W32/MyTob.DJ@mm

Analysis

This variant of MyTob is smaller than the average MyTob variant because it does not drop a file in the root named "hellmsn.exe" or similar. It does, however, spread to other systems by SMTP email.

The virus also has the following characteristics -

  • may connect to the IRC server named "irc.blackcarder.net" and await commands from a malicious user
  • blocks certain AV and security websites by altering the local "HOSTS" file

The virus borrows code from W32/Mydoom - this causes some AV scanners to identify this virus as a variant of the W32/Mydoom family.

Loading at Windows startup
If the threat is run manually, it will copy itself to the local system as C:\WINNT\system32\sky.exe. The virus has a file size of 29,550 bytes. The virus will register itself to load at Windows startup -

HKEY_CURRENT_USER\Software\Microsoft\OLE
"WINDOWS SKY" = sky.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"WINDOWS SKY" = sky.exe

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
"WINDOWS SKY" = sky.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
"WINDOWS SKY" = sky.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"WINDOWS SKY" = sky.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"WINDOWS SKY" = sky.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
"WINDOWS SKY" = sky.exe
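A defender-side check for the persistence entries listed above, added here as an example and not code from the original advisory: it scans a Windows registry export (.reg text) for the "WINDOWS SKY" = sky.exe value under the keys the advisory names. The sample export is constructed for the example.

```python
"""Added example, not from the original advisory: scan a Windows registry
export (.reg text) for the autorun entries this MyTob variant writes.
Key paths and the "WINDOWS SKY" = sky.exe value come from the advisory."""
import re

# Registry keys listed in the advisory, upper-cased for case-insensitive matching.
MYTOB_DJ_KEYS = {
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\OLE",
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKEY_CURRENT_USER\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\OLE",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA",
}
MARKER_NAME = "WINDOWS SKY"   # value name written by the virus
MARKER_FILE = "sky.exe"       # value data written by the virus

# Constructed sample export: two infected keys plus one unrelated benign value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDOWS SKY"="sky.exe"
"VMware Tools"="C:\\Program Files\\VMware\\vmtoolsd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"WINDOWS SKY"="sky.exe"
'''

def find_mytob_autoruns(reg_text):
    """Return (key_path, value_name, data) for each matching value in a .reg export."""
    hits = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)          # [HKEY_...] section header
        if key:
            current_key = key.group(1)
            continue
        val = re.match(r'^"([^"]+)"="(.*)"$', line)  # "name"="string data"
        if val and current_key and current_key.upper() in MYTOB_DJ_KEYS:
            name, data = val.group(1), val.group(2)
            if name.upper() == MARKER_NAME or data.lower().endswith(MARKER_FILE):
                hits.append((current_key, name, data))
    return hits

if __name__ == "__main__":
    for key, name, data in find_mytob_autoruns(SAMPLE_REG):
        print(f'{key}: "{name}" = {data}')
```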

SMTP mass-mailing routine
The virus emails a copy of itself to addresses harvested from files with certain extensions. It appears to have borrowed the same harvest and exclusion routines found in the W32/Mydoom virus family. Email addresses are collected from files having these extensions -

  • adb
  • asp
  • dbx
  • htm
  • php
  • sht
  • tbb
  • wab

The captured addresses are used as targets for the mailing routine. As with other viruses using this technique, the virus will avoid selecting email addresses containing certain strings, such as these -

  • .edu
  • .gov
  • .mil
  • abuse
  • accoun
  • acketst
  • admin
  • anyone
  • arin.
  • be_loyal:
  • berkeley
  • borlan
  • bsd
  • bugs
  • ca
  • certific
  • contact
  • example
  • fcnz
  • feste
  • fido
  • foo.
  • fsf.
  • gnu
  • gold-certs
  • google
  • gov.
  • help
  • iana
  • ibm.com
  • icrosof
  • icrosoft
  • ietf
  • info
  • inpris
  • isc.o
  • isi.e
  • kernel
  • linux
  • listserv
  • math
  • me
  • mit.e
  • mozilla
  • mydomai
  • no
  • nobody
  • nodomai
  • noone
  • not
  • nothing
  • ntivi
  • page
  • panda
  • pgp
  • postmaster
  • privacy
  • rating
  • rfc-ed
  • ripe.
  • ruslis
  • samples
  • secur
  • sendmail
  • service
  • site
  • soft
  • somebody
  • someone
  • sopho
  • spm
  • submit
  • support
  • syma
  • tanford.e
  • the.bat
  • unix
  • unix
  • usenet
  • utgers.ed
  • webmaster
  • www
  • you
  • your

The virus carries hard-coded message bodies and sends email with varying body text. The email attachment may have a .PIF, .EXE or .ZIP file extension.

Backdoor functionality
The virus will create a thread that functions as a backdoor, using a high TCP port such as 10087 or 10153. The virus connects with the IRC server 'spm.slo-partija.info' in order to receive instructions from a malicious user. Instructions include some of the following -

.updat
.raw
.exec
.dl
.rm
.quit
.su
.uptim
.login
HOSTS modification routine
This variant alters the local "HOSTS" file in an effort to block access to antivirus and security related web addresses. The virus overwrites the "HOSTS" file with entries that map those addresses to the IP 127.0.0.1, the "localhost" loopback address, so that attempts to reach them never leave the infected machine. Below is a copy of a modified HOSTS file -

127.0.0.1 www.trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 symantec.com
127.0.0.1 securityresponse.symantec.com
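Detection logic for the HOSTS tampering described above, added here as an example and not code from the original advisory: it parses a HOSTS file and reports vendor hostnames pinned to a loopback address. The vendor domains are those in the HOSTS copy above; the sample file is constructed.

```python
"""Added example, not part of the original advisory: flag HOSTS entries that
redirect security-vendor sites to the loopback address, the technique this
MyTob variant uses to cut off AV updates. Vendor domains are from the advisory."""
import ipaddress

# Registrable domains of the vendors shown in the advisory's HOSTS copy.
VENDOR_DOMAINS = {
    "trendmicro.com", "microsoft.com", "mcafee.com", "symantec.com", "nai.com",
    "my-etrust.com", "ca.com", "networkassociates.com", "avp.com", "kaspersky.com",
    "f-secure.com", "viruslist.com", "symantecliveupdate.com", "sophos.com",
}

# Constructed sample: a clean header and intranet entry mixed with MyTob-style lines.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.trendmicro.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 download.mcafee.com
::1 securityresponse.symantec.com
10.0.0.5 intranet.example.com   # legitimate internal host
"""

def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments, blanks and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # not an address, ignore the line
        for host in parts[1:]:                 # one line may name several hosts
            yield ip, host.lower()

def is_vendor_host(host):
    """True if host is a vendor domain or any subdomain of one."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in VENDOR_DOMAINS for i in range(len(labels) - 1))

def find_blocked_vendor_hosts(text):
    """Vendor hostnames pinned to a loopback address (IPv4 or IPv6), sorted."""
    return sorted({host for ip, host in parse_hosts(text)
                   if ip.is_loopback and is_vendor_host(host)})

if __name__ == "__main__":
    for host in find_blocked_vendor_hosts(SAMPLE_HOSTS):
        print("blocked:", host)
```

Running it against the live C:\WINDOWS\system32\drivers\etc\hosts (or the older C:\WINNT path used by this variant) shows which update servers an infected host can no longer reach.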

Recommended Action

FortiGate systems:
  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option

Telemetry

Detection Availability

FortiClient - Extreme
FortiMail - Extreme
FortiSandbox - Extreme
FortiWeb - Extreme
Web Application Firewall - Extreme
FortiIsolator - Extreme
FortiDeceptor - Extreme
FortiEDR