Worm:Win32/Mytob.RR is a mass-mailing worm that targets computers running certain versions of Microsoft Windows and computers across a network. The worm can spread by exploiting Windows vulnerabilities that are fixed by installing Microsoft Security Updates MS03-026 and MS04-011.
The worm can spread by sending a copy of itself through e-mail, AOL Messenger, MSN Messenger, or Windows Messenger. The worm also spreads by copying itself to common shared folders for peer-to-peer file sharing applications such as Morpheus, Limewire, Emule and others. Win32/Mytob.RR has a backdoor component that connects to an IRC server from the infected computer, allowing it to receive commands from attackers.
Installation
Win32/Mytob.RR may arrive via e-mail as an attachment with a long filename in a message spoofed as a Hallmark electronic greeting card, for example:
From: <postcards@ hallmark.com>
To: <recipient>
Date: <date>
Subject: You've received A Hallmark E-Card!
Attachment: <postcard.txt_____________________________________.pif or similar>
Message body:
If the user opens the attachment the worm copies itself with a random file name (such as tlkaiw.exe) in the Windows system folder. The registry is modified in numerous subkeys to run the dropped copy at each Windows start as in the following examples:
Adds value: "F-Secure Gatekeeper"
With data: "tlkaiw.exe"
To these subkeys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\OLE
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\OLE
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
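One way to check a machine for the persistence entries listed above, as an added example that is not part of the original write-up: the script parses saved output of `reg query <key> /s` (so it can run offline over an export), flags the "F-Secure Gatekeeper" value name wherever it appears, and also flags any bare .exe value under the OLE and Lsa keys, which are not normal autorun locations. The sample output is constructed.

```python
"""Flag Win32/Mytob.RR-style autorun persistence in saved `reg query /s` output.
Added example, not from the original write-up; the sample output is constructed."""
import re

# Subkeys the write-up lists as modified; compared case-insensitively.
MYTOB_SUBKEYS = {r"software\microsoft\windows\currentversion\run",
                 r"software\microsoft\windows\currentversion\runservices",
                 r"software\microsoft\ole", r"system\currentcontrolset\control\lsa"}
# OLE and Lsa are not autorun locations, so a bare .exe value there is suspect by itself.
NON_AUTORUN = {r"software\microsoft\ole", r"system\currentcontrolset\control\lsa"}
KNOWN_VALUE_NAME = "f-secure gatekeeper"      # value name from the write-up
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
VALUE_RE = re.compile(r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")

def parse_reg_query(text):
    """Yield (hive, subkey, value_name, data) for every value line in the output."""
    hive = subkey = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # key header such as HKEY_LOCAL_MACHINE\...
            head, _, subkey = line.partition("\\")
            hive = HIVES.get(head, head)
            continue
        m = VALUE_RE.match(line)
        if m and hive is not None:
            yield hive, subkey, m.group("name"), m.group("data")

def find_mytob_persistence(text):
    """Return [(hive\\subkey, value_name, data)] for entries that deserve a closer look."""
    hits = []
    for hive, subkey, name, data in parse_reg_query(text):
        key = subkey.lower()
        if key not in MYTOB_SUBKEYS:
            continue
        bare_exe = re.fullmatch(r"[a-z0-9_]+\.exe", data.strip().strip('"').lower()) is not None
        if name.lower() == KNOWN_VALUE_NAME or (key in NON_AUTORUN and bare_exe):
            hits.append((hive + "\\" + subkey, name, data))
    return hits

SAMPLE = r"""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    F-Secure Gatekeeper    REG_SZ    tlkaiw.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
    EnableDCOM    REG_SZ    Y

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
    Updater    REG_SZ    tlkaiw.exe
"""
```

The legitimate SecurityHealth entry under Run is not reported, while the same bare filename under Lsa is, even without the known value name.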
Spreads Via…
P2P File Sharing
This worm copies itself using popular filenames to the following common shared folders for several peer-to-peer (P2P) file sharing applications:
%ProgramFiles%\kazaa\my shared folder\
%ProgramFiles%\kazaa lite\my shared folder
%ProgramFiles%\kazaa lite k++\my shared folder
%ProgramFiles%\icq\shared folder
%ProgramFiles%\grokster\my grokster
%ProgramFiles%\emule\incoming
%ProgramFiles%\morpheus\my shared folder
%ProgramFiles%\limewire\shared
%ProgramFiles%\tesla\files
%ProgramFiles%\winmx\shared
Filenames used by the worm could include any of the following, or more:
absolute video converter 3.07.exe
acker dvd ripper 2008.exe
adobe acrobat reader keygen.exe
adobe soundbooth cs3.exe
anti-trojan elite v4.01.exe
aol password cracker.exe
ashampoo powerup v3.10.exe
bitdefender antivirus 2008 keygen.exe
boilsoft dvd ripper 2.82.exe
canvas security framework 2008 limited with 50 0day.exe
cleanmypc registry cleaner v4.02.exe
daemon tools pro 4.10.218.0.exe
divx 5.0 pro keygen.exe
download boost 2.0.exe
email spider.exe
error doctor 2008.exe
google adsense clicking bot.sfx.exe
hotmail account bruteforcer bot.exe
hotmail spammer bot.exe
icepack idt gold edition 2008 leaked.exe
microsoft visual basic keygen.exe
microsoft visual c++ keygen.exe
microsoft visual studio keygen.exe
mirc keygen.exe
norton anti-virus 2008 enterprise crack.exe
password cracker.exe
pc secuity tweaker 7.6.exe
prorat 2.0 special edition.exe
shadow security scanner 10 gold.exe
sophos antivirus updater bypass.exe
super utilities pro 2008 8.0.1980.exe
superram 5.1.28.2008.exe
tarantula full version cracked by razor.exe
tcn iso cable modem hacking tools.exe
tcn iso sigmax2 firmware.bin.exe
vmware esx gsx server keygen.exe
vmware keygen.exe
vmware workstation 6 windows keygen.exe
windows 2003 advanced server keygen.exe
wow glider incl serial.sfx.exe
youtube music downloader 1.0.exe
yzdock machintos osx like toolbar for windows.exe
Users searching for certain programs may be tricked into downloading and running the worm copy.
Computers Connected to a Network
This worm attempts to connect to computers across the local network. When a computer is located, Win32/Mytob.RR attempts to exploit computers that have not yet been updated with Security Bulletins MS03-026 and MS04-011. If the worm successfully breaches the target computer, it executes code remotely and requests a copy of the worm from the infected computer.
Instant Messenger Applications
Win32/Mytob.RR can initiate AOL Messenger, Windows Messenger and MSN Messenger and send messages containing a copy of the worm.
E-mail
Win32/Mytob.RR may send itself to contacts found on the infected computer. The outbound e-mail may resemble the following format:
From: <postcards@ hallmark.com>
To: <recipient>
Date: <date>
Subject: You've received A Hallmark E-Card!
Attachment: <postcard.txt_____________________________________.pif or similar>
Message body:
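A mail-gateway check for the attachment shape used by the lure shown above and under Installation, as an added example that is not part of the original write-up: it flags names that end in an executable extension, that carry a long run of padding characters to push that extension out of view, or that show a decoy document extension before the real one. The sample message, its placeholder addresses and the heuristics are assumptions.

```python
"""Flag mail attachments shaped like the Win32/Mytob.RR greeting-card lure.
Added example, not from the original write-up: the message is constructed and the
padding/extension heuristics are assumptions."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows will run when double-clicked; .pif is the one the lure uses.
EXEC_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}
# Filler the lure uses to push the real extension past what a mail client shows.
PADDING_RE = re.compile(r"[ _\-.]{10,}")
DECOY_RE = re.compile(r"\.(txt|jpg|gif|doc)[ _\-.]*\.")

def attachment_verdict(filename):
    """Return the reasons an attachment name looks like the lure ([] means clean)."""
    reasons = []
    base = filename.lower().rstrip()
    real_ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
    if real_ext in EXEC_EXTS:
        reasons.append("executable extension " + real_ext)
    if PADDING_RE.search(base):
        reasons.append("padding before the real extension")
    if DECOY_RE.search(base):
        reasons.append("decoy document extension before the real one")
    return reasons

def scan_message(raw_bytes):
    """Map each attachment filename in a raw RFC 5322 message to its reasons."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    return {att.get_filename(): attachment_verdict(att.get_filename())
            for att in msg.iter_attachments() if att.get_filename()}

LURE_NAME = "postcard.txt" + "_" * 37 + ".pif"   # shape taken from the write-up

def build_sample():
    """Constructed message mimicking the spoofed greeting-card lure (placeholder addresses)."""
    msg = EmailMessage()
    msg["From"] = "postcards@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "You've received A Hallmark E-Card!"
    msg.set_content("")                        # the lure's body is empty
    msg.add_attachment(b"MZ placeholder", maintype="application",
                       subtype="octet-stream", filename=LURE_NAME)
    msg.add_attachment("meeting notes", filename="notes.txt")   # benign control
    return msg.as_bytes()
```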
Payload
Backdoor Functionality
The worm establishes a connection to the predefined IRC server 'sco.rs-forum.biz' using TCP port 6667 and joins a specified IRC channel to receive commands from a remote attacker. Such commands may include downloading, uploading and executing files on the affected machine. The worm also opens and awaits connections on TCP port 113.
Analysis by Patrick Nolan