W32/MyTob.DJ@mm
Analysis
This variant of MyTob is smaller than the average MyTob variant because it does not drop a file such as "hellmsn.exe" in the root directory. It does, however, still spread to other systems via SMTP email.
The virus also has the following characteristics -
- may connect to the IRC server named "irc.blackcarder.net" and await commands from a malicious user
- blocks certain AV and security websites by altering the local "HOSTS" file
The virus borrows code from W32/Mydoom, which causes some AV scanners to identify it as a variant of the W32/Mydoom family.
Loading at Windows startup
If the threat is run manually, it will copy itself to the local system as C:\WINNT\system32\sky.exe. The virus has a file size of 29,550 bytes. The virus will register itself to load at Windows startup -
HKEY_CURRENT_USER\Software\Microsoft\OLE
"WINDOWS SKY" = sky.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"WINDOWS SKY" = sky.exe
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
"WINDOWS SKY" = sky.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
"WINDOWS SKY" = sky.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"WINDOWS SKY" = sky.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"WINDOWS SKY" = sky.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
"WINDOWS SKY" = sky.exe
SMTP mass-mailing routine
The virus has instructions to send a copy of itself to contacts found in files of certain extensions. This virus appears to have borrowed the same harvest and exclusion routines as found in the W32/Mydoom virus family. Email addresses are sampled from files having these extensions -
- adb
- asp
- dbx
- htm
- php
- sht
- tbb
- wab
The captured addresses are used as targets for the mailing routine. As with other viruses using this technique, the virus will avoid selecting email addresses containing certain strings, such as these -
- .edu
- .gov
- .mil
- abuse
- accoun
- acketst
- admin
- anyone
- arin.
- be_loyal:
- berkeley
- borlan
- bsd
- bugs
- ca
- certific
- contact
- example
- fcnz
- feste
- fido
- foo.
- fsf.
- gnu
- gold-certs
- gov.
- help
- iana
- ibm.com
- icrosof
- icrosoft
- ietf
- info
- inpris
- isc.o
- isi.e
- kernel
- linux
- listserv
- math
- me
- mit.e
- mozilla
- mydomai
- no
- nobody
- nodomai
- noone
- not
- nothing
- ntivi
- page
- panda
- pgp
- postmaster
- privacy
- rating
- rfc-ed
- ripe.
- ruslis
- samples
- secur
- sendmail
- service
- site
- soft
- somebody
- someone
- sopho
- spm
- submit
- support
- syma
- tanford.e
- the.bat
- unix
- usenet
- utgers.ed
- webmaster
- www
- you
- your
The virus carries hard-coded message bodies and sends email with varying body text. The email attachment may have a .PIF, .EXE or .ZIP file extension.
Backdoor functionality
The virus will create a thread that functions as a backdoor, using a high TCP port such as 10087 or 10153. The virus connects with the IRC server 'spm.slo-partija.info' in order to receive instructions from a malicious user. Instructions include some of the following -
- .updat
- .raw
- .exec
- .dl
- .rm
- .quit
- .su
- .uptim
- .login
HOSTS modification routine
This variant alters the local "HOSTS" file in an effort to block access to antivirus and security related web addresses. The virus overwrites the "HOSTS" file with entries that make lookups for certain addresses resolve to the IP 127.0.0.1, also known as "localhost", so the real sites can no longer be reached by name. Below is a copy of a modified HOSTS file -
127.0.0.1 www.trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 symantec.com
127.0.0.1 securityresponse.symantec.com
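The HOSTS overwrite above and the autorun values listed under "Loading at Windows startup" are both cheap to check for on a host. The following Python is an added example (not part of this advisory or any Fortinet tool): it flags loopback mappings for any name other than localhost, and looks for this variant's "WINDOWS SKY" = sky.exe autorun value in a registry snapshot supplied as a dictionary; the snapshot format and the sample data are constructed assumptions.

```python
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}  # loopback / blackhole targets
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def suspicious_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs mapping a non-localhost name to a loopback address."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if ip not in LOOPBACK:
            continue
        for name in names:
            if name.lower() not in LEGIT_LOOPBACK_NAMES:
                hits.append((ip, name.lower()))
    return hits

# Autorun value this variant registers (taken from the advisory above).
MYTOB_DJ_AUTORUN_VALUE = "WINDOWS SKY"
MYTOB_DJ_AUTORUN_DATA = "sky.exe"

def mytob_dj_autorun_hits(registry_snapshot):
    """registry_snapshot: {key_path: {value_name: data}} (assumed format, e.g. parsed from a .reg export)."""
    return sorted(
        key for key, values in registry_snapshot.items()
        if values.get(MYTOB_DJ_AUTORUN_VALUE, "").lower() == MYTOB_DJ_AUTORUN_DATA
    )

# Constructed sample: a HOSTS file as this variant leaves it, plus one benign LAN entry.
SAMPLE_HOSTS = """# constructed HOSTS sample
127.0.0.1 localhost
127.0.0.1 www.trendmicro.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.mcafee.com # blocked
192.168.1.10 fileserver
"""

# Constructed registry snapshot: one infected Run key, one benign Run value.
SAMPLE_REGISTRY = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": {"WINDOWS SKY": "sky.exe"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {"ctfmon": "ctfmon.exe"},
}

if __name__ == "__main__":
    for ip, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"HOSTS redirect: {name} -> {ip}")
    for key in mytob_dj_autorun_hits(SAMPLE_REGISTRY):
        print(f"autorun persistence: {key}")
```

On a live Windows host the file to read is %SystemRoot%\System32\drivers\etc\hosts, and the snapshot can be built from an export of the Run, RunServices, Ole and Lsa keys named above.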
Recommended Action
FortiGate systems:
- check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option