W32/MyTob.I@mm
Analysis
This variant of MyTob is FSG packed. This threat was
coded using Visual Basic 5, and contains instructions
to spread to other systems using these methods -
- SMTP email
- networked systems
- RPC exploit [MS04-011]
The virus also has the following characteristics -
- has a remote access backdoor component that connects
with an IRC server
- blocks certain AV and security websites by altering the local "HOSTS" file
The virus borrows code from W32/Mydoom - this causes some AV scanners to identify this virus as a variant of the W32/Mydoom family.
Loading at Windows startup
If the threat is run manually, it will copy itself to
the local system in several places -
C:\funny_pic.scr - copy of virus
C:\hellmsn.exe [6,050 bytes] - IRC Bot component
C:\my_photo2005.scr - copy of virus
C:\see_this!!.scr - copy of virus
C:\WINNT\system32\2pac.txt [79 bytes] - FTP script
C:\WINNT\system32\bingoo.exe [59,392 bytes] - copy of virus
C:\WINNT\system32\sys32.exe - copy of virus
The virus has a file size of 58,880 bytes. The file "bingoo.exe" has extra random data beyond hex offset 0xe5ff. This is probably an attempt to introduce "polymorphism" to prevent full body CRC32 or MD5 detection of the file.
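As an added illustration (not part of the original analysis), the check below shows why hashing a fixed-length prefix defeats this appended-data trick: the analysis gives the body as 58,880 bytes (0xe600, i.e. ending at offset 0xe5ff), so two copies with different tails still share a body hash even though their full-file hashes differ. The sample bytes are constructed stand-ins, not real MyTob content.

```python
import hashlib

# The analysis gives the virus body as 58,880 bytes (0xe600) with random data
# appended beyond offset 0xe5ff, so a full-file CRC32/MD5 differs per copy.
# Hashing only the fixed-size body ignores the appended junk.
BODY_SIZE = 58_880  # == 0xe600; the body ends at offset 0xe5ff


def body_hash(data: bytes, body_size: int = BODY_SIZE) -> str:
    """SHA-256 over the first body_size bytes only."""
    return hashlib.sha256(data[:body_size]).hexdigest()


def full_hash(data: bytes) -> str:
    """SHA-256 over the whole file; changes whenever the tail changes."""
    return hashlib.sha256(data).hexdigest()


def same_body(sample_a: bytes, sample_b: bytes, body_size: int = BODY_SIZE) -> bool:
    """True when both files are at least body_size long and share the same body."""
    if len(sample_a) < body_size or len(sample_b) < body_size:
        return False  # truncated file: cannot claim a full-body match
    return body_hash(sample_a, body_size) == body_hash(sample_b, body_size)


def make_samples() -> tuple:
    """Constructed stand-ins: identical 58,880-byte body, different 512-byte tails
    (59,392 bytes total, the size the analysis reports for bingoo.exe)."""
    body = bytes(range(256)) * 230  # 230 * 256 == 58,880 constructed bytes
    return body + b"\x41" * 512, body + b"\x42" * 512


if __name__ == "__main__":
    a, b = make_samples()
    print("full hashes match:", full_hash(a) == full_hash(b))  # False
    print("body hashes match:", same_body(a, b))              # True
```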
The virus will register itself to load at Windows startup -
HKEY_CURRENT_USER\Software\Microsoft\OLE
"WINTASK" = sys32.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"WINTASK" = sys32.exe
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
"WINTASK" = sys32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
"WINTASK" = sys32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"WINTASK" = sys32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"WINTASK" = sys32.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
"WINTASK" = sys32.exe
SMTP mass-mailing routine
The virus has instructions to send a copy of itself
to contacts found in files of certain extensions. This
virus appears to have borrowed the same harvest and
exclusion routines as found in the W32/Mydoom virus
family. Email addresses are sampled from files having
these extensions -
- .adb
- .asp
- .dbx
- .htm
- .php
- .pl
- .sht
- .tbb
- .wab
The captured addresses are used as targets for the mailing routine. As with other viruses using this technique, the virus will avoid selecting email addresses containing certain strings, such as these -
- accoun
- certific
- listserv
- ntivi
- support
- icrosoft
- admin
- page
- the.bat
- gold-certs
- ca
- feste
- submit
- not
- help
- service
- privacy
- somebody
- no
- soft
- contact
- site
- rating
- bugs
- me
- you
- your
- someone
- anyone
- nothing
- nobody
- noone
- webmaster
- postmaster
- samples
- info
- root
- be_loyal
- mozilla
- utgers.ed
- tanford.e
- pgp
- acketst
- secur
- isc.o
- isi.e
- ripe.
- arin.
- sendmail
- rfc-ed
- ietf
- iana
- usenet
- fido
- linux
- kernel
- ibm.com
- fsf.
- gnu
- mit.e
- bsd
- math
- unix
- berkeley
- foo.
- .mil
- gov.
- .gov
- ruslis
- nodomai
- mydomai
- example
- inpris
- borlan
- sopho
- panda
- icrosof
- syma
- avp
- .edu
- -._!
- -._!@
- abuse
- www
- fcnz
- spm
The virus carries hard-coded message bodies and sends email with varying body text. The possible body texts are selected from these choices -
- Mail transaction failed. Partial message is available.
- The message contains Unicode characters and has been sent as a binary attachment.
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- The original message was included as an attachment.
- Here are your banks documents.
The email attachment may be one of these -
- funny_pic.scr
- my_photo2005.scr
- see_this!!.scr
Network spreading routine
The virus will first bind to a high TCP port such
as 10087 or 10153. The virus will spawn a thread that
functions on this TCP port as an FTP server.
Next, the virus will attempt to connect with systems
on the same subnet as the infected system. To do this,
the virus generates random IP addresses based on the
infected system's IP address, keeping the first two octets
(A.B) and randomizing the last two.
For example, if the infected system has an IP address
of 192.168.29.56 [using network address translation,
or NAT], the virus may try to connect with random addresses
such as these -
- 192.168.1.71
- 192.168.113.2
- 192.168.44.50 and so on
The virus attempts to connect with the random system using TCP port 445. If a connection can be made, the virus uses an RPC exploit to gain access to the system. Once access is obtained, the virus generates an FTP script and writes it to the system with these instructions:
open <IP> <TCP port>
user hell rulez
binary
get bingoo.exe
quit
The virus then initiates FTP.EXE locally on the compromised system to retrieve a copy of the virus as "bingoo.exe" from the connecting system, and execute it.
Backdoor functionality
The virus will create a thread that functions as a backdoor,
using a high TCP port such as 10087 or 10153. The virus
connects with the IRC server 'metalhead2005.info' in
order to receive instructions from a malicious user.
Instructions include some of the following -
.update
.raw
.exec
.dl
.rm
.quit
.su
.uptime
.login
HOSTS modification routine
This variant alters the local "HOSTS" file
in an effort to block access to Antivirus and security
related web addresses. The virus overwrites the "HOSTS"
file with misconfigured information so that attempts
to reach certain addresses resolve to the IP 127.0.0.1,
also known as "localhost". Below is a copy
of a modified HOSTS file -
127.0.0.1 www.trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.symantec.com
Recommended Action
FortiGate systems:
- check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option