W32/MyTob.JT!worm
Analysis
- Creates a mutex named amgkshsqweasdmnd to make sure that there is only one instance of the worm running.
- Copies itself to the Windows folder as msdefr.exe and nb32ext3.exe.
- Copies itself to the Windows folder as one of the following:
- services.exe
- winlogon.exe
- csrss.exe
- smss.exe
Registry Modification
- Adds the following value:
helloworld = "nb32ext3.exe"
to the following subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
- Adds the following value:
RPCserv32g = "%WINDOWS%\%FILE%"
to the following subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Adds the value:
IEPsdgxc = 1
to the following subkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer
- Modifies the following value:
Userinit = "%SYSTEM%\userinit.exe,%WINDOWS%\%FILE%" (The default value is "%SYSTEM%\userinit.exe")
in the following subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- Modifies the value:
Start = 4 (The default value is 3)
in the following subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
- Modifies the value:
EnableFirewall = 0 (The default value is 1)
in the following subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
- Modifies the value:
DisableRegistryTools = 0 (The default value is 1)
in the following subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
Note: %WINDOWS% refers to the Windows folder, %SYSTEM% refers to the System folder, and %FILE% refers to the filename of the malware.
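The registry changes listed above (autorun values, the appended Userinit entry, and the disabled Windows Firewall service and policy) can be checked offline against a registry export taken from a suspect host. The following script is an added example for that check, not code from Fortinet's write-up; the `.reg` text it parses is constructed, and it assumes the dropped file is `C:\WINDOWS\msdefr.exe` in place of `%WINDOWS%\%FILE%`.

```python
"""Audit a Windows registry export (.reg text) for the autorun, Userinit
and firewall changes listed in the write-up. Added example, not Fortinet's
code; SAMPLE_REG is a constructed export, not data from a real host."""
import re
from typing import Dict, List

# Constructed sample export. C:\WINDOWS\msdefr.exe stands in for the
# write-up's %WINDOWS%\%FILE% (assumption for the example).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"helloworld"="nb32ext3.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RPCserv32g"="C:\\WINDOWS\\msdefr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\msdefr.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]
"EnableFirewall"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')
STR_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Key paths from the write-up, lower-cased for case-insensitive lookup.
RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
)
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
SHAREDACCESS = r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
FWPOLICY = SHAREDACCESS + r"\parameters\firewallpolicy"
DROPPED_NAMES = ("msdefr.exe", "nb32ext3.exe")  # file names from the write-up
VALUE_NAMES = ("helloworld", "rpcserv32g")       # value names from the write-up


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the subset of .reg syntax used here: [key] headers followed by
    "name"="string" or "name"=dword:hex lines. Returns {key: {name: value}}
    with key paths lower-cased, since the registry itself is case-insensitive."""
    tree: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            tree.setdefault(current, {})
            continue
        if current is None or not line:
            continue
        m = DWORD_RE.match(line)
        if m:
            tree[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = STR_RE.match(line)
        if m:
            # .reg files escape backslashes and quotes inside string values.
            tree[current][m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return tree


def audit(tree: Dict[str, Dict[str, object]]) -> List[str]:
    """Return one finding per indicator present in the parsed export."""
    findings: List[str] = []
    for key in RUN_KEYS:
        for name, val in tree.get(key, {}).items():
            if name.lower() in VALUE_NAMES or any(d in str(val).lower() for d in DROPPED_NAMES):
                findings.append(f"autorun: {key}\\{name} = {val}")
    # Userinit is a comma-separated list; only userinit.exe belongs there.
    raw_userinit = str(tree.get(WINLOGON, {}).get("Userinit", ""))
    entries = [e.strip() for e in raw_userinit.split(",") if e.strip()]
    if entries and not entries[0].lower().endswith("userinit.exe"):
        findings.append(f"winlogon: first Userinit entry is not userinit.exe: {entries[0]}")
    for extra in entries[1:]:
        findings.append(f"winlogon: extra Userinit entry: {extra}")
    if tree.get(SHAREDACCESS, {}).get("Start") == 4:
        findings.append("firewall: SharedAccess service disabled (Start = 4)")
    if tree.get(FWPOLICY, {}).get("EnableFirewall") == 0:
        findings.append("firewall: EnableFirewall = 0")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

Export the relevant hives with `reg export` on the suspect machine (or from an offline hive) and feed the text to `parse_reg_export`; the Userinit check is the most durable one, since any entry after `userinit.exe` is abnormal regardless of the file name the worm happens to use.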
Email Propagation
- Gathers email addresses from the Microsoft Windows Address Book and from files that contain any of the following extensions:
- .asp
- .cgi
- .dbx
- .dht
- .eml
- .htm
- .html
- .jsp
- .mbx
- .mht
- .msg
- .php
- .sht
- .stm
- .uin
- .wab
- Avoids sending emails to addresses that contain any of the strings in its specified list, which includes the following:
- admin
- icrosoft
- support
- ntivi
- unix
- bsd
- linux
- listserv
- certific
- accoun
- abuse
- upport
- www
- root
- info
- samples
- webmaster
It also avoids email addresses whose domain names contain strings such as:
- avp
- syma
- icrosof
- panda
- sopho
- borlan
- inpris
- example
- mydomai
- icrosoft
- ruslis
- kasp
- gov.
- .mil
- Searches for SMTP servers by prepending the following strings to domain names that it finds:
- mx.
- mail.
- smtp.
- mx1.
- mxs.
- mail1.
- relay.
- ns.
- gate.
- Uses its own SMTP engine to send itself to email addresses that it finds.
- The email has the following format:
From: can be any of various strings, such as:
- john
- alex
- michael
- james
- mike
- kevin
- david
- george
- sam
- andrew
- jose
- leo
- maria
- jim
Subject: one of the following:
- *DETECTED* Online User Violation
- *WARNING* Your Email Account Will Be Closed
- Account Alert
- Important Notification
- Notice of account limitation
- NOTICE: **LAST WARNING**
- Security measures
- Your Email Account is Suspended For Security Reasons
- Email Account Suspension
- Accounts department
- Ahtung!
- Camila
- Daily activity report
- Ello!
- Flayers among us
- Freedom for everyone
- From Hair-cutter
- From me
- Greet the day
Message Body: one of the following:
- The original message has been included as an attachment.
- We attached some important information regarding your account.
- Please read the attached document and follow it's instructions.
- Attached some pics that i found.
- Everything inside the attach.
- Once you have completed the form in the attached file your account records will not be interrupted and will continue as normal.
- We have suspended some of your email services, to resolve the problem you should read the attached document.
- We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.
Attachment: [Filename].[Extension]
[Filename] can be any of the following:
- email-info
- email-doc
- account-report
- account-info
- email-details
- account-details
- important-details
- accepted-password
- account-password
- approved-password
- password
- new-password
- email-password
- updated-password
- attachment
- document
- message
[Extension] can be any of the following:
- .bat
- .cmd
- .exe
- .pif
- .scr
- .zip
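The lure format above (fixed subject lines, fixed body sentences, and an attachment named from two short lists) is regular enough to match at a mail gateway. The following scorer is an added example, not Fortinet's code: it parses a raw message with Python's standard `email` module and weights subject, body and attachment matches. Both sample messages are constructed, and the weights and the threshold of 3 are assumptions for the example.

```python
"""Score a raw e-mail against the MyTob lure format from the write-up.
Added example, not Fortinet's code; the two sample messages are
constructed and the scoring weights are assumptions."""
import email
import re
from email import policy
from typing import List, Tuple

# Subjects, body sentences and attachment name/extension lists from the write-up.
SUBJECTS = {s.lower() for s in (
    "*DETECTED* Online User Violation", "*WARNING* Your Email Account Will Be Closed",
    "Account Alert", "Important Notification", "Notice of account limitation",
    "NOTICE: **LAST WARNING**", "Security measures",
    "Your Email Account is Suspended For Security Reasons", "Email Account Suspension",
    "Accounts department", "Ahtung!", "Camila", "Daily activity report", "Ello!",
    "Flayers among us", "Freedom for everyone", "From Hair-cutter", "From me", "Greet the day",
)}
BODY_PHRASES = (
    "the original message has been included as an attachment",
    "we attached some important information regarding your account",
    "please read the attached document and follow it's instructions",
    "attached some pics that i found",
    "everything inside the attach",
    "your account records will not be interrupted",
    "we have suspended some of your email services",
    "your account has been suspended due to the violation of our site policy",
)
ATTACH_RE = re.compile(
    r"^(email-info|email-doc|account-report|account-info|email-details|account-details|"
    r"important-details|accepted-password|account-password|approved-password|password|"
    r"new-password|email-password|updated-password|attachment|document|message)"
    r"\.(bat|cmd|exe|pif|scr|zip)$", re.IGNORECASE)

# Constructed lure: page subject, page body sentence, listed attachment name.
# The base64 payload is an empty ZIP end-of-central-directory record.
SAMPLE_LURE = """\
From: "alex" <alex@example.invalid>
To: someone@example.invalid
Subject: Notice of account limitation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.
--b1
Content-Type: application/octet-stream; name="account-details.zip"
Content-Disposition: attachment; filename="account-details.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
From: colleague@example.invalid
To: someone@example.invalid
Subject: Lunch tomorrow?

Are you free around noon?
"""


def inspect(raw: str) -> Tuple[int, List[str]]:
    """Return (score, reasons). Subject +2, each listed body phrase +2,
    each attachment matching name.extension +3 (assumed weights)."""
    msg = email.message_from_string(raw, policy=policy.default)
    score, reasons = 0, []
    subject = (msg["Subject"] or "").strip()
    if subject.lower() in SUBJECTS:
        score += 2
        reasons.append(f"subject matches lure list: {subject!r}")
    body = ""
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            if ATTACH_RE.match(filename):
                score += 3
                reasons.append(f"attachment name matches lure pattern: {filename}")
        elif part.get_content_type() == "text/plain":
            body += part.get_content().lower()
    for phrase in BODY_PHRASES:
        if phrase in body:
            score += 2
            reasons.append(f"body contains lure sentence: {phrase!r}")
    return score, reasons


def is_mytob_lure(raw: str, threshold: int = 3) -> bool:
    """A single matching attachment name is enough to cross the threshold."""
    return inspect(raw)[0] >= threshold


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, inspect(sample))
```

The attachment rule carries the most weight because the name and extension lists are what distinguish this worm's mail from ordinary account notices; `.zip` is included because the write-up lists it among the extensions, so archive-only filtering would still let a lure through.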
Vulnerability Exploit
- Propagates across networks by exploiting the Microsoft Windows Plug and Play Vulnerability.
Backdoor/Trojan Behavior
- Prevents the infected system from connecting to update servers and various other security-related web pages by modifying the local HOSTS file.
- Attempts to terminate certain processes, some of which may be security-related, such as:
- Lien Van de Kelderrr.exe
- winshost.exe
- msnmsgr.exe
- wfdmgr.exe
- OUTPOST.exe
- IAOIN.exe
- RB.exe
- backdoor.rbot.gen.exe
- msssss.exe
- rasmngr.exe
- dailin.exe
- wowpos32.exe
- wuamgrd.exe
- taskmanagr.exe
- wuamga.exe
- _AVP32.exe
- _AVPCC.exe
- _AVPM.exe
- Opens a backdoor on a random TCP port. The remote intruder can gain access and control over the computer.
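The HOSTS modification described above is straightforward to audit: any entry that maps a name other than `localhost` to a loopback or null address blocks that name, and names that look like update or vendor hosts deserve a second look whatever address they point to. The script below is an added example, not Fortinet's code; `SAMPLE_HOSTS` is constructed, and `VENDOR_HINTS` is an assumed keyword list that reuses the vendor strings the worm itself avoids when mailing, plus "update".

```python
"""Audit a HOSTS file for entries that would block update or security
sites. Added example, not Fortinet's code; SAMPLE_HOSTS is constructed
and VENDOR_HINTS is an assumed keyword list."""
import ipaddress
from typing import List, Tuple

# Constructed sample: default localhost line, three worm-style sinkhole
# entries, and one legitimate intranet mapping that must not be flagged.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       update.symantec.com
0.0.0.0         liveupdate.symantecliveupdate.com   # null-routed
192.0.2.10      intranet.example.invalid
"""

# Addresses that make a name unreachable when placed in HOSTS.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately map to loopback.
LEGIT_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost"}
# Assumed hints: vendor strings from the write-up's avoidance list plus "update".
VENDOR_HINTS = ("update", "avp", "syma", "icrosof", "panda", "sopho", "kasp")


def audit_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, name, reason) for each suspicious mapping."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, addr, "not a valid address"))
            continue
        for name in names:
            reasons = []
            if addr in SINK_ADDRESSES and name.lower() not in LEGIT_LOCAL:
                reasons.append(f"sinkholed to {addr}")
            if any(h in name.lower() for h in VENDOR_HINTS):
                reasons.append("names an update/security vendor host")
            if reasons:
                findings.append((lineno, name, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for lineno, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name}: {reason}")
```

On a live system read `%SYSTEM%\drivers\etc\hosts` and pass its contents to `audit_hosts`; a clean Windows file yields no findings because its only entries map `localhost` to loopback.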
Recommended Action
FortiGate systems:
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
Patch
- Download and install the patch for the Microsoft Windows Plug and Play Vulnerability at http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx.
Telemetry
Detection Availability
Product | Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |