Upon execution, the worm copies itself into the %System32%
folder as "Lien vd Kelder.exe".
It creates a mutex to prevent multiple instances
of the worm from running.
The worm adds the following keys to the registry
to make sure that it runs every time Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"http://www.lienvandekelder.be"="Lien vd Kelder.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
"http://www.lienvandekelder.be"="Lien vd Kelder.exe"
Note: The worm continuously monitors the registry
and recreates these keys if they are no longer present.
This Mytob worm also modifies the following registry
key:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
"Start"="4"
in order to lower security settings on the compromised
system.
Note: A Start value of 4 means "Disabled", so the SharedAccess
service (Internet Connection Sharing and, on Windows XP, the
built-in Internet Connection Firewall) no longer starts on
Windows 2000 and Windows XP systems.
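The following added example (not from the original analysis) checks a registry export, such as the output of `reg export`, for the persistence values and the SharedAccess change described above; the sample dump and its benign "SynTPEnh" entry are constructed.

```python
import re

# Constructed sample in "reg export" (.reg) format (not from the page); the worm's
# values mirror the entries above, "SynTPEnh" is a benign entry added for contrast.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"http://www.lienvandekelder.be"="Lien vd Kelder.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"http://www.lienvandekelder.be"="Lien vd Kelder.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
'''

AUTORUN_KEYS = (r"\software\microsoft\windows\currentversion\run",
                r"\software\microsoft\windows\currentversion\runservices")
SHAREDACCESS_KEY = r"\system\currentcontrolset\services\sharedaccess"
WORM_FILE = "lien vd kelder.exe"
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := _VALUE_RE.match(line)):
            name, data = m.group(1), m.group(2)
            # dword data is hex; string data keeps its surrounding quotes in the export
            keys[current][name] = int(data[6:], 16) if data.startswith("dword:") else data.strip('"')
    return keys


def find_mytob_persistence(text):
    """Human-readable findings for the registry changes described above."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        if k.endswith(AUTORUN_KEYS):
            for name, data in values.items():
                # The worm's value name is a URL and its data is the dropped file name.
                if name.lower().startswith("http://") or str(data).lower() == WORM_FILE:
                    findings.append(f"autorun {key}: {name!r} -> {data!r}")
        elif k.endswith(SHAREDACCESS_KEY) and values.get("Start") == 4:
            findings.append("SharedAccess service start type set to 4 (disabled)")
    return findings
```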
===================
Process Termination
===================
The worm terminates several programs:
TASKMGR.EXE, CMD.EXE, _AVPM.EXE, _AVPCC.EXE, _AVP32.EXE,
ZONEALARM.EXE,
ZATUTOR.EXE, ZAPSETUP3001.EXE, ZAPRO.EXE, XPF202EN.EXE, WYVERNWORKSFIREWALL.EXE,
WUPDATER.EXE, WSBGATE.EXE, WRCTRL.EXE, WRADMIN.EXE, WNT.EXE, WNAD.EXE, WKUFIND.EXE,
WINTSK32.EXE, WINSTART001.EXE, WINSTART.EXE, WINSSK32.EXE, WINSERVN.EXE, WINPPR32.EXE,
WINNET.EXE, WINMAIN.EXE, WINLOGIN.EXE, WININITX.EXE, WININIT.EXE, WINDOWS.EXE,
WINDOW.EXE, WINACTIVE.EXE, WIN32US.EXE, WIN32.EXE, WIN-BUGSFIX.EXE, WHOSWATCHINGME.EXE,
WFINDV32.EXE, WEBTRAP.EXE, WEBSCANX.EXE, WEBDAV.EXE, W9X.EXE, W32DSM89.EXE,
VSWINPERSE.EXE,
VSWINNTSE.EXE, VSWIN9XE.EXE, VSSTAT.EXE, VSMAIN.EXE, VSISETUP.EXE, VSHWIN32.EXE,
VSECOMR.EXE, VSCHED.EXE, VSCAN40.EXE, VPTRAY.EXE, VPFW30S.EXE, VPC42.EXE, VPC32.EXE,
VNPC3000.EXE, VIRUSMDPERSONALFIREWALL.EXE, VIR-HELP.EXE, VFSETUP.EXE, VETTRAY.EXE,
VET95.EXE, VCSETUP.EXE, VBWINNTW.EXE, VBWIN9X.EXE, VBUST.EXE, VBCONS.EXE, VBCMSERV.EXE,
UPGRAD.EXE, UPDATE.EXE, UPDATE.EXE, UPDAT.EXE, UNDOBOOT.EXE, TVTMD.EXE, TVMD.EXE,
TROJANTRAP3.EXE, TRJSETUP.EXE, TRJSCAN.EXE, TRICKLER.EXE, TRACERT.EXE, TITANIN.EXE,
TGBOB.EXE, TFAK5.EXE, TFAK.EXE, TEEKIDS.EXE, TDS2-NT.EXE, TDS-3.EXE, TCA.EXE,
TC.EXE,
TBSCAN.EXE, TAUMON.EXE, TASKMON.EXE, TASKMO.EXE, TASKMG.EXE, SYSTEM32.EXE,
SYSTEM.EXE,
SYSEDIT.EXE, SYMTRAY.EXE, SYMPROXYSVC.EXE, SWEEP95.EXE, SVSHOST.EXE, SVCHOSTS.EXE,
SVCHOSTC.EXE, SVC.EXE, SUPPORTER5.EXE, SUPFTRL.EXE, STCLOADER.EXE, START.EXE,
ST2.EXE,
SSG_4104.EXE, SSGRATE.EXE, SRNG.EXE, SREXE.EXE, SPYXX.EXE, SPOOLSV32.EXE, SPOOLCV.EXE,
SPOLER.EXE, SPHINX.EXE, SPERM.EXE, SOFI.EXE, SOAP.EXE, SMSS32.EXE, SMS.EXE,
SMC.EXE,
SHOWBEHIND.EXE, SHN.EXE, SH.EXE, SGSSFW32.EXE, SFC.EXE, SETUP_FLOWPROTECTOR_US.EXE,
SETUPVAMEEVAL.EXE, SCANPM.EXE, SCAN95.EXE, SCAN32.EXE, SCAM32.EXE, SC.EXE,
SBSERV.EXE,
SAVENOW.EXE, SAHAGENT.EXE, SAFEWEB.EXE, RUXDLL32.EXE, RUNDLL16.EXE, RUNDLL.EXE,
RUN32DLL.EXE, RTVSCN95.EXE, RTVSCAN.EXE, RSHELL.EXE, RRGUARD.EXE, RESCUE32.EXE,
RESCUE.EXE, REGEDIT.EXE, REGED.EXE, REALMON.EXE, RCSYNC.EXE, RB32.EXE, RAY.EXE,
RAV7WIN.EXE, RAV7.EXE, RAPAPP.EXE, QSERVER.EXE, QCONSOLE.EXE, PURGE.EXE, PSPF.EXE,
PROPORT.EXE, PROGRAMAUDITOR.EXE, PROCEXPLORERV1.0.EXE, PROCESSMONITOR.EXE,
PRMVR.EXE,
PRMT.EXE, PRIZESURFER.EXE, PPVSTOP.EXE, PPTBC.EXE, PPINUPDT.EXE, PORTMONITOR.EXE,
PORTDETECTIVE.EXE, POPSCAN.EXE, POPROXY.EXE, POP3TRAP.EXE, PINGSCAN.EXE, PGMONITR.EXE,
PFWADMIN.EXE, PF2.EXE, PERSWF.EXE, PERSFW.EXE, PDSETUP.EXE, PCSCAN.EXE, PCIP10117_0.EXE,
PCFWALLICON.EXE, PAVW.EXE, PAVSCHED.EXE, PAVCL.EXE, PATCH.EXE, PANIXK.EXE,
PADMIN.EXE,
OUTPOSTPROINSTALL.EXE, OUTPOST.EXE, OUTPOST.EXE, OTFIX.EXE, OSTRONET.EXE, OPTIMIZE.EXE,
ONSRVR.EXE, NWTOOL16.EXE, NWSERVICE.EXE, NWINST4.EXE, NVSVC32.EXE, NVC95.EXE,
NVARCH16.EXE,
NUPGRADE.EXE, NUI.EXE, NTXconfig.EXE, NTVDM.EXE, NTRTSCAN.EXE, NT.EXE, NSUPDATE.EXE,
NSSYS32.EXE, NSCHED32.EXE, NPSSVC.EXE, NPSCHECK.EXE, NPROTECT.EXE, NPF40_TW_98_NT_ME_2K.EXE,
NOTSTART.EXE, NORTON_INTERNET_SECU_3.0_407.EXE, NOD32.EXE, NMAIN.EXE, NISUM.EXE,
NISSERV.EXE,
NETUTILS.EXE, NETSTAT.EXE, NETSCANPRO.EXE, NETMON.EXE, NETINFO.EXE, NETD32.EXE,
NETARMOR.EXE,
NEOMONITOR.EXE, NDD32.EXE, NCINST4.EXE, NC2000.EXE, NAVWNT.EXE, NAVW32.EXE,
NAVNT.EXE,
NAVLU32.EXE, NAVDX.EXE, NAVAPW32.EXE, NAVAPSVC.EXE, NAVAP.NAVAPSVC.EXE, NAV.EXE,
N32SCANW.EXE,
MWATCH.EXE, MU0311AD.EXE, MSVXD.EXE, MSSYS.EXE, MSSMMC32.EXE, MSMGT.EXE, MSLAUGH.EXE,
MSINFO32.EXE, MSIEXEC16.EXE, MSDOS.EXE, MSDM.EXE, MSCMAN.EXE, MSCCN32.EXE,
MSCACHE.EXE,
MSBLAST.EXE, MSBB.EXE, MSAPP.EXE, MRFLUX.EXE, MPFSERVICE.EXE, MPFAGENT.EXE,
MOSTAT.EXE,
MOOLIVE.EXE, MONITOR.EXE, MMOD.EXE, MGUI.EXE, MGHTML.EXE, MGAVRTE.EXE, MGAVRTCL.EXE,
MFWENG3.02D30.EXE, MFW2EN.EXE, MD.EXE, MCVSSHLD.EXE, MCVSRTE.EXE, MCUPDATE.EXE,
MCUPDATE.EXE,
MCTOOL.EXE, MCMNHDLR.EXE, MCAGENT.EXE, MAPISVC32.EXE, LUSPT.EXE, LUINIT.EXE,
LUCOMSERVER.EXE,
LUALL.EXE, LUALL.EXE, LSETUP.EXE, LORDPE.EXE, LOOKOUT.EXE, LOCKDOWN2000.EXE,
LOCALNET.EXE,
LOADER.EXE, LNETINFO.EXE, LDSCAN.EXE, LDPROMENU.EXE, LDPRO.EXE, LAUNCHER.EXE,
KILLPROCESSSETUP161.EXE, KERNEL32.EXE, KERIO-WRP-421-EN-WIN.EXE, KERIO-PF-213-EN-WIN.EXE,
KEENVALUE.EXE, KAZZA.EXE, KAVPF.EXE, KAVPERS40ENG.EXE, JEDI.EXE, JDBGMRG.EXE,
JAMMER.EXE,
ISTSVC.EXE, IOMON98.EXE, INTREN.EXE, INTDEL.EXE, INFWIN.EXE, INFUS.EXE, INETLNFO.EXE,
IFW2000.EXE, IFACE.EXE, IEXPLORER.EXE, IEDLL.EXE, IDLE.EXE, ICSUPPNT.EXE, ICSUPP95.EXE,
ICMON.EXE, ICLOADNT.EXE, IBMASN.EXE, IAMSTATS.EXE, IAMSERV.EXE, IAMAPP.EXE,
HXIUL.EXE,
HXDL.EXE, HWPE.EXE, HTLOG.EXE, HOTPATCH.EXE, HOTACTIO.EXE, HBSRV.EXE, HBINST.EXE,
HACKTRACERSETUP.EXE, GUARD.EXE, GMT.EXE, GENERICS.EXE, GBPOLL.EXE, GBMENU.EXE,
GATOR.EXE,
FSMB32.EXE, FSM32.EXE, FSGK32.EXE, FSAV95.EXE, FSAV530WTBYB.EXE, FSAV530STBYB.EXE,
FSAV32.EXE, FSAA.EXE, FRW.EXE, FPROT.EXE, FP-WIN_TRIAL.EXE, FP-WIN.EXE, FNRB32.EXE,
FINDVIRU.EXE, FIH32.EXE, FCH32.EXE, FAST.EXE, FAMEH32.EXE, F-STOPW.EXE, F-PROT.EXE,
EXPLORE.EXE, EXPERT.EXE, EXE.AVXW.EXE, EXANTIVIRUS-CNET.EXE, EVPN.EXE, ETHEREAL.EXE,
ESPWATCH.EXE, ESCANV95.EXE, ESCANHNT.EXE, ESAFE.EXE, ENT.EXE, EFPEADM.EXE,
ECENGINE.EXE,
DVP95_0.EXE, DVP95.EXE, DSSAGENT.EXE, DRWEBUPW.EXE, DRWATSON.EXE, DPPS2.EXE,
DPFSETUP.EXE,
DPF.EXE, DOORS.EXE, DLLREG.EXE, DLLCACHE.EXE, DEPUTY.EXE, DEFWATCH.EXE, DEFSCANGUI.EXE,
DEFALERT.EXE, DCOMX.EXE, CLAW95CF.EXE, CWNTDWMO.EXE, CWNB181.EXE, CV.EXE, CTRL.EXE,
CPFNT206.EXE, CPD.EXE, CONNECTIONMONITOR.EXE, CMON016.EXE, CMGRDIAN.EXE, CMESYS.EXE,
CMD32.EXE, CLEANPC.EXE, CLEANER3.EXE, CLEANER.EXE, CLEAN.EXE, CFINET32.EXE,
CFINET.EXE,
CFIAUDIT.EXE, CFIADMIN.EXE, CFGWIZ.EXE, CFD.EXE, CDP.EXE, CCPXYSVC.EXE, CCAPP.EXE,
BVT.EXE,
BUNDLE.EXE, BS120.EXE, BRASIL.EXE, BPC.EXE, BORG2.EXE, BOOTCONF.EXE, BLSS.EXE,
BLACKICE.EXE,
BLACKD.EXE, BISP.EXE, BIPCPEVALSETUP.EXE, BIDSERVER.EXE, BIDEF.EXE, BELT.EXE,
BEAGLE.EXE,
BD_PROFESSIONAL.EXE, BARGAINS.EXE, AVXQUAR.EXE, AVXQUAR.EXE, AVXMONITORNT.EXE,
AVXMONITOR9X.EXE, AVWUPSRV.EXE, AVWUPD32.EXE, AVWUPD.EXE, AVWINNT.EXE, AVSYNMGR.EXE,
AVSCHED32.EXE, AVPUPD.EXE, AVPTC32.EXE, AVPM.EXE, AVPDOS32.EXE, AVPCC.EXE,
AVP32.EXE,
AVP.EXE, AVNT.EXE, AVKWCTl9.EXE, AVKSERVICE.EXE, AVKSERV.EXE, AVKPOP.EXE, AVGW.EXE,
AVGUARD.EXE, AVGSERV.EXE, AVGNT.EXE, AVGCTRL.EXE, AVGCC32.EXE, AVE32.EXE, AVCONSOL.EXE,
AUTOUPDATE.EXE, AUTOTRACE.EXE, AUTOTRACE.EXE, AUTODOWN.EXE, AUTODOWN.EXE, AUPDATE.EXE,
AU.EXE, ATWATCH.EXE, ATUPDATER.EXE, ATUPDATER.EXE, ATRO55EN.EXE, ATCON.EXE,
ARR.EXE,
APVXDWIN.EXE, APLICA32.EXE, APIMONITOR.EXE, ANTS.EXE, ANTI-TROJAN.EXE, AMON9X.EXE,
ALOGSERV.EXE, ALEVIR.EXE, ALERTSVC.EXE, AGENTW.EXE, ADVXDWIN.EXE, ADAWARE.EXE,
ACKWIN32.EXE
=================
E-mail harvesting
=================
The worm scans all fixed disks and collects e-mail
addresses from files with one of the following extensions:
*.wab, *.adb, *.tbb, *.dbx, *.asp, *.php, *.sht,
*.htm, *.pl, *.txt, *.xml, *.cgi, *.jsp
This Mytob worm also collects e-mail addresses from
the Windows Address Book and from the following folders:
%Windir%\Temporary Internet Files
%Userprofile%\Local Settings\Temporary Internet Files
=============
DNS Resolving
=============
The worm performs DNS MX (mail exchange) queries to
find an appropriate mail server for each domain it
tries to send itself to.
If this DNS request for the mail server fails, the
worm tries to guess the mail server name by prepending
one of the following prefixes to the domain name
(for example mail.example.com):
gate.
mx.
mail.
smtp.
mx1.
mxs.
mail1.
relay.
ns.
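From the defender's side, the resolution pattern just described is itself a useful signal. The following added example (not part of the original analysis) scans constructed, simplified BIND-style DNS query-log lines for a client that looks up MX records for many domains and then A records for the guessed mail-server names; the thresholds are assumptions to be tuned per network.

```python
import re
from collections import defaultdict

# Constructed, simplified BIND-style query-log lines (not from the page): client
# 192.0.2.10 behaves like the worm (MX lookups for many domains, then guessed
# host names), client 192.0.2.20 is an ordinary workstation for contrast.
SAMPLE_LOG = """\
client 192.0.2.10#3391: query: example.net IN MX +
client 192.0.2.10#3392: query: example.org IN MX +
client 192.0.2.10#3393: query: example.com IN MX +
client 192.0.2.10#3394: query: mail.example.com IN A +
client 192.0.2.10#3395: query: mx1.example.com IN A +
client 192.0.2.10#3396: query: gate.example.com IN A +
client 192.0.2.10#3397: query: smtp.example.com IN A +
client 192.0.2.10#3398: query: example.edu IN MX +
client 192.0.2.20#5100: query: www.example.com IN A +
client 192.0.2.20#5101: query: example.com IN MX +
"""

# Host-name prefixes the worm tries when the MX lookup fails (list above).
GUESS_PREFIXES = ("gate.", "mx.", "mail.", "smtp.", "mx1.", "mxs.", "mail1.", "relay.", "ns.")
_LINE_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+)")


def summarise_queries(log):
    """Per client: the set of domains queried for MX and the number of A lookups
    for guessed mail-server names."""
    mx_domains, guess_hits = defaultdict(set), defaultdict(int)
    for line in log.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        client, name, qtype = m.groups()
        if qtype == "MX":
            mx_domains[client].add(name.lower())
        elif qtype == "A" and name.lower().startswith(GUESS_PREFIXES):
            guess_hits[client] += 1
    return mx_domains, guess_hits


def suspicious_clients(log, min_mx_domains=3, min_guesses=3):
    """Clients that resolve mail servers for many domains themselves, which only
    a real mail server should do; the thresholds are assumed starting points."""
    mx_domains, guess_hits = summarise_queries(log)
    clients = set(mx_domains) | set(guess_hits)
    return sorted(c for c in clients
                  if len(mx_domains[c]) >= min_mx_domains or guess_hits[c] >= min_guesses)
```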
=================================
IRC Backdoor Server Functionality
=================================
The worm also provides IRC backdoor functionality
with the following functions:
Downloading files
Downloading new worm updates
Executing files
Providing uptime information to the remote controller
Providing information about the worm variant to the remote controller
Notifying IRC Channels/Operator via private message
Restarting the computer
Providing FTP Server Access on the compromised system
Removing components
This Mytob worm tries to connect to the IRC server "irc.blackcarder.net"
on TCP port 43287 and then tries to join the channel "#ZWND".
=============
E-mail Sender
=============
The worm generates the sender's e-mail addresses
using the following list of names:
adam, alex, alice, andrew, anna, bill, bob, brenda, brent, brian,
britney, bush, claudia, dan, dave, david, debby, fred, george, helen,
jack, james, jane, jerry, jim, jimmy, joe, john, jose, julie,
kevin, leo, linda, lolita, madmax, maria, mary, matt, michael, mike,
peter, ray, robert, sam, sandra, serg, smith, stan, steve, ted, tom
Note: The worm might also use a spoofed e-mail address
collected during e-mail harvesting.
It uses its own SMTP (Simple Mail Transfer Protocol)
engine to mass-mail copies of itself
to other e-mail addresses.
The worm avoids e-mail addresses that contain any of
the following strings:
.gov, .mil, abuse, accoun, acketst, admin, anyone, arin., avp, be_loyal:,
berkeley, borlan, bsd, bugs, certific, contact, example, fcnz, feste, fido,
foo., fsf., gnu, gold-certs, google, gov., help, hotmail, iana, ibm.com,
icrosof, icrosoft, ietf, info, inpris, isc.o, isi.e, kernel, linux, listserv,
math, mit.e, mozilla, msn., mydomai, nobody, nodomai, noone, not, nothing,
ntivi, page, panda, pgp, postmaster, privacy, rating, rfc-ed, ripe., root,
ruslis, samples, secur, sendmail, service, site, soft, somebody, someone, sopho,
spm, submit, support, syma, tanford.e, the.bat, unix, usenet, utgers.ed, webmaster,
www, you, your, -._!, -._!@
Note: The comparison is a plain substring match, and several
entries omit the first character so that a capitalized first
letter does not defeat it. For example, 'Microsoft' as well as
'microsoft' will match "icrosoft".
This Mytob worm sends itself as an outgoing attachment with
one of the following file extensions:
bat
cmd
exe
scr
pif
zip
The worm may also attach itself as a ZIP file.
The file inside the ZIP archive may have two extensions,
the first chosen from the following list:
htm
txt
doc
The second extension is chosen from the following
list and is separated from the first extension by
a large number of spaces to hide the executable file
extension:
pif
scr
exe
Example: attachment 'readme.zip' may contain the
file 'readme.txt { spaces } .scr'
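An added example (not from the original analysis) that inspects ZIP attachments for this padded double extension, using the decoy and executable extension lists given above; the archive is constructed in memory with a placeholder payload.

```python
import io
import re
import zipfile

DECOY_EXTS = ("htm", "txt", "doc")   # first (visible) extension
EXEC_EXTS = ("pif", "scr", "exe")    # second (hidden) extension
# "stem.txt<spaces>.scr": decoy extension, a run of spaces, then the real extension.
_PADDED_RE = re.compile(
    r"^(?P<stem>.+)\.(?P<decoy>%s) +\.(?P<real>%s)$"
    % ("|".join(DECOY_EXTS), "|".join(EXEC_EXTS)),
    re.IGNORECASE,
)


def padded_double_extension(name):
    """(decoy, real) if the name hides an executable extension behind spaces, else None."""
    m = _PADDED_RE.match(name)
    return (m.group("decoy").lower(), m.group("real").lower()) if m else None


def suspicious_members(zip_bytes):
    """Member names inside a ZIP archive that use the padded double-extension trick."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if padded_double_extension(n)]


def build_sample_zip():
    """Constructed archive (no real malware): one padded name, one harmless file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt" + " " * 100 + ".scr", b"placeholder, not an executable")
        zf.writestr("notes.txt", b"plain text")
    return buf.getvalue()
```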
=====================
Hostfile Manipulation
=====================
It overwrites the existing hosts file with entries that map
security-vendor sites and a few others to 127.0.0.1, so that
the compromised system can no longer reach them.
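An added example (not from the original analysis) that flags hosts-file entries of this kind, i.e. names other than localhost pointed at a loopback address; the hosts content is constructed and includes three of the vendor entries the worm writes.

```python
import ipaddress

# Constructed hosts-file content (not copied from an infected system): the
# standard loopback lines plus three of the vendor entries the worm writes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.microsoft.com
"""

# Names that legitimately point at a loopback address.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (address, [names]) for every non-empty, non-comment hosts line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        yield addr, names


def hijacked_names(text):
    """Host names mapped to a loopback address that are not loopback names;
    on a clean system this list is empty."""
    found = []
    for addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                          # malformed line, not an address
        if ip.is_loopback:
            found.extend(n for n in names if n.lower() not in LEGIT_LOOPBACK_NAMES)
    return found
```

On Windows the file to feed into hijacked_names() is %SystemRoot%\system32\drivers\etc\hosts.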
NOD32 Antivirus handles this worm as of virus definition file version 1.1120.