AlphaOne Technology Support Forums
Topic: W32.Mytob.JS@mm (Read 897 times)

TJ (Tech Team, Hero Member, Posts: 136)
W32.Mytob.JS@mm
« on: September 26, 2005, 12:42:51 PM »

W32.Mytob.JS@mm is a mass-mailing worm that opens a back door and lowers security settings on the compromised computer.

When W32.Mytob.JS@mm is executed, it performs the following actions:

   1. Copies itself as %System%\servce.exe.

      Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

   2. Adds the value:

      "WINDOWS SYSTEM" = "servce.exe"

      to the registry subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

      so that it runs every time Windows starts.

   3. Modifies the value:

      "Start" = "4"

      in the registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess

      to disable the Shared Access service in Windows 2000/XP.

      Note: The worm will recreate these registry subkeys if they are deleted.

   4. Creates the mutex named "H-E-L-L-B-O-T-P-O-L-Y-M-O-R-P-H", so that only one instance of the worm is run on the compromised computer.

   5. Gathers email addresses from the Windows Address Book and from the following locations:

          * %Windir%\Temporary Internet Files
          * %Userprofile%\Local Settings\Temporary Internet Files
          * %System%

   6. Gathers email addresses from files with the following extensions on all local drives from C to Y:

          * .adb
          * .asp
          * .cgi
          * .dbx
          * .htm
          * .html
          * .jsp
          * .php
          * .sht
          * .tbb
          * .txt
          * .wab
          * .xml

            Avoids sending itself to email addresses that contain any of the following strings:

          * abuse
          * accoun
          * admin
          * administrator
          * anyone
          * bsd
          * bugs
          * certific
          * contact
          * spam
          * feste
          * gold-certs
          * google
          * help
          * icrosoft
          * info
          * linux
          * listserv
          * mail
          * nobody
          * noone
          * not
          * nothing
          * ntivi
          * page
          * postmaster
          * privacy
          * rating
          * register
          * root
          * samples
          * secur
          * service
          * site
          * soft
          * somebody
          * someone
          * spm
          * submit
          * support
          * the.bat
          * unix
          * webmaster
          * www
          * you
          * your

            Avoids sending itself to email addresses that contain any of the following strings in the domain name:

          * .gov
          * .mil
          * acketst
          * arin.
          * avp
          * berkeley
          * borlan
          * bsd
          * example
          * fido
          * foo.
          * fsf.
          * gnu
          * google
          * gov.
          * hotmail
          * iana
          * ibm.com
          * icrosof
          * ietf
          * inpris
          * isc.o
          * isi.e
          * kernel
          * linux
          * math
          * mit.e
          * mozilla
          * msn.
          * mydomai
          * nodomai
          * panda
          * pgp
          * rfc-ed
          * ripe.
          * ruslis
          * secur
          * sendmail
          * sopho
          * syma
          * tanford.e
          * unix
          * usenet
          * utgers.ed

   7. May append the following prefixes to domain names in an attempt to find Simple Mail Transfer Protocol (SMTP) servers:

          * mx.
          * mail.
          * smtp.
          * mx1.
          * mxs.
          * mail1.
          * relay.
          * ns.
          * gate.

   8. Uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:

      From:
      One of the following:

          * adam
          * alex
          * andrew
          * anna
          * bill
          * bob
          * brenda
          * brent
          * brian
          * claudia
          * dan
          * dave
          * david
          * debby
          * frank
          * fred
          * george
          * helen
          * jack
          * james
          * jane
          * jerry
          * jim
          * jimmy
          * joe
          * john
          * jose
          * josh
          * julie
          * kevin
          * leo
          * linda
          * maria
          * mary
          * matt
          * michael
          * mike
          * paul
          * peter
          * ray
          * robert
          * sales
          * sam
          * sandra
          * serg
          * smith
          * stan
          * steve
          * ted
          * tom

            The worm may also spoof a From address from one of the addresses found on the compromised computer.

            Subject:
            One of the following:

          * Your password has been updated
          * Your password has been successfully updated
          * You have successfully updated your password
          * Your new account password is approved
          * Your Account is Suspended
          * *DETECTED* Online User Violation
          * Your Account is Suspended For Security Reasons
          * Warning Message: Your services near to be closed.
          * Important Notification
          * Members Support
          * Security measures
          * Email Account Suspension
          * Notice of account limitation

            Message:
            One of the following:

          * Dear user [USER NAME],
            You have successfully updated the password of your [DOMAIN] account.
            If you did not authorize this change or if you need assistance with your account, please contact [DOMAIN] customer service at: [SPOOFED EMAIL]
            Thank you for using [DOMAIN]!
            The [DOMAIN] Support Team
            +++ Attachment: No Virus (Clean)
            +++ [DOMAIN] Antivirus - www.[FULL DOMAIN]
          * Dear user [USER NAME],
            It has come to our attention that your [DOMAIN] User Profile ( x ) records are out of date. For further details see the attached document.
            Thank you for using [DOMAIN]!
            The [DOMAIN] Support Team
            +++ Attachment: No Virus (Clean)
            +++ [DOMAIN] Antivirus - www.[FULL DOMAIN]
          * Dear [DOMAIN] Member,
            We have temporarily suspended your email account [EMAIL].
            This might be due to either of the following reasons:
            1. A recent change in your personal information (i.e. change of address).
            2. Submiting invalid information during the initial sign up process.
            3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
            See the details to reactivate your [DOMAIN] account.
            Sincerely,The [DOMAIN] Support Team
            +++ Attachment: No Virus (Clean)
            +++ [DOMAIN] Antivirus - www.[FULL DOMAIN]
          * Dear [DOMAIN] Member,
            Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.
            If you choose to ignore our request, you leave us no choice but to cancel your membership.
            Virtually yours,
            The [DOMAIN] Support Team
            +++ Attachment: No Virus found
            +++ [DOMAIN] Antivirus - www.[FULL DOMAIN]

            Note: Where [DOMAIN] is the domain part of the recipient's email address, [USER NAME] is the username part of the recipient's email address, [SPOOFED EMAIL] is a spoofed email address on the same domain, and [EMAIL] is the recipient's email address.

            Attachment:
            One of the following:

          * updated-password
          * email-password
          * new-password
          * password
          * approved-password
          * account-password
          * accepted-password
          * important-details
          * account-details
          * email-details
          * account-info
          * document
          * readme
          * account-report

            with one of the following extensions:

          * .bat
          * .cmd
          * .exe
          * .pif
          * .scr

            Note: The attachment may also be a .zip file containing a copy of the worm with two file extensions. The copy of the worm will have .doc, .htm, or .txt as the first extension, and .exe, .pif, or .scr as the second extension.

   9. Connects to an IRC channel on the server myh.0ffice.info on TCP port 6667. The worm listens for commands that allow the remote attacker to perform any of the following actions:

          * Execute files
          * Download files
          * Perform other IRC commands determined by the attacker
          * Reboot the compromised computer

  10. Blocks access to several security-related Web sites by appending the following text to the hosts file:

      127.0.0.1 www.symantec.com
      127.0.0.1 securityresponse.symantec.com
      127.0.0.1 symantec.com
      127.0.0.1 www.sophos.com
      127.0.0.1 sophos.com
      127.0.0.1 www.mcafee.com
      127.0.0.1 mcafee.com
      127.0.0.1 liveupdate.symantecliveupdate.com
      127.0.0.1 www.viruslist.com
      127.0.0.1 viruslist.com
      127.0.0.1 viruslist.com
      127.0.0.1 f-secure.com
      127.0.0.1 www.f-secure.com
      127.0.0.1 kaspersky.com
      127.0.0.1 kaspersky-labs.com
      127.0.0.1 www.avp.com
      127.0.0.1 www.kaspersky.com
      127.0.0.1 avp.com
      127.0.0.1 www.networkassociates.com
      127.0.0.1 networkassociates.com
      127.0.0.1 www.ca.com
      127.0.0.1 ca.com
      127.0.0.1 mast.mcafee.com
      127.0.0.1 my-etrust.com
      127.0.0.1 www.my-etrust.com
      127.0.0.1 download.mcafee.com
      127.0.0.1 dispatch.mcafee.com
      127.0.0.1 secure.nai.com
      127.0.0.1 nai.com
      127.0.0.1 www.nai.com
      127.0.0.1 update.symantec.com
      127.0.0.1 updates.symantec.com
      127.0.0.1 us.mcafee.com
      127.0.0.1 liveupdate.symantec.com
      127.0.0.1 customer.symantec.com
      127.0.0.1 rads.mcafee.com
      127.0.0.1 trendmicro.com
      127.0.0.1 pandasoftware.com
      127.0.0.1 www.pandasoftware.com
      127.0.0.1 www.trendmicro.com
      127.0.0.1 www.grisoft.com
      127.0.0.1 www.microsoft.com
      127.0.0.1 microsoft.com
      127.0.0.1 www.virustotal.com
      127.0.0.1 virustotal.com
      127.0.0.1 www.amazon.com
      127.0.0.1 www.amazon.co.uk
      127.0.0.1 www.amazon.ca
      127.0.0.1 www.amazon.fr
      127.0.0.1 www.paypal.com
      127.0.0.1 paypal.com
      127.0.0.1 moneybookers.com
      127.0.0.1 www.moneybookers.com
      127.0.0.1 www.ebay.com
      127.0.0.1 ebay.com

REMOVAL INSTRUCTIONS
See: http://securityresponse.symantec.com/avcenter/venc/data/w32.mytob.js@mm.html


To remove all the entries that the risk added to the hosts file

   1. Navigate to the following location:

          * Windows 95/98/Me:
            %Windir%
          * Windows NT/2000/XP:
            %Windir%\System32\drivers\etc

            Notes:
          * The location of the hosts file may vary and some computers may not have this file. There may also be multiple copies of this file in different locations. If the file is not located in these folders, search your disk drives for the hosts file, and then complete the following steps for each instance found.
          * %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).

   2. Double-click the hosts file.
   3. If necessary, deselect the "Always use this program to open this program" check box.
   4. Scroll through the list of programs and double-click Notepad.
   5. When the file opens, delete all the entries added by the risk. (See the Technical Details section for a complete list of entries.)
   6. Close Notepad and save your changes when prompted.

To delete the value from the registry
   1. Click Start > Run.
   2. Type regedit
   3. Click OK.
   4. Navigate to the subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

   5. In the right pane, delete the value:

      "WINDOWS SYSTEM" = "servce.exe"

   6. Exit the Registry Editor.
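A mail-gateway check for the lure described in step 8 of the post above, as an added example (it is not code from the forum post or from Symantec's write-up). It encodes the subject lines, attachment base names and attachment extensions the write-up lists, including the zipped double-extension variant, and scores sample messages against them; the message representation (a dict with "subject" and "attachments") and the sample messages are constructed for this example.

```python
"""Mail-gateway check for the W32.Mytob.JS@mm lure (step 8 above).

Added example; not code from the forum post or from Symantec's write-up.
The message format (a dict with "subject" and "attachments") and the
SAMPLES below are constructed for this example.
"""

# Subject lines the write-up lists, compared case-insensitively.
LURE_SUBJECTS = frozenset(s.lower() for s in [
    "Your password has been updated",
    "Your password has been successfully updated",
    "You have successfully updated your password",
    "Your new account password is approved",
    "Your Account is Suspended",
    "*DETECTED* Online User Violation",
    "Your Account is Suspended For Security Reasons",
    "Warning Message: Your services near to be closed.",
    "Important Notification",
    "Members Support",
    "Security measures",
    "Email Account Suspension",
    "Notice of account limitation",
])

# Attachment base names the write-up lists.
LURE_BASENAMES = frozenset([
    "updated-password", "email-password", "new-password", "password",
    "approved-password", "account-password", "accepted-password",
    "important-details", "account-details", "email-details",
    "account-info", "document", "readme", "account-report",
])

# Extensions used when the worm is attached directly.
EXEC_EXTS = frozenset([".bat", ".cmd", ".exe", ".pif", ".scr"])
# Zipped variant: a decoy first extension and an executable second one.
DECOY_EXTS = frozenset([".doc", ".htm", ".txt"])
ZIPPED_EXEC_EXTS = frozenset([".exe", ".pif", ".scr"])


def split_filename(name):
    """'account-info.txt.exe' -> ('account-info', ['.txt', '.exe'])."""
    parts = name.lower().split(".")
    return parts[0], ["." + p for p in parts[1:]]


def attachment_reasons(name, zip_members=()):
    """Return the reasons an attachment looks like the worm's payload."""
    reasons = []
    base, exts = split_filename(name)
    if exts and exts[-1] in EXEC_EXTS and base in LURE_BASENAMES:
        reasons.append(f"{name}: listed attachment name with executable extension")
    if exts and exts[-1] == ".zip":
        for member in zip_members:
            _, mexts = split_filename(member)
            if (len(mexts) >= 2 and mexts[-2] in DECOY_EXTS
                    and mexts[-1] in ZIPPED_EXEC_EXTS):
                reasons.append(f"{name}: zip member {member} has a double extension")
    return reasons


def classify_message(msg):
    """Return (is_lure, reasons).

    A message is flagged only when both the subject and an attachment match,
    which keeps benign mail with a coincidental subject (a genuine
    password-change notice, say) out of the quarantine.
    """
    reasons = []
    subject = msg.get("subject", "").strip().lower()
    if subject in LURE_SUBJECTS:
        reasons.append(f"subject matches lure: {msg['subject']!r}")
    att_reasons = []
    for att in msg.get("attachments", []):
        att_reasons.extend(attachment_reasons(att["name"], att.get("members", ())))
    reasons.extend(att_reasons)
    return subject in LURE_SUBJECTS and bool(att_reasons), reasons


# Constructed sample messages, not captured traffic.
SAMPLES = [
    {"subject": "Your Account is Suspended For Security Reasons",
     "attachments": [{"name": "account-details.pif"}]},
    {"subject": "Important Notification",
     "attachments": [{"name": "document.zip", "members": ["document.txt.scr"]}]},
    {"subject": "Your password has been updated",
     "attachments": [{"name": "receipt.pdf"}]},
    {"subject": "Lunch on Friday?", "attachments": []},
]

if __name__ == "__main__":
    for m in SAMPLES:
        flagged, why = classify_message(m)
        print("LURE " if flagged else "clean", m["subject"], why)
```

The third sample shows the design choice: a subject from the list with a harmless attachment is reported but not flagged, since the subject lines are ordinary account-notice wording and would otherwise produce false positives.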
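The hosts-file cleanup from the removal instructions, done programmatically rather than in Notepad, as an added example (not code from the forum post or from Symantec's write-up). It encodes the hostnames listed in step 10 and removes only lines that map 127.0.0.1 to those names, so the loopback entry and any legitimate entries survive. It works on hosts-file text in memory so it runs anywhere; the sample hosts content is constructed, and on an infected machine the text would be read from the file location the removal instructions give.

```python
r"""Remove the hosts-file entries W32.Mytob.JS@mm appends (step 10 above).

Added example; not code from the forum post or from Symantec's write-up.
SAMPLE_HOSTS is constructed. On a real machine the text would come from
%Windir%\hosts (Windows 95/98/Me) or %Windir%\System32\drivers\etc\hosts
(Windows NT/2000/XP), as the removal instructions say.
"""

# Hostnames the worm maps to 127.0.0.1 (the duplicate in the write-up collapses).
BLOCKED_HOSTS = frozenset("""
www.symantec.com securityresponse.symantec.com symantec.com
www.sophos.com sophos.com www.mcafee.com mcafee.com
liveupdate.symantecliveupdate.com www.viruslist.com viruslist.com
f-secure.com www.f-secure.com kaspersky.com kaspersky-labs.com
www.avp.com www.kaspersky.com avp.com
www.networkassociates.com networkassociates.com www.ca.com ca.com
mast.mcafee.com my-etrust.com www.my-etrust.com download.mcafee.com
dispatch.mcafee.com secure.nai.com nai.com www.nai.com
update.symantec.com updates.symantec.com us.mcafee.com
liveupdate.symantec.com customer.symantec.com rads.mcafee.com
trendmicro.com pandasoftware.com www.pandasoftware.com www.trendmicro.com
www.grisoft.com www.microsoft.com microsoft.com
www.virustotal.com virustotal.com
www.amazon.com www.amazon.co.uk www.amazon.ca www.amazon.fr
www.paypal.com paypal.com moneybookers.com www.moneybookers.com
www.ebay.com ebay.com
""".split())


def parse_hosts_line(line):
    """Return (ip, [hostnames]) for an active entry, None for blank/comment lines."""
    content = line.split("#", 1)[0].strip()
    if not content:
        return None
    ip, *names = content.split()
    return ip, names


def is_worm_entry(line):
    """True only if the line maps 127.0.0.1 to nothing but the worm's hostnames.

    Mixed lines (e.g. a user entry that also names localhost) are left alone
    rather than guessed at, so the cleanup never breaks name resolution.
    """
    parsed = parse_hosts_line(line)
    if parsed is None:
        return False
    ip, names = parsed
    return ip == "127.0.0.1" and bool(names) and all(
        n.lower() in BLOCKED_HOSTS for n in names)


def clean_hosts(text):
    """Return (cleaned_text, removed_lines); safe to run repeatedly."""
    kept, removed = [], []
    for line in text.splitlines():
        (removed if is_worm_entry(line) else kept).append(line)
    cleaned = "\n".join(kept)
    if text.endswith("\n"):
        cleaned += "\n"
    return cleaned, removed


# Constructed sample, not a real file: the stock header and loopback entry,
# one local entry, then the kind of lines the worm appends.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        intranet.example   # constructed local entry
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 www.paypal.com
"""

if __name__ == "__main__":
    cleaned, removed = clean_hosts(SAMPLE_HOSTS)
    print(f"removed {len(removed)} worm entries")
    print(cleaned)
```

Because the worm keeps the file blocked until its process is stopped and the Run/RunServices values are gone, run this after the registry cleanup; rerunning it on an already-clean file removes nothing.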