VirusW32/MyTob.PN@mm
Analysis
All MyTob viruses have these characteristics:
- copy itself to the local system
- search for email addresses in files
- send itself by SMTP [self contained engine]
Some variants have these additional characteristics:
- connect with an IRC server to receive instructions
or await commands from a malicious user
- prevent the infected system from connecting to update
servers and various other security related web pages
- this is done by hacking the local "hosts"
file and adding entries redirecting the call to specific
web sites by domain name to the local host
- try to connect with random IP addresses to infect systems using an RPC DCOM / LSASS exploit combo
The variants will differ slightly with regard to packed file size and actual file names created on the host however the functionality of the viruses remain the same.
Specific Properties
- writes the file "msconfgh.exe" to the
System32 folder, with the following autostart registry
entry
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
"Win32 Cnfg32" = msconfgh.exeHKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Runonce
"Win32 Cnfg32" = msconfgh.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Run
"Win32 Cnfg32" = msconfgh.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Runonce
"Win32 Cnfg32" = msconfgh.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Win32 Cnfg32" = msconfgh.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
"Win32 Cnfg32" = msconfgh.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"Win32 Cnfg32" = msconfgh.exeHKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32_CNFG32
"NextInstance" = 01, 00, 00, 00HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32_CNFG32\0000
"Class" = LegacyDriver
"ClassGUID" = {8ECC055D-047F-11D1-A537-0000F8753ED1}
"ConfigFlags" = 00, 00, 00, 00
"DeviceDesc" = Win32 Cnfg32
"Legacy" = 01, 00, 00, 00
"Service" = Win32 Cnfg32HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32_CNFG32\0000\Control
"*NewlyCreated*" = 00, 00, 00, 00
"ActiveService" = Win32 Cnfg32
- sends emails with one of these subject lines -
Notice of account limitation
Email Account Suspension
Security measures
You are banned!!!
We have suspended your account
Members Support
Important Notification
Warning Message: Your services near to be closed.
Your Account is Suspended For Security Reasons
*DETECTED* Online User Violation
*WARNING* Your email account is suspended
Your Account is Suspended
- sends emails with one of four HTML format body texts
where undefineds is a portion of the recipient's email address;
in the first instance, it is the prefix and in the
remaining occurrences, it is the domain -
Dear user undefineds,
You have successfully updated the password of your undefineds account.
If you did not authorize this change or if you need assistance with your account, please contact undefineds customer service at: undefineds
Thank you for using undefineds!
The undefineds Support Team
+++ Attachment: No Virus (Clean)
+++ undefineds Antivirus - www.undefineds
Dear user undefineds,
It has come to our attention that your undefineds User Profile ( x ) records are out of date. For further details see the attached document.
Thank you for using undefineds!
The undefineds Support Team
+++ Attachment: No Virus (Clean)
+++ undefineds Antivirus - www.undefineds
Dear undefineds Member,
We have temporarily suspended your email account undefineds.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
See the details to reactivate your undefineds account.
Sincerely,The undefineds Support Team
+++ Attachment: No Virus (Clean)
+++ undefineds Antivirus - www.undefineds
Dear undefineds Member,
Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to cancel your membership.
Virtually yours,
The undefineds Support Team
+++ Attachment: No Virus found
+++ undefineds Antivirus - www.undefineds
- spoofs the sender email address to match one of
these names as a prefix to the from email address
-
register
mail
accounts
administrator
- the attached file is a .ZIP archive with one of
these names -
account-report
readme
document
account-info
email-details
account-details
information
important-details
- connects to an IRC server named 'f00r.dynu.com'
and connects to the channel "toby" to await
instructions and commands from a malicious user
- functions as an LSASS/RPC exploit locator (scanner)
if the appropriate instruction is sent to the virus
via the IRC server backdoor
- deletes existing shares on the infected system -
ipc$
admin$
c$
d$
- terminates processes matching a built-in list of
file names
- opens a command shell on vulnerable systems and
executes script instructions to FTP a copy of the
virus from the infected system to the exploited system
using the logon id "a" and same password
- infects systems on the same network in the IPC$
share
- functions as a SOCKS4/SOCKS5 proxy
Recommended Action
- check the main screen using the web interface to
ensure the latest AV/NIDS database has been downloaded
and installed -- if required, enable the "Allow
Push Update" option
FortiGate systems:
