Virus Characteristics
-- Update May 18, 2005 --
This is a generic detection for over 100 variants of Mytob. As the virus authors modify their source code and release new variants, some of them will be detected. However, some variants are likely to be missed. As such, the generic detection routines are likely to be modified regularly to provide more detection for these threats.
-- Update April 13, 2005 --
The Mytob author(s) have been very busy recently, releasing multiple variants a day. There are now some 96 different "versions" known to exist. Many of these are simply repackaged versions of the same binary, and most variants function in a similar fashion. The mailing routine remains much the same, while the bot functionality is evolving in line with the Sdbot worm family. Newer variants include the FURootkit, contain an Instant Messenger worm component (detected as W32/Mytob.worm!im), and spread via the LSASS and DCOM RPC vulnerabilities.
-- Update March 24, 2005 --
AVERT has received 3 new variants within an hour of this threat. The variants use multiple forms of compression/encryption, and detection will be added to the 4455 DAT files. Initial seeding of the files can be identified as follows; HOWEVER, replicated samples cannot be identified by file hash or size, as the virus appends garbage to the end of the executable.
- 55,808 bytes (MD5: 3bd3dbd1bfe64ceaba2422f70ed6a69d)
- 54,272 bytes (MD5: a23865437b5ea46c123b880b9726a249)
- 58,808 bytes (MD5: 8817839e27e829f38c6f2041a7b92e40)
These new variants create a file named hellmsn.exe on the root of the C:\ drive (detected as W32/Generic.e with released DAT files).
--
This detection covers multiple variants of a mass-mailing worm that combines W32/Mydoom@MM functionality with W32/Sdbot.worm functionality. The following description serves as an example of some of the variants:
The virus arrives in an email message as follows:
From:
(Spoofed email sender)
Do not assume that the sender address is an indication that the sender is infected.
Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.
Subject:
(Varies, such as)
- Error
- Status
- Server Report
- Mail Transaction Failed
- Mail Delivery System
- hello
- hi
Body:
(Varies, such as)
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- The message contains Unicode characters and has been sent as a binary attachment.
- Mail transaction failed. Partial message is available.
Attachment:
(varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive)
- examples (common names, but can be random)
- doc.bat
- document.zip
- message.zip
- readme.zip
- text.pif
- hello.cmd
- body.scr
- test.htm.pif
- data.txt.exe
- file.scr
In the case of two file extensions, multiple spaces may be inserted as well, for example:
- document.htm (many spaces) .pif
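The attachment naming tricks listed above (executable extensions, a decoy extension in front of the real one, and whitespace padding so the real extension scrolls out of view) can be caught with a simple file-name heuristic at the mail gateway. The following is an added example, not code from the original description or from the AV vendor; the extension lists are taken from this page, the ZIP sample is constructed inline, and the heuristic deliberately errs on the side of flagging anything with an executable final extension.

```python
import io
import re
import zipfile

# Executable extensions named in the description above.
EXECUTABLE_EXTS = {".bat", ".exe", ".pif", ".cmd", ".scr"}
# Common decoy first extensions seen in double-extension names (assumption).
DECOY_EXTS = {".htm", ".html", ".txt", ".doc", ".jpg", ".pdf"}

# Matches "document.htm      .pif": a decoy extension, a run of whitespace,
# then the real executable extension at the very end of the name.
PADDED_DOUBLE_EXT = re.compile(
    r"\.([A-Za-z0-9]{1,5})\s+\.(bat|exe|pif|cmd|scr)$", re.IGNORECASE
)


def classify_attachment(name: str) -> dict:
    """Return heuristic flags for one attachment file name."""
    lower = name.lower()
    # Collapse whitespace so "document.htm   .pif" and "document.htm.pif"
    # yield the same extension list; the original is kept for the padding flag.
    collapsed = re.sub(r"\s+", "", lower)
    parts = collapsed.split(".")
    exts = ["." + p for p in parts[1:]] if len(parts) > 1 else []
    final_ext = exts[-1] if exts else ""
    flags = {
        "name": name,
        "executable": final_ext in EXECUTABLE_EXTS,
        "double_extension": len(exts) >= 2 and final_ext in EXECUTABLE_EXTS,
        "space_padded": bool(PADDED_DOUBLE_EXT.search(lower)),
        "decoy_extension": (
            len(exts) >= 2 and exts[-2] in DECOY_EXTS and final_ext in EXECUTABLE_EXTS
        ),
    }
    flags["suspicious"] = flags["executable"] or flags["space_padded"]
    return flags


def classify_zip(data: bytes) -> list:
    """Classify every member name of a ZIP attachment without extracting to disk."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = info.filename.rsplit("/", 1)[-1]
            results.append(classify_attachment(member))
    return results


def suspicious_names(names) -> list:
    """Filter a list of attachment names down to the ones worth quarantining."""
    return [n for n in names if classify_attachment(n)["suspicious"]]


def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP whose only member uses a space-padded double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.htm                    .pif", b"placeholder, not an executable")
    return buf.getvalue()


if __name__ == "__main__":
    for n in ["doc.bat", "report.txt", "test.htm.pif", "document.htm        .pif"]:
        print(classify_attachment(n))
    print(classify_zip(build_sample_zip()))
```

Inspecting ZIP member names rather than only the outer attachment name matters here because the description says the executable often arrives wrapped in a ZIP archive whose own name (document.zip, message.zip) looks harmless.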
When the attachment is run, the virus copies itself to the WINDOWS SYSTEM directory (typically c:\windows\system32) as wfdmgr.exe. Registry keys are created to load this file at startup:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "LSA" = wfdmgr.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "LSA" = wfdmgr.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "LSA" = wfdmgr.exe
Additional keys/values are created, which are typically associated with W32/Sdbot.worm:
- HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa "LSA" = wfdmgr.exe
- HKEY_CURRENT_USER\Software\Microsoft\OLE "LSA" = wfdmgr.exe
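The registry values above are the persistence indicators an incident responder would sweep for. The following is an added example, not code from the original description or from the AV vendor: it parses text laid out like `reg query` output (the sample is constructed inline, not captured from an infected host) and flags entries that match this page's indicators, namely a Run/RunServices value named "LSA", any value whose image is wfdmgr.exe, and the two non-standard Sdbot-style locations the description lists.

```python
import re

# Indicators taken from the description above.
MALWARE_FILENAME = "wfdmgr.exe"
MALWARE_VALUE_NAME = "lsa"
# Autostart keys named in the description (compared case-insensitively).
AUTOSTART_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
# Keys that are not normal autostart locations but that the description
# lists as receiving the same "LSA" value.
SDBOT_EXTRA_KEYS = {
    r"hkey_current_user\system\currentcontrolset\control\lsa",
    r"hkey_current_user\software\microsoft\ole",
}

# Value lines in reg query output: indented name, type, data separated by runs of spaces.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")


def parse_reg_query(text: str) -> list:
    """Parse reg query style text into (key, value name, type, data) tuples."""
    entries = []
    current_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current_key = line.strip()  # key path lines are not indented
            continue
        m = VALUE_LINE.match(line)
        if m and current_key:
            entries.append((current_key, m["name"], m["type"], m["data"].strip()))
    return entries


def image_basename(data: str) -> str:
    """Pull the executable basename out of a Run value such as
    '"C:\\path\\app.exe" /flag' -> 'app.exe' (lower-cased)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        path = data[1:end] if end > 0 else data[1:]
    else:
        path = data.split(" ")[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_mytob_persistence(entries: list) -> list:
    """Return the entries matching the Mytob/Sdbot persistence indicators, with reasons."""
    hits = []
    for key, name, _rtype, data in entries:
        key_l = key.lower()
        reasons = []
        if image_basename(data) == MALWARE_FILENAME:
            reasons.append("data references " + MALWARE_FILENAME)
        if name.lower() == MALWARE_VALUE_NAME and key_l in AUTOSTART_KEYS:
            reasons.append('autostart value named "LSA"')
        if name.lower() == MALWARE_VALUE_NAME and key_l in SDBOT_EXTRA_KEYS:
            reasons.append("Sdbot-style value outside the normal autostart keys")
        if reasons:
            hits.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return hits


# Constructed sample in the layout of reg query output; the ctfmon and SoundMan
# entries are benign filler so the filter has something to ignore.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    LSA    REG_SZ    wfdmgr.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    LSA    REG_SZ    wfdmgr.exe
    SoundMan    REG_SZ    "C:\WINDOWS\SOUNDMAN.EXE" /quiet

HKEY_CURRENT_USER\Software\Microsoft\OLE
    LSA    REG_SZ    wfdmgr.exe
"""

if __name__ == "__main__":
    for hit in find_mytob_persistence(parse_reg_query(SAMPLE_REG_QUERY)):
        print(hit)
```

Matching on the image basename rather than the full data string is deliberate: the description gives the value as a bare file name, but a Run value may also carry a full path or trailing arguments, and the same sweep should catch either form.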