W32/Mytob - Jan. 15, 2007



Casey
01-18-2006, 12:48 AM
I never get these things but have received 20 of them in the past 24 hours.

WORM_MYTOB.DO

File type: PE
Memory resident: Yes
Size of malware: 67,584 Bytes
Ports used: Random TCP
Initial samples received on: May 4, 2005
Related to: WORM_MYTOB.J

--------------------------------------------------------------------------------

Details:

Installation and Autostart Technique

This worm drops a copy of itself in the Windows system folder as TASKGMR32.EXE and WINNET32.EXE. It also drops the file XMSNN.EXE in the root folder. Trend Micro detects this file as WORM_MYTOB.J.

It creates the following registry entries to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK32 = "taskgmr32.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
WINTASK32 = "taskgmr32.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK32 = "taskgmr32.exe"

It also creates the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\OLE
WINTASK32 = "taskgmr32.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
WINTASK32 = "taskgmr32.exe"

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK32 = "taskgmr32.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK32 = "taskgmr32.exe"

Propagation via Email

This worm propagates by sending a copy of itself as an attachment to email messages, which it sends to target email addresses, using its own Simple Mail Transfer Protocol (SMTP) engine.

The email that it sends out has the following details:

Subject: (any of the following)
• Error
• Good day
• hello
• Mail Delivery System
• Mail Transaction Failed
• Server Report
• Status
• {random characters}
Message body: (any of the following)
• Here are your banks documents.
• Mail transaction failed. Partial message is available.
• The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
• The message contains Unicode characters and has been sent as a binary attachment.
• The original message was included as an attachment.
Attachment: (any of the following file names)
• body
• data
• doc
• document
• file
• message
• {random file name}
• readme
• test
• text
with any of the following extensions:
• BAT
• CMD
• EXE
• PIF
• SCR
• ZIP


It gathers email addresses from the Temporary Internet Files folder, as well as from the Windows address book (WAB). It also collects email addresses from files with the following extension names:

ADB
ASP
DBX
HTM
PHP
SHT
TBB
WAB
It avoids sending email messages to addresses that contain any of the following:

accoun
admin
anyone
bugs
certific
contact
feste
gold-certs
help
icrosoft
info
listserv
nobody
noone
not
nothing
ntivi
page
postmaster
privacy
rating
root
samples
service
site
soft
somebody
someone
submit
support
the.bat
webmaster
you
Your
It avoids email addresses with domain names containing the following:

.edu
.gov
.mil
acketst
arin.
avp
be_loyal:
berkeley
borlan
bsd
example
fido
foo.
fsf.
gnu
google
gov.
iana
ibm.com
icrosof
ietf
inpris
isc.o
isi.e
kernel
linux
math
mit.e
mozilla
mydomai
nodomai
panda
pgp
rfc-ed
ripe.
ruslis
secur
sendmail
sopho
syma
tanford.e
unix
usenet
utgers.ed
Network Propagation

This worm also propagates through network shares. It searches for available network shares and drops a copy of itself on these shares. It uses the following user names and passwords on shares with restricted access:

00000
000000
00000000
0wn3d
0wned
111111
11111111
121212
123123
123321
12345
123456
1234567
12345678
123456789
12346
123467
1234678
12346789
123467890
1234qwer
123abc
123asd
123qwe
54321
654321
abc123
access
ACCESS
account
accounting
accounts
Admin
ADMIN
admin123
Administrador
Administrateur
Administrator
ADMINISTRATOR
administrator
backup
barbara
blank
bruce
capitol
changeme
Cisco
CISCO
cisco
compaq
control
database
databasepass
databasepassword
db1234
dbpass
dbpassword
default
domain
domainpass
domainpassword
exchange
exchnge
frank
freddy
Guest
GUEST
guest
headoffice
heaven
homeuser
internet
intranet
katie
login
loginpass
nokia
oeminstall
oemuser
office
orange
outlook
pass123
pass1234
passphra
passwd
Password
PASSWORD
password
password1
password123
qwerty
server
siemens
spencer
sqlpass
staff
student
student1
susan
system
teacher
technical
turnip
Unknown
unknown
user1
usermane
username
userpassword
win2000
win2k
win98
windose
windows
windows2k
windows95
windows98
windowsME
WindowsXP
windowz
windoze
windoze2k
windoze95
windoze98
windozeME
windozexp
winnt
winpass
winston
winxp
wired
xxxxx
xxxxxx
xxxxxxx
xxxxxxxx
xxxxxxxxx
yellow
Backdoor Capabilities

This worm has backdoor capabilities. It connects to the Internet Relay Chat (IRC) server av4.sytes.net. Once connected, it joins a specific channel, where it listens for commands coming from a remote malicious user. It executes the following commands on the infected machine:

Download files
Execute files
Obtain its version
Remove itself
Terminate itself
Update itself
It also sets up a File Transfer Protocol (FTP) server by opening a random port.

HOSTS File Modification

This worm adds the following antivirus-related Web sites to the HOSTS file in an attempt to redirect the connection to the local machine:

avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
f-secure.com
kaspersky.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
viruslist.com
www.avp.com
www.ca.com
www.f-secure.com
www.kaspersky.com
www.mcafee.com
www.microsoft.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com
Other Details

This worm is compiled in Microsoft Visual C++, a high-level programming language. It arrives compressed using various compression utilities.

Analysis By: Roy Dexter Dollentas Jimenez


http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYTOB.DO&VSect=T#password
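A small offline check for the host-based indicators in the write-up pasted above, added here as an example; it is not Trend Micro's code and not something posted in this thread. It assumes you have the HOSTS file and a .reg export of the relevant keys as plain text (on a live box you would feed it the real files); the sample inputs embedded in it are constructed, and the function names are my own.

```python
"""Offline triage for the WORM_MYTOB.DO artifacts listed above.

Added example, not Trend Micro's code and not from this thread. It checks two
host-based indicators the write-up describes:
  1. HOSTS entries pinning antivirus vendor hosts to the local machine.
  2. Registry values named WINTASK32, or data naming taskgmr32.exe /
     winnet32.exe / xmsnn.exe, in any key of a .reg export.
Inputs are plain text so it runs offline; the SAMPLE_* strings at the bottom
are constructed for illustration, not real captures.
"""
import re

# Vendor domains from the HOSTS list in the write-up (microsoft.com covers the
# www.microsoft.com entry). Subdomains such as liveupdate.symantec.com match too.
AV_DOMAINS = {
    "avp.com", "ca.com", "f-secure.com", "kaspersky.com", "mcafee.com",
    "microsoft.com", "my-etrust.com", "nai.com", "networkassociates.com",
    "sophos.com", "symantec.com", "trendmicro.com", "viruslist.com",
}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Dropped file names and autostart value name from the write-up.
DROPPED_FILES = {"taskgmr32.exe", "winnet32.exe", "xmsnn.exe"}
VALUE_NAME = "WINTASK32"


def vendor_domain(host):
    """Return the AV_DOMAINS entry that `host` belongs to, or None."""
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in AV_DOMAINS:
            return candidate
    return None


def suspicious_hosts_entries(hosts_text):
    """(ip, hostname) pairs where a vendor host is mapped to loopback."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2 or fields[0] not in LOOPBACK:
            continue
        for name in fields[1:]:
            if vendor_domain(name):
                hits.append((fields[0], name.lower()))
    return hits


_KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"="string"  or  "Name"=dword:00000001 / hex:...
_VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|(.+))$')


def suspicious_registry_values(reg_text):
    """(key, value_name, data) triples matching the worm's persistence."""
    hits = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        value = _VALUE_RE.match(line)
        if not value or current_key is None:
            continue
        name = value.group(1)
        data = value.group(2) if value.group(2) is not None else value.group(3)
        if name.upper() == VALUE_NAME or any(f in data.lower() for f in DROPPED_FILES):
            hits.append((current_key, name, data))
    return hits


# Constructed sample inputs (not real captures).
SAMPLE_HOSTS = r'''
# constructed HOSTS file
127.0.0.1       localhost
127.0.0.1       liveupdate.symantec.com
127.0.0.1       www.trendmicro.com
127.0.0.1       download.mcafee.com   # worm-style entry
10.0.0.5        intranet.example
'''

SAMPLE_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"WINTASK32"="taskgmr32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"WINTASK32"="taskgmr32.exe"
'''

if __name__ == "__main__":
    for ip, host in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"HOSTS redirect: {host} -> {ip}")
    for key, name, data in suspicious_registry_values(SAMPLE_REG):
        print(f"Registry: [{key}] {name} = {data}")
```

The registry check deliberately matches on the value name and on the dropped file names in any key rather than only the Run keys, because the write-up shows the same WINTASK32 value also planted under OLE and Control\Lsa, which a Run-key-only sweep would miss.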

Casey
01-18-2006, 12:49 AM
W32/Mytob-GO
Name W32/Mytob-GO
Type Worm

How it spreads Email attachments

Affected operating systems Windows

Side effects Allows others to access the computer
Sends itself to email addresses found on the infected computer
Forges the sender's email address
Uses its own emailing engine
Installs itself in the Registry
Exploits system or software vulnerabilities
Used in DOS attacks


Protection available since 16 January 2006 03:50:28 (GMT)
http://www.sophos.com/virusinfo/analyses/w32mytobgo.html

NYer
01-18-2006, 01:13 PM
http://www.strangecosmos.com/images/content/12366.jpg