Worm:Win32/Mytob.KV@mm is a worm that spreads via e-mail. It also contains backdoor functionality that allows unauthorized access to an affected machine.
Installation
When executed, Worm:Win32/Mytob.KV@mm drops a copy of itself to the following location:
<system folder>\windbg32.exe
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP and Vista.
It then modifies the registry to ensure that this copy is executed at each Windows start:
Adds value: WINDOWS Debugger
With data: "windbg32.exe"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: WINDOWS Debugger
With data: "windbg32.exe"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
The worm also creates the mutex 'iPod' to ensure that multiple instances of itself do not run simultaneously.
Spreads Via…
Email
Worm:Win32/Mytob.KV@mm spreads by sending a copy of itself attached to an e-mail to addresses found on the infected computer. The worm gathers e-mail addresses from the Windows Address Book (WAB). It may also generate e-mail addresses to send itself to by combining any of the following common names with e-mail address domain names harvested from the infected machine:
adam
alex
andrew
anna
bill
bob
brenda
brent
brian
claudia
dan
dave
david
debby
frank
fred
george
helen
jack
james
jane
jerry
jim
jimmy
joe
john
jose
josh
julie
kevin
leo
linda
maria
mary
matt
michael
mike
paul
peter
ray
robert
sales
sam
sandra
serg
smith
stan
steve
ted
tom
The worm avoids sending itself to addresses that contain the following strings:
abuse
accoun
acketst
admin
administrator
anyone
arin.
be_loyal:
berkeley
borlan
certific
contact
example
feste
gold-certs
google
hotmail
ibm.com
icrosof
icrosoft
inpris
isc.o
isi.e
kernel
linux
listserv
mit.e
mozilla
mydomai
nobody
nodomai
noone
nothing
ntivi
panda
postmaster
privacy
rating
register
rfc-ed
ripe.
ruslis
samples
secur
sendmail
service
somebody
someone
sopho
STRONG
submit
support
tanford.e
the.bat
usenet
utgers.ed
webmaster
This worm uses its own SMTP engine to spread via e-mail. It tries to construct the names of SMTP servers to use by prefixing the harvested e-mail address domain names with each of the following strings:
gate.
mail.
mail1.
mx.
mx1.
mxs.
ns.
relay.
smtp.
The From field is spoofed, using e-mail addresses gathered from the affected machine.
The worm sends e-mail with variable characteristics.
It may use any of the following subject lines:
Claim Your Free 4GB iPod nano!
Retrive You Free iPod Nano!
IMPORTANT
Winnings notification
Shipping Address Request (YourFreeiPod.com)
It may use any of the following templates as a message body:
Dear user <username>,
It has come to our attention that your one of five winners this month from YourFreeiPod.com
Please see the attachment in the email for further details.
Thank you for using YourFreeiPod.com!
The YourFreeiPod Team
+++ Attachment: No Virus (Clean)
+++ %s Antivirus - www.<varies>
Dear <username> Member,
Please claim your free iPod Movie mediaplayer
Us here at YourFreeiPod.com like to treat our members so we give away a free iPod every month.
Attached to this email is the details on how you can claim your prize
Sincerely,The YourFreeiPod Team
+++ Attachment: No Virus (Clean)
+++ %s Antivirus - www.<varies>
Dear <username> Member,
Your e-mail account was picked from an online site www.YourFreeiPod.com. Since we did pull your name from the hat you are intitled to receive FREE 4GB Black iPod Nano.
Please read the attachment in this email for further instructions. If you choose to ignore our request, you leave us no choice but to forfeit your winnings.
Virtually yours,
The YourFreeiPod Team
+++ Attachment: No Virus found Scanned with Nod32
+++ <varies> Antivirus - www.<varies>
It generates attachment names by combining the following file names:
claim-prize
ship-prize
merchandise
winnings
details
accept-terms
terms
with the following extensions:
pif
scr
exe
cmd
bat
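As an added example (not part of the original entry), the following Python check flags mail that matches the subject lines and worm-generated attachment names listed above; the sample messages at the end are constructed, not taken from a real capture.

```python
from itertools import product

# Indicators copied from the description above (compared case-insensitively).
SUBJECTS = {
    "claim your free 4gb ipod nano!",
    "retrive you free ipod nano!",
    "important",
    "winnings notification",
    "shipping address request (yourfreeipod.com)",
}
ATTACHMENT_NAMES = ["claim-prize", "ship-prize", "merchandise",
                    "winnings", "details", "accept-terms", "terms"]
ATTACHMENT_EXTS = ["pif", "scr", "exe", "cmd", "bat"]

# Every filename the worm can generate: 7 names x 5 extensions = 35 combinations.
LURE_ATTACHMENTS = {f"{name}.{ext}"
                    for name, ext in product(ATTACHMENT_NAMES, ATTACHMENT_EXTS)}


def score_message(subject, attachments):
    """Return the reasons a message resembles a Mytob.KV lure.

    subject     - the Subject header as a string
    attachments - iterable of attachment filenames
    """
    reasons = []
    if subject.strip().lower() in SUBJECTS:
        reasons.append("subject matches known lure")
    for filename in attachments:
        if filename.strip().lower() in LURE_ATTACHMENTS:
            reasons.append(f"attachment {filename} matches worm-generated name")
    return reasons


def is_suspect(subject, attachments):
    """Flag only on an attachment match: a subject such as "IMPORTANT" is too
    common in legitimate mail to block on by itself, so it only adds weight."""
    return any(r.startswith("attachment") for r in score_message(subject, attachments))


# Constructed sample messages used to exercise the check.
SAMPLES = [
    ("Claim Your Free 4GB iPod nano!", ["claim-prize.scr"]),   # lure subject + lure attachment
    ("IMPORTANT", ["agenda.pdf"]),                             # subject only, not flagged
    ("Re: invoice", ["Details.CMD"]),                          # disguised filename, still flagged
]

if __name__ == "__main__":
    for subj, files in SAMPLES:
        print(f"{subj!r:40} -> {is_suspect(subj, files)} {score_message(subj, files)}")
```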
Payload
Modifies System Security Settings
The worm modifies the following registry entry to prevent the Windows Firewall/Internet Connection Sharing (ICS) service from starting automatically when Windows starts:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess = 4
(The default value for SharedAccess is 3.)
Backdoor Functionality
The worm connects to a specified IRC server and joins a specified IRC channel to receive commands from a remote attacker. Such commands may include downloading, uploading and executing files on the affected machine.