Win32/Mytob.AX

Created: 2007-06-25, 20:34:22
Last updated on: 2010-11-26, 09:30:52

Platform: Win32
Type: worm
Size: 50838
Date: 2005-04-19

Compressor: UPack
Language: Visual C++
Endangered operating system(s): Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000 all...
Non-endangered operating system(s): Windows 3.xx, DOS, Linux, Unix, Solaris all...

Naming

Different antivirus applications use different names for the same individual virus or worm. Sometimes one antivirus application identifies the same malware under different names for different copies, or different viruses and worms are identified with the same name. The informative list below contains the names given to this malware by the most popular antivirus applications. The names can also vary between versions of the same antivirus application.

Antivirus             Name
Avast                 Win32:Mytob-AW
AVG                   I-Worm/Mytob.BF
BitDefender           Win32.Worm.Mytob.M
e-Trust               Win32/Mytob.BI
F-PROT                W32/Mytob.BW@mm
F-Secure              Net-Worm.Win32.Mytob.m
Ikarus                Net-Worm.Win32.Mytob
Kaspersky             Net-Worm.Win32.Mytob.m
McAfee                W32/Mytob.gen@MM(Virus)
Microsoft             Win32/Mytob.Z@mm
NOD32 (ESET)          Win32/Mytob.AX
Norton Antivirus      W32.Mytob.AH@mm
Panda                 W32/Mytob.AK.worm
Rising Antivirus      Worm.Mytob.bq
Sophos                W32/Mytob-BX
Trend Micro           WORM_MYTOB.BX
VirusBuster           I-Worm.Mytob.BL

Installation

The main purpose of viruses and worms spreading on the Internet and on local networks is to infect other computers. After infection, the malware can modify the system so that its code is launched again after a reboot. For this purpose malware usually creates files in the operating system's area and modifies the registry so that the operating system executes the malware code at startup. It may also create files in other areas (directories) of the file system. Viruses and worms may also create AUTORUN.INF files in the root directories of drives; in this case, under the default settings of Windows, the malware is executed automatically as soon as the user opens the root directory of that drive.

The worm creates the following files:

In the Windows System32 folder (default: C:\Windows\System32):

  • taskgmr.exe
  • 2pac.txt
  • bingoo.exe

In the root folder of the drive(s):

  • funny_pic.scr
  • hellmsn.exe
  • my_photo2005.scr
  • see_this!!.scr

The Win32/Mytob.AX worm creates the following registry entries, or modifies them if they already exist:

  • [HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa] "WINRUN"="taskgmr.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\OLE] "WINRUN"="taskgmr.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "WINRUN"="taskgmr.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole] "WINRUN"="taskgmr.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] "WINRUN"="taskgmr.exe"
  • more...
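A defender can check an exported registry hive for the persistence pattern listed above. The following is an added example, not code from the original description: it parses a .reg text export (constructed sample inline, file name and helper names are assumptions) and reports every WINRUN value pointing at taskgmr.exe, noting whether the key is one of the documented Mytob.AX locations.

```python
import re

# Persistence indicators taken from the Win32/Mytob.AX description above.
WINRUN_VALUE = "WINRUN"
WINRUN_DATA = "taskgmr.exe"
MYTOB_KEYS = {k.lower() for k in (
    r"HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")          # [HKEY_...\Sub\Key]
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')  # "name"=data

def find_mytob_persistence(reg_text):
    """Scan a .reg export and return (key, value_name, data, documented_key)
    for every value matching the Mytob.AX WINRUN=taskgmr.exe pattern."""
    hits, current_key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not m or current_key is None:
            continue
        name, data = m.group("name"), m.group("data").strip()
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1]  # REG_SZ data is quoted in .reg files
        if name.upper() == WINRUN_VALUE and data.lower().endswith(WINRUN_DATA):
            hits.append((current_key, name, data, current_key.lower() in MYTOB_KEYS))
    return hits

# Constructed .reg export: two Mytob entries beside two benign Run values.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\OneDrive.exe"
"WINRUN"="taskgmr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"WINRUN"="taskgmr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"""
```

Real exports written by regedit (Version 5.00) are UTF-16LE, so open them with encoding="utf-16" before passing the text in; a WINRUN value found outside the documented keys is still worth a look, since the "more..." list above is truncated.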

Malware can also infect other computers through shared folders; in this case a curious user sitting at the other machine can easily launch the malware's code.

The Win32/Mytob.AX worm uses the following shared folders:

  • ipc$
  • e$
  • profiles$
  • SYSVOL
  • NETLOGON
  • more...

E-mail messages

The main aim of worms spreading by e-mail is to infect other computers. For this purpose they create and send e-mail messages to various addresses. The body of these messages usually includes the code of the worm, but it is also possible that only a link is placed in the body and the user downloads the worm's code from it. E-mail worms can create messages with various parameters.

To spread, the Win32/Mytob.AX worm creates e-mail messages and uses them to propagate itself.

To spread more effectively, e-mail worms and viruses use the attacked computer not only to forward their code but also to search for potential e-mail addresses. These addresses are used as the addressee and/or the sender of the message; the sender address is thus modified (spoofed) by the malware.

The Win32/Mytob.AX worm searches for e-mail addresses in the Temporary Internet Files directory.

The Win32/Mytob.AX worm searches for e-mail addresses in files with one of the following extensions:

In order to send e-mail messages, viruses and worms try to find the SMTP server used on the local area network.

The Win32/Mytob.AX worm tries to use the current domain name combined with the following prefixes as the SMTP server for sending e-mail messages:

  • gate.
  • ns.
  • relay.
  • mail1.
  • mxs.
  • more...

The worm uses the Registry entry [HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts] to find an SMTP server.
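The prefix probing described above is visible in DNS query logs: an infected host looks up several of these candidate names under the local domain in quick succession. The following detection is an added example, not part of the original description; the log line format ("<time> <client-ip> query <name>") and the sample lines are constructed, and the prefix list is the truncated one given on this page.

```python
import re
from collections import defaultdict

# SMTP-discovery prefixes listed for Win32/Mytob.AX (the page's list is truncated).
MYTOB_SMTP_PREFIXES = ("gate.", "ns.", "relay.", "mail1.", "mxs.")

# Constructed log format, one query per line: "<time> <client-ip> query <name>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)$")

def mytob_smtp_probe_hosts(log_lines, local_domain, threshold=3):
    """Return {client_ip: sorted(prefixes)} for clients that looked up at least
    `threshold` distinct Mytob-style SMTP candidates under `local_domain`."""
    local_domain = local_domain.lower().rstrip(".")
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line
        _, client, name = m.groups()
        name = name.lower().rstrip(".")
        for prefix in MYTOB_SMTP_PREFIXES:
            if name == prefix + local_domain:
                seen[client].add(prefix)
    return {ip: sorted(p) for ip, p in seen.items() if len(p) >= threshold}

# Constructed sample: one host probes four candidates, another makes a single
# legitimate ns. lookup and a normal web lookup.
SAMPLE_DNS_LOG = [
    "10:01:02 192.168.1.55 query gate.example.org",
    "10:01:02 192.168.1.55 query ns.example.org",
    "10:01:03 192.168.1.55 query relay.example.org",
    "10:01:03 192.168.1.55 query mail1.example.org",
    "10:01:09 192.168.1.77 query ns.example.org",
    "10:01:10 192.168.1.77 query www.example.org",
    "malformed line",
]
```

The threshold keeps a host that resolves one mail relay out of the report; a real deployment would also bound the time window, which this sample omits.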

The characteristics of the e-mail messages are the following:

Sender

The sender of the message can be created using different methods. The possibilities are the following:

The user name in the sender e-mail address can be one of the following:

  • sandra
  • lolita
  • britney
  • bush
  • linda
  • more...

The worm can use the following domain names to create the sender e-mail address:

  • aol.com
  • cia.gov
  • fbi.gov
  • hotmail.com
  • juno.com
  • msn.com
  • yahoo.com

The worm collects e-mail addresses from the infected (or previously infected) computers in order to use them as the sender e-mail address.


Addressee

The worm sends the e-mail messages to the collected addresses.

The worm does not send infected e-mail messages to addresses containing one of the following strings:

  • accoun
  • admin
  • anyone
  • bat
  • bugs
  • more...

Subject

The infected e-mail messages can have different Subjects. The possibilities are the following:

The possible Subjects of the infected e-mail message are:

  • ERROR
  • Error
  • GOOD DAY
  • Good day
  • HELLO
  • more...

The worm can use a randomly generated text for the Subject of the infected e-mail message.

The worm can also create infected e-mail messages with a blank Subject field.


Attachment

The attachment of the e-mail message sent by the worm can be of different types. The possibilities are the following:

The name of the attachment of the e-mail message sent by the worm can be one of the following:

  • body
  • data
  • doc
  • document
  • file
  • more...

The worm can also build the name of the attachment of the outgoing infected e-mail message from randomly selected characters.

The file extension of the attachment of the e-mail message sent by the worm can be one of the following:



Security holes, vulnerabilities

A virus or worm circulating on the Internet can exploit not only the user's interaction but also unpatched security holes in the operating system or applications. By exploiting such vulnerabilities it is capable of taking control of the attacked computer.

To aid its distribution, the Win32/Mytob.AX worm exploits the vulnerability known as Microsoft MS04-011.

A buffer overflow in LSASS.EXE (Local Security Authority Subsystem Service) allows remote code execution on affected systems, so the attacker can take remote control of the computer.

Attacks on the Internet

Viruses and worms can attack other computers on the Internet and disable their use.

The worm modifies the hosts file, making the following web sites unreachable:

  • avp.com
  • ca.com
  • customer.symantec.com
  • dispatch.mcafee.com
  • download.mcafee.com
  • more...
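A quick way to spot this tampering is to parse the hosts file and flag any mapping for the vendor names listed above. The code below is an added example (not from the original description): the parser and the constructed sample hosts file are assumptions, and it flags a watched name or any subdomain of it regardless of the address it is mapped to, since a clean hosts file has no entries for these hosts at all.

```python
import ipaddress

# Security-vendor hosts the description says Win32/Mytob.AX blocks
# (the page's list is truncated).
MYTOB_BLOCKED_HOSTS = {
    "avp.com", "ca.com", "customer.symantec.com",
    "dispatch.mcafee.com", "download.mcafee.com",
}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a hosts file.
    Handles comments, blank lines, tabs and several names on one line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a valid mapping line
        for host in parts[1:]:
            yield line_no, str(ip), host.lower()

def find_hijacked_av_hosts(text, watch=MYTOB_BLOCKED_HOSTS):
    """Return mappings for a watched vendor host or any subdomain of it.
    A clean hosts file has no such entries, so every hit is suspicious."""
    return [(n, ip, host) for n, ip, host in parse_hosts(text)
            if host in watch or any(host.endswith("." + w) for w in watch)]

# Constructed hosts file: standard entries plus Mytob-style AV redirects.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# the next three lines imitate the worm's tampering
127.0.0.1\tavp.com www.avp.com
0.0.0.0 download.mcafee.com
127.0.0.1 customer.symantec.com   # trailing comment
192.168.1.20 intranet.example
not-an-ip garbage
"""
```

On a live Windows system the file to read is %SystemRoot%\System32\drivers\etc\hosts; pass its contents to find_hijacked_av_hosts.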

Backdoor

Viruses and worms increasingly open backdoors on the attacked computer, through which the attacker can take full control of the machine. The attacker can then do whatever s/he wants on the computer: run or stop programs and applications, upload or download files, steal passwords and access codes.

The Win32/Mytob.AX worm opens a backdoor on TCP port 445.

One way to open a backdoor on the attacked machine is to install an IRC client. Via this IRC connection the attacker can control the computer remotely, and it is also possible to send the malware's code over the IRC connection.

The Win32/Mytob.AX worm tries to connect to the IRC server 19.xxor.biz and to the channel #m-rl4.

The first target of viruses and worms on the attacked computer is shared folders; through them they can spread on local area networks as well as over peer-to-peer (P2P) connections. They may also try to establish connections to other shared folders beyond the LAN.

When doing so, the worm tries passwords from the following list:

  • Cisco
  • CISCO
  • ROOT
  • Root
  • oeminstall
  • more...