W32.Mytob.IM@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer. The worm also spreads through the network by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).
When W32.Mytob.IM@mm is executed, it performs the following actions:
1. Copies itself as %System%\wrmana32.exe.
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
2. Adds the value:
"Windows NetDDe" = "wrmana32.exe"
to the registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
so that the risk runs every time Windows starts.
3. Creates a service with the following properties:
Service name: shit
Display name: Windows NetDDe
4. Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHIT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\shit
5. Adds the values:
"*NewlyCreated*" = "0x00000000"
"ActiveService" = "shit"
to the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHIT\0000\Control
6. Adds the values:
"Service" = "shit"
"Legacy" = "0x00000001"
"ConfigFlags" = "0x00000000"
"Class" = "LegacyDriver"
"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc" = "Windows NetDDe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHIT\0000
7. Adds the value:
"NextInstance" = "0x00000001"
to the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHIT
8. Adds the values:
"0" = "Root\LEGACY_SHIT\0000"
"Count" = "0x00000001"
"NextInstance" = "0x00000001"
to the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\shit\Enum
9. Adds the values:
"Type" = "0x00000020"
"Start" = "00000004"
"ErrorControl" = "0x00000001"
"ImagePath" = "C:\WINNT\System32\wrmana32.exe" -netsvcs"
"DisplayName" = "Windows NetDDe"
"ObjectName" = "LocalSystem"
"FailureActions" = "FF FF FF FF 00 00 00 00 00 00 00 00 01 00 00 00 00 07 09 00 01 00 00 00 01 00 00 00"
"DeleteFlag" = "0x00000001"
to the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\shit
10. Adds the value:
"Security" = "01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 04 00 00 00 00 00 18 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 A5 4E 00 0C 00 00 1C 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 29 6B 99 DE 00 00 18 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 20 02 00 00 00 00 1C 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 29 6B 99 DE 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00"
to the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\shit\Security
11. Gathers email addresses from the Windows Address Book and from files with the following extensions:
* .adb
* .asp
* .cgi
* .dbx
* .htm
* .html
* .jsp
* .php
* .sht
* .tbb
* .xml
12. Generates additional addresses using names from the list below combined with domain names obtained from the Windows Address Book:
* adam
* alex
* andrew
* anna
* bill
* bob
* brenda
* brent
* brian
* claudia
* dan
* dave
* david
* debby
* frank
* fred
* george
* helen
* jack
* james
* jane
* jerry
* jim
* jimmy
* joe
* john
* jose
* josh
* julie
* kevin
* leo
* linda
* maria
* mary
* matt
* michael
* mike
* paul
* peter
* ray
* robert
* sales
* sam
* sandra
* serg
* smith
* stan
* steve
* ted
* tom
13. Avoids sending itself to email addresses that contain any of the following strings:
* .gov
* .mil
* abuse
* accoun
* acketst
* admin
* anyone
* arin.
* avp
* berkeley
* borlan
* bugs
* ca
* certific
* contact
* example
* feste
* fido
* foo.
* gold-certs
* google
* gov.
* help
* hotmail
* iana
* ibm.com
* icrosof
* icrosoft
* ietf
* info
* inpris
* isc.o
* isi.e
* kernel
* linux
* listserv
* math
* me
* mozilla
* msn.
* mydomai
* no
* nobody
* nodomai
* noone
* not
* nothing
* ntivi
* page
* panda
* pgp
* postmaster
* privacy
* rating
* rfc-ed
* ripe.
* root
* ruslis
* samples
* secur
* sendmail
* service
* site
* soft
* somebody
* someone
* sopho
* spam
* spm
* submit
* support
* syma
* tanford.e
* the.bat
* unix
* usenet
* utgers.ed
* webmaster
* you
* your
14. Prepends the following prefixes to domain names in an attempt to find Simple Mail Transfer Protocol (SMTP) servers:
* gate.
* mail.
* mail1.
* mx.
* mx1.
* mxs.
* ns.
* relay.
* smtp.
15. Uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:
From:
One of the following:
* accounts
* admin
* administrator
* info
* mail
* register
* service
* support
* webmaster
The worm may also spoof a From address from one of the addresses found on the compromised computer.
Subject:
One of the following:
* Notice of account limitation
* Email Account Suspension
* Security measures
* You are banned!!!
* We have suspended your account
* Members Support
* Important Notification
* Warning Message: Your services near to be closed.
* Your Account is Suspended For Security Reasons
* *DETECTED* Online User Violation
* *WARNING* Your email account is suspended
* Your Account is Suspended
Message:
One of the following:
* Dear [DOMAIN] Member,
We have temporarily [REMOVED] Support Team
=======================
* Dear [DOMAIN] Member,
Your e-mail acc [REMOVED] Team
=============================
* Some information about your [DOMAIN] account is attached.
The [DOMAIN] Support Team
=============================
Where [DOMAIN] is the domain part of the recipient's email address and [EMAIL] is the recipient's email address.
Attachment:
One of the following:
* account-details.zip
* account-info.zip
* account-report.zip
* document.zip
* email-details.zip
* important-details.zip
* information.zip
* readme.zip
The attached zip file contains the file:
[ZIP FILENAME].[1ST EXTENSION][MANY SPACES].[2ND EXTENSION]
Note:
* [ZIP FILENAME] is the name of the attached zip file
* [1ST EXTENSION] is one of the following:
1. doc
2. htm
3. tmp
4. txt
* [2ND EXTENSION] is one of the following:
1. bat
2. cmd
3. exe
4. pif
5. scr
16. Connects to the remote server mystery.m0rtus.info on TCP port 6667.
17. Listens for commands that allow the remote attacker to perform any of the following actions:
* Download/Execute files
* Obtain system information such as CPU type, OS version, available memory, etc.
* Remove, update, or terminate the worm.
* Perform a Denial of Service (DoS) attack.
* Start a proxy server
* Start an FTP server
* Port redirection
18. Spreads by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).
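The attachment naming trick in step 15 (a decoy extension, a long run of spaces, then the real executable extension) is easy to check at a mail gateway before the zip reaches a user. The following Python is an added example written for this writeup, not Symantec's code: it builds a constructed in-memory zip whose member uses that pattern and reports it; the name lists, helper names and the two-space threshold are this example's own assumptions.

```python
import io
import re
import zipfile

# Extensions the writeup lists for the decoy part and the executable part.
DECOY_EXTS = {"doc", "htm", "tmp", "txt"}
EXEC_EXTS = {"bat", "cmd", "exe", "pif", "scr"}

# <name>.<decoy ext><two or more spaces>.<executable ext>; the worm uses many
# spaces so that mail clients truncate the name before the real extension.
_PADDED = re.compile(r"^(.+?)\.([A-Za-z0-9]+)( {2,})\.([A-Za-z0-9]+)$")

def classify_member(member_name, zip_name):
    """Return None for a normal name, or a dict describing the trick."""
    m = _PADDED.match(member_name)
    if not m:
        return None
    base, decoy, pad, real = m.groups()
    if decoy.lower() not in DECOY_EXTS or real.lower() not in EXEC_EXTS:
        return None
    return {
        "member": member_name,
        "decoy_ext": decoy.lower(),
        "real_ext": real.lower(),
        "padding": len(pad),
        # The writeup says the inner file reuses the zip's own name.
        "reuses_zip_name": base == zip_name.rsplit(".", 1)[0],
    }

def scan_zip_attachment(zip_bytes, zip_name):
    """Scan an attachment held in memory and return all findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            hit = classify_member(info.filename, zip_name)
            if hit:
                findings.append(hit)
    return findings

def build_sample(member_name):
    """Constructed sample: an in-memory zip with one harmless text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "placeholder text, not the worm")
    return buf.getvalue()
```

`scan_zip_attachment(build_sample("document.txt" + " " * 40 + ".scr"), "document.zip")` returns one finding with `real_ext` of `scr` and 40 characters of padding; a plain `readme.txt` member returns none.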
REMOVAL INSTRUCTIONS
See: http://securityresponse.symantec.com/avcenter/venc/data/w32.mytob.im@mm.html
To delete the value from the registry
1. Click Start > Run.
2. Type regedit
3. Click OK.
4. Navigate to the subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
5. In the right pane, delete the value:
"Windows NetDDe" = "wrmana32.exe"
6. Navigate to and delete the following subkeys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHIT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\shit
7. Exit the Registry Editor.
To find and stop the service
1. Click Start > Run.
2. Type services.msc, and then click OK.
3. Locate and select the service that was detected.
4. Click Action > Properties.
5. Click Stop.
6. Change Startup Type to Manual.
7. Click OK and close the Services window.
8. Restart the computer.
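To confirm that the registry artifacts from steps 2 to 10 are gone after cleanup, or to triage an exported hive from a suspect host offline, the following Python (added here, not part of the Symantec writeup) parses a .reg export and reports the autorun value and the service keys named above. The sample export is constructed, and the function and constant names are this example's own.

```python
import re

# Indicators taken from the writeup: the autorun value name, the dropped file,
# the service key and its legacy device entry (all matched case-insensitively).
AUTORUN_VALUE = "windows netdde"
DROPPED_FILE = "wrmana32.exe"
AUTORUN_KEYS = ("\\run", "\\runonce", "\\runservices")
SERVICE_KEYS = ("\\services\\shit", "\\enum\\root\\legacy_shit")
_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"([^"]*)"=(.*)$')

def parse_reg_export(text):
    """Parse a .reg export into {key path: {value name: raw data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys

def find_mytob_artifacts(reg_text):
    """Return (key, value name or None, reason) for every indicator found."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        k = key.lower()
        if k.endswith(SERVICE_KEYS) or any(s + "\\" in k for s in SERVICE_KEYS):
            hits.append((key, None, "service/legacy key created by the worm"))
        if k.endswith(AUTORUN_KEYS):
            for name, data in values.items():
                if name.lower() == AUTORUN_VALUE or DROPPED_FILE in data.lower():
                    hits.append((key, name, "autorun entry for the dropped file"))
    return hits

# Constructed sample export (not data from a real host): one unrelated entry,
# the worm's Run value, and the worm's service key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Example\\updater.exe"
"Windows NetDDe"="wrmana32.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\shit]
"DisplayName"="Windows NetDDe"
"ImagePath"="\"C:\\WINNT\\System32\\wrmana32.exe\" -netsvcs"
'''
```

Exports written by regedit are UTF-16LE with a byte-order mark, so decode a real file with that encoding before passing its text to `find_mytob_artifacts`.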