W32.Mytob.JN@mm is a mass-mailing worm that opens a back door and lowers security settings on the compromised computer.
When W32.Mytob.JN@mm is executed, it performs the following actions:
1. Creates a copy of itself as %System%\winsys.exe.
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
2. Adds the value:
"Windows System" = "winsys.exe"
to the registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
so that the worm restarts after a reboot. However, this persistence attempt fails, and the worm is not restarted.
3. Modifies the value:
"Start" = "4"
in the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
to disable the Shared Access service in Windows 2000/XP.
4. Gathers email addresses from the Windows Address Book and from files with the following extensions:
* .txt
* .htm
* .sht
* .jsp
* .cgi
* .xml
* .php
* .asp
* .dbx
* .tbb
* .adb
* .html
* .wab
5. Avoids sending itself to email addresses that contain any of the following strings:
* abuse
* accoun
* acketst
* admin
* anyone
* arin.
* be_loyal:
* berkeley
* borlan
* certific
* contact
* example
* feste
* gold-certs
* google
* hotmail
* ibm.com
* icrosof
* icrosoft
* inpris
* isc.o
* isi.e
* kernel
* linux
* listserv
* mit.e
* mozilla
* mydomai
* nobody
* nodomai
* noone
* nothing
* ntivi
* panda
* postmaster
* privacy
* rating
* rfc-ed
* ripe.
* ruslis
* samples
* secur
* sendmail
* service
* somebody
* someone
* sopho
* submit
* support
* tanford.e
* usenet
* utgers.ed
* webmaster
6. May check for valid SMTP servers by prepending one of the following strings to the gathered addresses:
* mx
* mail
* smtp
* mx1
* mxs
* mail1
* relay
* ns
* gate
7. Uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:
From: admin@[RECIPIENT DOMAIN]
Subject: Account Alert
Message:
Dear Valued Member,
According to our terms of service, you will have to confirm your e-mail by the following link or your account will be suspended within 24 hours for security reasons.
http://www.[RECIPIENT EMAIL ADDRESS]/confirm.php?email=[RECIPIENT DOMAIN]
After following the instructions in the sheet, your account will not be interrupted and will continue as normal.
Thanks for your attention to this request. We apologize for any inconvenience.
Sincerey,[DOMAIN NAME] Security Department
Note: The actual link is to [http://]70.128.253.219:90/[REMOVED]/Confirm_Sheet.pif, which is not available at the time of writing. The [DOMAIN NAME] is the top level domain removed and first letter capitalised.
8. Connects to 31337.oharra.biz on TCP port 4891 and listens for commands that allow the remote attacker to perform any of the following actions:
* Execute files
* Download files
* Perform other IRC commands determined by the attacker
9. Blocks access to several security-related Web sites, as well as some e-commerce and payment sites, by appending the following text to the hosts file:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com
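As an added defender-side example (not code from the original writeup), the following Python parses a hosts file, reports every entry that pins one of the vendor or payment domains listed above to loopback, and returns a cleaned copy. The sample hosts content is constructed for the demonstration.

```python
# Constructed sample: a Windows hosts file after the worm has appended
# entries. The first mapping is the legitimate localhost line and must
# survive the cleanup.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com   # appended by worm
127.0.0.1 www.paypal.com
"""

# Base domains the worm maps to loopback (taken from the list above);
# any subdomain of these is treated as hijacked as well.
BLOCKED_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "kaspersky-labs.com",
    "avp.com", "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com", "pandasoftware.com", "grisoft.com", "microsoft.com",
    "virustotal.com", "amazon.com", "amazon.co.uk", "amazon.ca", "amazon.fr",
    "paypal.com", "moneybookers.com", "ebay.com",
)
LOOPBACK = {"127.0.0.1", "::1"}


def parse_hosts(text):
    """Return [(line_no, ip, [hostnames])] for each mapping line.
    Blank lines and '#' comments (whole-line or trailing) are ignored."""
    mappings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            mappings.append((no, fields[0], [h.lower() for h in fields[1:]]))
    return mappings


def _is_blocked(host):
    # Exact match or a proper subdomain; "mecca.com" must not match "ca.com".
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def find_hijacked(text):
    """Return (line_no, hostname) pairs where a listed domain is pinned to loopback."""
    hits = []
    for no, ip, hosts in parse_hosts(text):
        if ip in LOOPBACK:
            hits.extend((no, h) for h in hosts if _is_blocked(h))
    return hits


def clean_hosts(text):
    """Return the hosts text with every line containing a hijacked mapping removed."""
    bad = {no for no, _ in find_hijacked(text)}
    kept = [l for no, l in enumerate(text.splitlines(), start=1) if no not in bad]
    return "\n".join(kept) + "\n"
```

On a live system, read %System%\drivers\etc\hosts into `find_hijacked` before deleting anything, and review any hit that sits on the same line as a legitimate name, since `clean_hosts` drops the whole line.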
REMOVAL INSTRUCTIONS
See: http://securityresponse.symantec.com/avcenter/venc/data/w32.mytob.jn@mm.html
4. To delete the value from the registry
1. Click Start > Run.
2. Type regedit
3. Click OK.
4. Navigate to the subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
5. In the right pane, delete the value:
"Windows System" = "winsys.exe"
6. Exit the Registry Editor.
5. To re-enable the SharedAccess service (Windows 2000/XP only)
The SharedAccess service is responsible for maintaining Internet Connection Sharing and the Windows Firewall/Internet Connection Firewall applications in Windows. (The presence and names of these applications vary depending on the operating system and service pack you are using.) To protect your computer and maintain network functionality, re-enable this service if you are using any of these programs.
Windows XP Service Pack 2
If you are running Windows XP with Service Pack 2 and are using the Windows Firewall, the operating system will alert you when the SharedAccess service is stopped, by displaying an alert balloon saying that your Firewall status is unknown. Perform the following steps to ensure that the Windows Firewall is re-enabled:
1. Click Start > Control Panel.
2. Double-click the Security Center.
3. Ensure that the Firewall security essential is marked ON.
Note: If the Firewall security essential is marked on, your Windows Firewall is on and you do not need to continue with these steps.
If the Firewall security essential is not marked on, click the "Recommendations" button.
4. Under "Recommendations," click Enable Now. A window appears telling you that the Windows Firewall was successfully turned on.
5. Click Close, and then click OK.
6. Close the Security Center.
Windows 2000 or Windows XP Service Pack 1 or earlier
Complete the following steps to re-enable the SharedAccess service:
1. Click Start > Run.
2. Type services.msc, and then click OK.
3. Do one of the following:
* Windows 2000: Under the Name column, locate the "Internet Connection Sharing (ICS)" service and double-click it.
* Windows XP: Under the Name column, locate the "Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)" service and double-click it.
4. Under "Startup Type:", select "Automatic" from the drop-down menu.
5. Under "Service Status:", click the Start button.
6. Once the service has completed starting, click OK.
7. Close the Services window.