Win32/Mytob.AX
Created: 2007-06-25 20:34:22
Compressor: UPack
Language: Visual C++
Affected operating system(s): Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000
Non-affected operating system(s): Windows 3.xx, DOS, Linux, Unix, Solaris

Naming
Different antivirus applications use different names for the same virus or worm. Sometimes one antivirus application identifies the same malware under different names for different copies, or different viruses and worms are identified under the same name. The informative list below contains the names given to this malware by the most popular antivirus applications; the names can vary between versions of the same antivirus application.
Installation
The main purpose of viruses and worms spreading on the Internet and on local networks is to infect other computers. After infecting a computer, the malware can modify the system so that its code is launched again after a reboot. For this purpose malware usually creates files in the operating system's own directories and modifies the registry so that the operating system executes the malware code at startup. It may also create files in other directories of the file system. Viruses and worms may also create AUTORUN.INF files in the root directories of the drives; in this case, with the default Windows settings, the malware is executed automatically as soon as the user opens the root directory of that drive.

The worm creates the following files:

In the Windows System32 folder (default: C:\Windows\System32):

In the root folder of the drive(s):

Win32/Mytob.AX worm creates the following registry entries, or modifies them if they already exist:

Malware can also infect other computers through shared folders; a curious user sitting at the other machine can easily launch the malware code. Win32/Mytob.AX worm uses the following folder as a shared folder:

E-mail messages
The main aim of worms spreading by e-mail is to infect other computers. For this purpose they create and send e-mail messages to various addresses. The body of these messages usually carries the worm's code, but it is also possible that only a link is placed in the body and the user downloads the worm's code. E-mail worms can create e-mail messages with various parameters. Win32/Mytob.AX worm creates e-mail messages in order to propagate itself. To spread more effectively, e-mail worms and viruses use the attacked computer not only to forward their code but also to search for potential e-mail addresses.
These e-mail addresses are used as the recipient and/or the sender of the message, so the sender address is spoofed by the malware. Win32/Mytob.AX worm searches for e-mail addresses in the Temporary Internet Files directory and in files with one of the following extensions:

To send e-mail messages, viruses and worms try to find the SMTP server used on the local area network. Win32/Mytob.AX worm tries to use the current domain name with the following prefixes as the SMTP server for sending e-mail messages:

The worm also uses the registry entry [HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts] to find an SMTP server. The characteristics of the e-mail messages are the following:
Security holes, vulnerabilities
A virus or worm circulating on the Internet can exploit not only user interaction but also unpatched security holes in the operating system or in applications. By exploiting such vulnerabilities it can take control over the attacked computer. To help its distribution, Win32/Mytob.AX worm exploits the vulnerability known as Microsoft MS04-011. The buffer overflow error in the LSASS.EXE (Local Security Authority Subsystem Service) program allows remote code execution on affected systems, so the attacker can take remote control over the computer.

Attacks on the Internet
Viruses and worms can attack other computers on the Internet and make them unusable. The worm modifies the hosts file, making the following web pages unreachable:

Backdoor
Viruses and worms more and more frequently open backdoors on the attacked computer, giving the attacker full control over the machine: s/he can run or stop programs and applications, upload or download files, and steal passwords and access codes. Win32/Mytob.AX worm opens a backdoor on TCP port 445. One way to open a backdoor on the attacked machine is to install an IRC client; via this IRC connection the attacker can control the computer remotely, and the malware code can also be sent over the IRC connection. Win32/Mytob.AX worm tries to connect to the 19.xxor.biz IRC server and to the #m-rl4 channel.

The first target of viruses and worms on the attacked computer is the shared folders, through which they can spread on local area networks as well as over peer-to-peer (P2P) connections. They may also try to connect to shared folders outside the LAN. It uses passwords from the following list:
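The hosts-file modification described under "Attacks on the Internet" is easy to check for on a suspect machine. The following Python script is an added example, not part of the original description: it parses hosts-file content and reports every host name mapped to a loopback or unspecified address other than the default localhost entries, which is how a worm silently makes update and security sites unreachable. The file content and host names are constructed; the actual list of sites blocked by the worm is not reproduced here.

```python
"""Added example (not from the original description): inspect a Windows hosts
file for entries that redirect host names to the loopback or unspecified
address, the technique used to make security-related web sites unreachable.
The sample content and host names are constructed."""
import ipaddress

# Constructed hosts file content. The two localhost lines are the normal defaults.
SAMPLE_HOSTS = """\
# Sample hosts file (constructed for this example)
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test
127.0.0.1       www.example-av.test   # added by malware
0.0.0.0         downloads.example-security.test
192.0.2.10      intranet.example-corp.test
"""

DEFAULT_NAMES = {"localhost"}


def parse_hosts(text):
    """Return a list of (address, hostname) pairs; comments, blank and malformed lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an IP address, skip the line
        for name in parts[1:]:
            entries.append((addr, name.lower()))
    return entries


def sinkholed_names(text):
    """Return the sorted host names mapped to loopback (127/8, ::1) or unspecified
    (0.0.0.0, ::) addresses, excluding the default localhost entries. Such entries
    break name resolution for those sites; a hosts file containing them is worth
    examining, although ad-blocking hosts lists produce the same pattern."""
    flagged = set()
    for addr, name in parse_hosts(text):
        if name in DEFAULT_NAMES:
            continue
        if addr.is_loopback or addr.is_unspecified:
            flagged.add(name)
    return sorted(flagged)


if __name__ == "__main__":
    for name in sinkholed_names(SAMPLE_HOSTS):
        print("blocked by hosts file:", name)
```

On Windows the file to pass in is %SystemRoot%\System32\drivers\etc\hosts. Note that the page's other indicator, a backdoor on TCP port 445, cannot be checked the same way: 445 is the normal SMB listening port, so a listener there is expected and only the owning process and its connections tell it apart from the worm's backdoor.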