.com
    • 127.0.0.1 www.nai.com
    • 127.0.0.1 update.symantec.com
    • 127.0.0.1 updates.symantec.com
    • 127.0.0.1 us.mcafee.com
    • 127.0.0.1 liveupdate.symantec.com
    • 127.0.0.1 customer.symantec.com
    • 127.0.0.1 rads.mcafee.com
    • 127.0.0.1 trendmicro.com
    • 127.0.0.1 pandasoftware.com
    • 127.0.0.1 www.pandasoftware.com
    • 127.0.0.1 www.trendmicro.com
    • 127.0.0.1 www.grisoft.com
    • 127.0.0.1 www.microsoft.com
    • 127.0.0.1 microsoft.com
    • 127.0.0.1 www.virustotal.com
    • 127.0.0.1 virustotal.com
    • 127.0.0.1 www.amazon.com
    • 127.0.0.1 www.amazon.co.uk
    • 127.0.0.1 www.amazon.ca
    • 127.0.0.1 www.amazon.fr
    • 127.0.0.1 www.paypal.com
    • 127.0.0.1 paypal.com
    • 127.0.0.1 moneybookers.com
    • 127.0.0.1 www.moneybookers.com
    • 127.0.0.1 www.ebay.com
    • 127.0.0.1 ebay.com
  3. Save the file and close the text editor.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your system normally before performing the following solution.

Scan your system with Trend Micro antivirus and delete files detected as WORM_MYTOB.LP. To do this, Trend Micro customers must download the latest virus pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's online virus scanner.




Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.