W32/MyTob.K@mm
Analysis
- C:\funny_pic.scr
- C:\see_this!!.scr
- C:\my_photo2005.scr
- %SYSTEM%\msgmr.exe
- key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- value: Win TaskLoader
- data: msgmr.exe
- key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
- value: Win TaskLoader
- data: msgmr.exe
- key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- value: Win TaskLoader
- data: msgmr.exe
- key: HKCU\Software\Microsoft\OLE
- value: Win TaskLoader
- data: msgmr.exe
- key: HKCU\SYSTEM\CurrentControlSet\Control\Lsa
- value: Win TaskLoader
- data: msgmr.exe
- adb
- wab
- tbb
- dbx
- htm
- html
- sht
- php
- asp
- aspx
- .gov
- .mil
- borlan
- example
- inpris
- microsof
- sopho
Subject: one of the following:
- [No Subject]
- [random letters]
- Error
- Good day
- hello
- Mail Delivery System
- Mail Transaction Failed
- Server Report
- Status
- [Random data]
- Here are your banks documents.
- Mail transaction failed. Partial message is available.
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- The message contains Unicode characters and has been sent as a binary attachment.
- The original message was included as an attachments.
- [random letters]
- body
- data
- doc
- document
- file
- message
- readme
- test
- text
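The subject lines, message text and attachment names listed above can be turned into a mail-gateway triage check. The Python script below is an added example and not part of Fortinet's analysis: the sample messages and addresses are constructed, the longer sentences above are taken to be message body text, and the set of executable attachment extensions is an assumption, since the page only shows the .scr extension for the worm's dropped copies.

```python
"""Added example, not part of the Fortinet analysis: a triage check that flags
mail carrying the W32/MyTob.K@mm subject lines, message text and attachment
names listed above. Sample messages are constructed inline."""
from __future__ import annotations

import email
import os
from email import policy
from email.message import EmailMessage

# Fixed subject strings from the analysis, lower-cased for comparison.
# "[No Subject]" and "[random letters]" cannot be matched as literals and are
# left to the body and attachment checks.
KNOWN_SUBJECTS = {
    "error", "good day", "hello", "mail delivery system",
    "mail transaction failed", "server report", "status",
}

# Message text lines from the analysis (assumed to be body text), lower-cased;
# matched as substrings so that wrapping or a trailing signature does not
# defeat the check.
KNOWN_BODY_LINES = (
    "here are your banks documents.",
    "mail transaction failed. partial message is available.",
    "the message cannot be represented in 7-bit ascii encoding "
    "and has been sent as a binary attachment.",
    "the message contains unicode characters and has been sent "
    "as a binary attachment.",
    "the original message was included as an attachments.",
)

# Attachment base names from the analysis.
KNOWN_ATTACHMENT_STEMS = {
    "body", "data", "doc", "document", "file", "message",
    "readme", "test", "text",
}

# Assumption: the page shows .scr only for the worm's dropped copies and does
# not list the attachment extensions, so a general executable list is used.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".bat", ".cmd"}


def mytob_indicators(raw_message: bytes) -> list[str]:
    """Return the indicators found in one RFC 822 message (empty list = clean)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits: list[str] = []

    subject = str(msg["Subject"] or "").strip()
    if subject.lower() in KNOWN_SUBJECTS:
        hits.append(f"subject:{subject}")

    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content().lower() if body_part is not None else ""
    for line in KNOWN_BODY_LINES:
        if line in body_text:
            hits.append(f"body:{line[:40]}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = os.path.splitext(name.lower())
        if stem in KNOWN_ATTACHMENT_STEMS and ext in EXECUTABLE_EXTENSIONS:
            hits.append(f"attachment:{name}")
    return hits


def build_sample(subject: str, body: str, attachment: str | None = None) -> bytes:
    """Construct a test message (addresses and content are made up)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment is not None:
        # Four placeholder bytes stand in for the attached executable.
        m.add_attachment(b"MZ\x00\x00", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()


# Constructed batch: one worm-like message, one with no subject, one benign.
SAMPLES = {
    "worm-like": build_sample(
        "Mail Transaction Failed",
        "Mail transaction failed. Partial message is available.",
        "message.scr"),
    "no-subject": build_sample("", "", "doc.pif"),
    "benign": build_sample(
        "Quarterly review", "Hi, the slides are attached.", "slides.pdf"),
}


def triage(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Run the check over a batch and return the indicators per message."""
    return {name: mytob_indicators(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hits in triage(SAMPLES).items():
        verdict = "FLAG" if hits else "ok"
        print(f"{name:10s} {verdict:4s} {hits}")
```

The attachment check requires both a listed base name and an executable extension, so a benign `doc.pdf` is not flagged; the subject and body checks are independent so that a message with an empty or random-letter subject still surfaces through its text or attachment.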
Network Propagation
Backdoor and/or Trojan Behavior
- Execute files
- Download files
- Restart system
- Perform various other IRC commands
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
Patch
- Download and install the following patch: Microsoft Windows Local Security Authority Subsystem Service (LSASS) Vulnerability: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
Telemetry
Detection Availability
Product | Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |