Virus Name: I-Worm.Mytob.C@mm
Aliases: Net-Worm.Win32.Mytob.c, I-Worm/Mydoom, WORM_MYDOOM.GEN, Worm/Zusha.A, Worm.Mytob.A, Win32.Worm.Mytob.C, W32/Mytob.C.worm, W32/Mydoom.gen@MM, Win32.HLLM.MyDoom.20, W32/Mytob-C, Win32/Mytob.D, W32/Mytob.D@mm, W32.Mytob.C@mm
At the time of writing, the Mytob mass-mailing Internet worm accounts for approximately one-third of all e-mail traffic. Mytob was created by modifying the Mydoom source code so that it also functions as a network worm. It spreads as a standard mass-mailing e-mail worm with infected attachments, and it also spreads across the network by exploiting the Microsoft Windows LSASS (Local Security Authority Subsystem Service) remote buffer overflow vulnerability (MS04-011, CVE-2003-0533). In addition, it turns the infected computer into a zombie bot: it connects outbound to an IRC server on TCP port 6667 and accepts commands from there, so the machine can be put to further use later.

On launch, Mytob copies itself to the Windows System folder as wfdmgr.exe and creates five registry entries so that it is launched automatically at start-up. It then selects random IP addresses and sends a connection request to TCP port 445 on each; if the host responds, it exploits the LSASS vulnerability to infect the new victim. Hosts patched against MS04-011 cannot be infected over this vector, which leaves only the e-mail route.

Mytob also harvests e-mail addresses from the Windows Address Book and from files with the following extensions: adb, asp, dbx, htm, php, pl, sht, tbb, and wab. It will not send itself to government, security, or anti-virus type addresses. It connects directly to the recipients' SMTP servers with its own mail engine to deliver the infected messages.

The forged sender address uses one of several pre-selected first names. The subject is one of: Error, hello, hi, Mail Delivery system, Mail Transaction Failed, Server Report, Status, or test. The body is one of: "Mail transaction failed. Partial message is available.", "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.", "The message contains unicode characters and has been sent as a binary attachment.", or "test". The attachment's base name is one of: body, data, doc, document, file, message, readme, test, or text, and its extension is one of: bat, cmd, doc, exe, htm, pif, scr, tmp, txt, or zip.
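The two behaviours above (the fixed e-mail lure templates, and the random-IP TCP/445 sweep followed by an outbound IRC connection on TCP/6667) are concrete enough to detect. The following is an added example written for this entry, not code from the original page or from any anti-virus vendor. The indicator lists are transcribed from the text; the 60-second window, the 20-target threshold, the split of the extension list into "runnable" and "passive", and the sample mails and flow records are assumptions made for illustration.

```python
"""Detection heuristics for Mytob-style activity (added example; the
indicator lists come from the write-up, thresholds and samples are assumed)."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# --- E-mail lure templates as listed in the write-up --------------------
SUBJECTS = {"error", "hello", "hi", "mail delivery system",
            "mail transaction failed", "server report", "status", "test"}
BODIES = {
    "mail transaction failed. partial message is available.",
    "the message cannot be represented in 7-bit ascii encoding and has "
    "been sent as a binary attachment.",
    "the message contains unicode characters and has been sent as a "
    "binary attachment.",
    "test",
}
ATTACH_NAMES = {"body", "data", "doc", "document", "file", "message",
                "readme", "test", "text"}
ATTACH_EXTS = {"bat", "cmd", "doc", "exe", "htm", "pif", "scr", "tmp",
               "txt", "zip"}
# Assumed split of the page's extension list: these either execute on
# Windows or carry an executable, so a full match on them is high confidence.
RUNNABLE_EXTS = {"bat", "cmd", "exe", "pif", "scr", "zip"}


def _norm(text):
    """Lower-case and collapse whitespace so template matching stays exact
    while tolerating line wrapping and trailing newlines."""
    return " ".join(text.split()).lower()


def split_attachment(filename):
    """Return (base, ext): 'message.txt.exe' -> ('message', 'exe'), so a
    double extension is judged by the part Windows actually honours."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[0], parts[-1]


def classify_mail(subject, body, attachment):
    """'lure' when subject, body, attachment base name and extension all
    come from the Mytob templates and the extension is runnable;
    'lure-nonexec' when everything matches but the extension is passive
    (doc, htm, tmp, txt); otherwise 'clean'. Requiring all four fields
    keeps one-word subjects such as 'hi' from triggering on their own."""
    base, ext = split_attachment(attachment)
    hits = [_norm(subject) in SUBJECTS, _norm(body) in BODIES,
            base in ATTACH_NAMES, ext in ATTACH_EXTS]
    if not all(hits):
        return "clean"
    return "lure" if ext in RUNNABLE_EXTS else "lure-nonexec"


# --- Network side: random-IP TCP/445 sweep, then IRC on TCP/6667 --------
@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since epoch
    src: str
    dst: str
    dport: int


def find_lsass_sweepers(flows, window=60, min_targets=20):
    """Map each source that reached >= min_targets distinct hosts on TCP/445
    within any `window` seconds to the peak distinct-target count. Normal
    SMB use touches a few servers repeatedly; the worm touches many once."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport == 445:
            by_src[f.src].append((f.ts, f.dst))
    peaks = {}
    for src, events in by_src.items():
        events.sort()
        live = Counter()          # distinct targets inside the window
        lo = 0
        for ts, dst in events:
            live[dst] += 1
            while ts - events[lo][0] > window:
                old = events[lo][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                lo += 1
            if len(live) >= min_targets:
                peaks[src] = max(peaks.get(src, 0), len(live))
    return peaks


def find_mytob_bots(flows, **kw):
    """Sources that both swept TCP/445 and opened an outbound TCP/6667
    connection, the scan-then-join-IRC pattern described in the write-up.
    An IRC user who never swept is not flagged."""
    sweepers = find_lsass_sweepers(flows, **kw)
    irc_clients = {f.src for f in flows if f.dport == 6667}
    return sorted(src for src in sweepers if src in irc_clients)


def sample_flows():
    """Constructed records (not captured traffic) using documentation
    address ranges: one infected host, one file-server user, one IRC user."""
    flows = []
    for i in range(25):           # 25 distinct targets within 25 s
        flows.append(Flow(1000 + i, "10.0.0.5", f"198.51.100.{i + 1}", 445))
    flows.append(Flow(1040, "10.0.0.5", "203.0.113.7", 6667))
    for i in range(30):           # two file servers, hit 15 times each
        flows.append(Flow(1000 + i, "10.0.0.9",
                          "10.0.0.100" if i % 2 else "10.0.0.101", 445))
    flows.append(Flow(1005, "10.0.0.12", "203.0.113.7", 6667))
    return flows


if __name__ == "__main__":
    print(find_mytob_bots(sample_flows()))
    print(classify_mail("Mail Transaction Failed",
                        "Mail transaction failed. Partial message is available.",
                        "message.zip"))
```

The mail check deliberately demands a full template match: several of the subjects ("hi", "test") and the one-word body are common in legitimate mail, so any single field is too weak on its own. The network check pairs the sweep with the IRC connection for the same reason; on its own, a burst of TCP/445 connections is also produced by vulnerability scanners and inventory tools, and an outbound TCP/6667 connection on its own is just an IRC user.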
Copyright (c) 2005, 2008 A. Ryan Robbins. All Rights Reserved.