W32/Mytob.gen@MM

Type: Virus
SubType: Email Generic
Discovery Date: 03/02/2005
Length: Varies
Minimum DAT: 4438 (03/02/2005)
Updated DAT: 5249 (03/11/2008)
Minimum Engine: 5.1.00
Description Added: 03/02/2005
Description Modified: 05/18/2005 12:08 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

-- Update May 18, 2005 --
This is a generic detection for over 100 variants of Mytob. As the virus authors modify their source code and release new variants, some of them will be detected; however, some variants are likely to be missed. As such, the generic detection routines are likely to be modified regularly to provide more detection for these threats.

-- Update April 13, 2005 --
The Mytob author(s) have been very busy recently, releasing multiple variants a day. There are now some 96 different "versions" known to exist. Many of these are simply repackaged versions of the same binary, and most variants function in a similar fashion. The mailing routine remains much the same, while the bot functionality is evolving in line with the Sdbot worm family. Newer variants include the FURootkit, contain an Instant Messenger worm component (detected as W32/Mytob.worm!im), and spread via the LSASS and DCOM RPC vulnerabilities.

-- Update March 24, 2005 --
AVERT has received 3 new variants within an hour of this threat. The variants use multiple forms of compression/encryption, and detection will be added to the 4455 DAT files. The initially seeded files can be identified as follows; HOWEVER, replicated samples cannot be identified by file hash or size, as the virus appends garbage to the end of the executable.

  • 55,808 bytes (MD5: 3bd3dbd1bfe64ceaba2422f70ed6a69d)
  • 54,272 bytes (MD5: a23865437b5ea46c123b880b9726a249)
  • 58,808 bytes (MD5: 8817839e27e829f38c6f2041a7b92e40)

These new variants create a file named hellmsn.exe on the root of the C:\ drive (detected as W32/Generic.e with released DAT files).
--

This detection covers multiple variants of a mass-mailing worm that combines W32/Mydoom@MM functionality with W32/Sdbot.worm functionality. The following description serves as an example of some of the variants:

The virus arrives in an email message as follows:

From: (Spoofed email sender)
Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

Subject: (Varies, such as)

  • Error
  • Status
  • Server Report
  • Mail Transaction Failed
  • Mail Delivery System
  • hello
  • hi

Body: (Varies, such as)

  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • Mail transaction failed. Partial message is available.

Attachment: (varies [.bat, .exe, .pif, .cmd, .scr]; often arrives in a ZIP archive)

Examples (common names, but can be random):
  • doc.bat
  • document.zip
  • message.zip
  • readme.zip
  • text.pif
  • hello.cmd
  • body.scr
  • test.htm.pif
  • data.txt.exe
  • file.scr

In the case of two file extensions, multiple spaces may be inserted as well, for example:

  • document.htm (many spaces) .pif
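The attachment patterns above (an executable extension from the listed set, a double extension, and a run of spaces inserted before the final extension, optionally wrapped in a ZIP) are easy to turn into a mail-gateway check. The following Python is an added example written for this page, not code from McAfee or from the worm; the filenames and the in-memory ZIP it inspects are constructed here for illustration, and the function names are this example's own.

```python
import io
import re
import zipfile
from typing import List

# Executable extensions the description lists for the worm's attachment.
EXEC_EXTS = {"bat", "exe", "pif", "cmd", "scr"}
# A run of spaces immediately before the final extension ("document.htm      .pif").
PADDED_EXT_RE = re.compile(r" +\.[a-z0-9]{1,4}$")


def classify_name(name: str) -> List[str]:
    """Return the reasons a bare filename matches the lure patterns in the description."""
    reasons: List[str] = []
    lowered = name.lower()
    if PADDED_EXT_RE.search(lowered):
        reasons.append("spaces inserted before the final extension")
    collapsed = lowered.replace(" ", "")  # "document.htm      .pif" -> "document.htm.pif"
    parts = collapsed.split(".")
    if len(parts) >= 2 and parts[-1] in EXEC_EXTS:
        reasons.append(f"executable extension .{parts[-1]}")
        if len(parts) >= 3 and parts[-2]:
            reasons.append(f"double extension .{parts[-2]}.{parts[-1]}")
    return reasons


def classify_attachment(name: str, data: bytes) -> List[str]:
    """Classify one attachment; ZIP archives are opened in memory and each member name checked."""
    reasons = classify_name(name)
    if name.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    for reason in classify_name(member):
                        reasons.append(f"zip member {member!r}: {reason}")
        except zipfile.BadZipFile:
            reasons.append("zip attachment that does not parse")
    return reasons


def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP whose single member uses the space-padded double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder bytes only; this is not an executable of any kind.
        zf.writestr("document.htm          .pif", b"constructed placeholder content")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachment names, mixing lures from the description with a benign file.
    for fname in ("doc.bat", "test.htm.pif", "document.htm          .pif", "report.pdf"):
        print(f"{fname!r}: {classify_name(fname) or 'no match'}")
    print("message.zip:", classify_attachment("message.zip", build_sample_zip()))
```

Collapsing spaces before splitting on "." is what catches the padded form; a rule that only looks at the last extension of the raw name would still see ".pif", but one that checks the member names inside the ZIP is needed for the archived variants.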

When the attachment is run, the virus copies itself to the WINDOWS SYSTEM directory (typically c:\windows\system32) as wfdmgr.exe. Registry keys are created to load this file at startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "LSA" = wfdmgr.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "LSA" = wfdmgr.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "LSA" = wfdmgr.exe

Additional keys/values are created, which are typically associated with W32/Sdbot.worm:

  • HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa "LSA" = wfdmgr.exe
  • HKEY_CURRENT_USER\Software\Microsoft\OLE "LSA" = wfdmgr.exe
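The five key/value pairs above are the persistence indicators a responder checks first on a suspect host. The Python below is an added triage example written for this page (not McAfee's tooling): it parses text in the layout that `reg query <key> /s` prints (one key path on its own line, then indented `name  type  data` rows) and reports any row matching the description. The registry export it reads is constructed here, and the function names are this example's own.

```python
import re
from typing import Dict, List

# Key paths the description lists, compared case-insensitively.
MYTOB_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE",
}
MYTOB_VALUE_NAME = "lsa"
MYTOB_FILE = "wfdmgr.exe"

# Constructed export (not from a real machine): benign autoruns mixed with three worm entries.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background
    LSA    REG_SZ    wfdmgr.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    LSA    REG_SZ    wfdmgr.exe

HKEY_CURRENT_USER\Software\Microsoft\OLE
    LSA    REG_SZ    wfdmgr.exe
"""


def parse_reg_query(text: str) -> List[Dict[str, str]]:
    """Turn reg-query-style text into {key, name, type, data} records."""
    records: List[Dict[str, str]] = []
    current_key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():          # unindented line: a key path
            current_key = raw.strip()
            continue
        parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)  # data may itself contain spaces
        if len(parts) == 3 and current_key:
            name, vtype, data = parts
            records.append({"key": current_key, "name": name, "type": vtype, "data": data})
    return records


def find_mytob_persistence(text: str) -> List[Dict[str, str]]:
    """Report rows that match the description's key/value/data triples, plus near misses."""
    findings: List[Dict[str, str]] = []
    keys_lower = {k.lower() for k in MYTOB_KEYS}
    for rec in parse_reg_query(text):
        # Basename of the data, so "C:\WINDOWS\system32\wfdmgr.exe" also matches.
        data_base = rec["data"].strip('"').rsplit("\\", 1)[-1].lower()
        in_listed_key = rec["key"].lower() in keys_lower
        is_lsa_name = rec["name"].lower() == MYTOB_VALUE_NAME
        if in_listed_key and is_lsa_name and data_base == MYTOB_FILE:
            findings.append({**rec, "reason": "exact match with the description"})
        elif data_base == MYTOB_FILE:
            findings.append({**rec, "reason": "wfdmgr.exe referenced from an unlisted key"})
        elif in_listed_key and is_lsa_name:
            findings.append({**rec, "reason": "LSA autorun value with unexpected data"})
    return findings


if __name__ == "__main__":
    for f in find_mytob_persistence(SAMPLE_REG_QUERY):
        print(f"{f['key']} : {f['name']} = {f['data']}  [{f['reason']}]")
```

The two near-miss branches exist because a repackaged variant may keep the value name but drop into a different file name, or keep the file name under a different key; surfacing both is cheaper than missing either.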

Symptoms

The Sdbot functionality in the worm is designed to contact the IRC server irc.blackcarder.net, join a specified channel, and wait for further instructions. This bot can accept commands to download and execute other programs. The bot also contains code to spread via the LSASS exploit (MS04-011) [ http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx ].

Method of Infection

The mailing component harvests addresses from the local system. Files with the following extensions are targeted:

  • wab
  • adb
  • tbb
  • dbx
  • asp
  • php
  • sht
  • htm
  • txt
  • pl

The worm avoids certain addresses, namely those containing the following strings:

  • .gov
  • .mil
  • abuse
  • acketst
  • arin.
  • avp
  • berkeley
  • borlan
  • bsd
  • example
  • fido
  • foo.
  • fsf.
  • gnu
  • google
  • gov.
  • hotmail
  • iana
  • ibm.com
  • icrosof
  • ietf
  • inpris
  • isc.o
  • isi.e
  • kernel
  • linux
  • math
  • mit.e
  • mozilla
  • msn.
  • mydomai
  • nodomai
  • panda
  • pgp
  • rfc-ed
  • ripe.
  • ruslis
  • secur
  • sendmail
  • sopho
  • syma
  • tanford.e
  • unix
  • usenet
  • utgers.ed

Additionally, the worm contains strings, which it uses to randomly generate, or guess, email addresses. These are prepended as user names to harvested domain names:

  • sandra
  • linda
  • julie
  • jimmy
  • jerry
  • helen
  • debby
  • claudia
  • brenda
  • anna
  • alice
  • brent
  • adam
  • ted
  • fred
  • jack
  • bill
  • stan
  • smith
  • steve
  • matt
  • dave
  • dan
  • joe
  • jane
  • bob
  • robert
  • peter
  • tom
  • ray
  • mary
  • serg
  • brian
  • jim
  • maria
  • leo
  • jose
  • andrew
  • sam
  • george
  • david
  • kevin
  • mike
  • james
  • michael
  • john
  • alex

Finally, the virus sends itself via SMTP, constructing messages using its own SMTP engine. The worm guesses the recipient's mail server by prepending the following strings to the target domain name:

  • mx.
  • mail.
  • smtp.
  • mx1.
  • mxs.
  • mail1.
  • relay.
  • ns.
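Because the worm carries its own SMTP engine, an infected workstation resolves and connects to mail servers directly instead of handing mail to the organisation's relay, and the guessing step above leaves a distinctive trail in resolver logs: one client looking up mx./mail./smtp./... names for many unrelated domains in quick succession. The Python below is an added detection example written for this page (not McAfee's code); the log format, the client addresses, the relay allow-list and the threshold are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set, Tuple

# Host-name prefixes the description says the worm prepends to a harvested domain.
MAIL_SERVER_PREFIXES = ("mx.", "mail.", "smtp.", "mx1.", "mxs.", "mail1.", "relay.", "ns.")

# Constructed resolver log (not from a real network). 10.1.1.5 plays the legitimate mail relay.
SAMPLE_DNS_LOG = """\
2005-03-24T10:01:02 client=10.1.4.23 qname=mx.example.net qtype=A
2005-03-24T10:01:02 client=10.1.4.23 qname=mail.example.net qtype=A
2005-03-24T10:01:03 client=10.1.4.23 qname=smtp.example.org qtype=A
2005-03-24T10:01:03 client=10.1.4.23 qname=mx1.example.com qtype=A
2005-03-24T10:01:04 client=10.1.4.23 qname=relay.example.test qtype=A
2005-03-24T10:01:05 client=10.1.1.5 qname=mail.example.net qtype=A
2005-03-24T10:01:06 client=10.1.4.40 qname=www.example.com qtype=A
2005-03-24T10:01:07 client=10.1.1.5 qname=mx.example.org qtype=A
"""

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)")


def split_mail_prefix(qname: str) -> Optional[Tuple[str, str]]:
    """Return (prefix, domain) when qname starts with one of the worm's guesses, else None."""
    q = qname.lower().rstrip(".")
    for prefix in MAIL_SERVER_PREFIXES:
        if q.startswith(prefix) and len(q) > len(prefix):
            return prefix, q[len(prefix):]
    return None


def guessing_hosts(lines: Iterable[str], relays: Set[str], min_domains: int = 3) -> Dict[str, Set[str]]:
    """Map each non-relay client that probed mail-server names for at least min_domains
    distinct domains to the set of domains it probed."""
    probed: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        client = m.group("client")
        if client in relays:
            continue  # the real relay is expected to resolve MX hosts for many domains
        hit = split_mail_prefix(m.group("qname"))
        if hit:
            probed[client].add(hit[1])
    return {client: domains for client, domains in probed.items() if len(domains) >= min_domains}


if __name__ == "__main__":
    # Assumed relay allow-list for the constructed network.
    for client, domains in guessing_hosts(SAMPLE_DNS_LOG.splitlines(), {"10.1.1.5"}).items():
        print(f"{client} guessed mail servers for {len(domains)} domains: {sorted(domains)}")
```

The threshold matters: "ns." and "mail." names are resolved legitimately all the time, so the signal is one workstation fanning out across many domains, not any single lookup. A firewall rule that blocks outbound TCP/25 from anything other than the relay stops the delivery step regardless of what the worm resolves.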

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Net-Worm.Win32.Mytob (AVP)
  • W32.Mytob
  • W32/Mytob
