W32/Mytob.gen@MMType Virus

W32/Mytob.gen@MMType Virus SubType Email Generic Discovery Date 03/02/2005 Length Varies Minimum DAT 4438 (03/02/2005) Updated DAT 5249 (03/11/2008) Minimum Engine 5.1.00 Description Added 03/02/2005 Description Modified 05/18/2005 12:08 PM (PT) Type
Type of threat.
SubType
Additional type information.
Discovery Date
Date that AVERT discovered this threat.
Length
File size, in bytes, of the threat.
Minimum DAT
McAfee DAT files contain detection and repair information for threats. The Minimum DAT field specifies the lowest/oldest DAT version that is capable of detecting the first incarnation of a threat, and the release date. The highest/newest DAT version should always be used for the most complete protection and are available on the Anti-Virus Updates page.

Each description displays the minimum, fully tested, DAT version that includes regular detection for a particular threat. These fully tested DATs are released on a daily basis. If necessary, they are also released when a Medium, Medium On Watch, or High risk threat is discovered. An EXTRA.DAT will also be posted for these more prevalent threats, if necessary.

For each description listed, detection is always available. In the event that the DAT version specified is not yet available, an EXTRA.DAT file may be downloaded via the McAfee AVERT Extra.dat Request Page. Alternatively, minimally tested HOURLY BETA DAT files are available for downloading.
Updated DAT
McAfee DAT files are constantly being updated to enhance detection capabilities. The Updated DAT field specifies the released DAT version that contains the most up to date detection.
Minimum Engine
The scan engine uses the DAT files to detect threats. The Minimum Engine field specifies the lowest/oldest engine version that is capable of detecting this threat. The highest/newest engine version should always be used for the most complete protection and are available on the Anti-Virus Updates page.
Description Added
Date/time this description was published using Pacific Time.
Description Modified
Date/time this description was last modified using Pacific Time.
Risk Assessment
Corporate User Low
Home User Low Tab Navigation
Overview Characteristics Symptoms Method of Infection Removal Variants All Information Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases
Net-Worm.Win32.Mytob (AVP) W32.Mytob W32/Mytob Characteristics

-- Update May 18, 2005 --
This is a generic detection for over 100 variants of Mytob. As the virus authors modify their source code and release new variants, some of them will be detected. However some variants are likely to be missed. As such the generic detection routines are likely to be modified regularly to provide more detection for these threats.

-- Update April 13, 2005 --
The Mytob author(s) have been very busy recently, releasing multiple variants a day. There are now some 96 different "versions" known to exists. Many of these are simply repackaged versions of the same binary, and most variants function in a similar fashion. The mailing routine remains much the same, while the bot functionality is evolving in-line with the Sdbot worm family. Newer variants include the FURootkit , contain an Instant Messenger worm component (detected as W32/Mytob.worm!im), and spread via LSASS and DCOM RPC vulnerabilities.

-- Update March 2 4, 2005 --
AVERT has received 3 new variants within an hour of this threat. The variants are use multiple forms of compression/encryption and detection will be added to the 4455 DAT files. Initial seeding of the files can be identified as follows, HOWEVER replicated samples can not be identified by file hash or size as the virus appends garbage to the end of the executable.

55,808 bytes (MD5: 3bd3dbd1bfe64ceaba2422f70ed6a69d) 54,272 bytes (MD5: a23865437b5ea46c123b880b9726a249) 58,808 bytes (MD5: 8817839e27e829f38c6f2041a7b92e40) These new variants create a file named hellmsn.exe on the root of the C:\ drive (detected as W32/Generic.e with released DAT files).
--

This detection covers multiple variants of a mass-mailing worm that combines W32/Mydoom@MM functionality with W32/Sdbot.worm functionality. The following description serves as an example of some of the variants:

The virus arrives in an email message as follows:

From: (Spoofed email sender)
Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

Subject: (Varies, such as)

Error Status Server Report Mail Transaction Failed Mail Delivery System hello hi Body: (Varies, such as)

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment. The message contains Unicode characters and has been sent as a binary attachment. Mail transaction failed. Partial message is available. Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive)

examples (common names, but can be random) doc.bat document.zip message.zip readme.zip text.pif hello.cmd body.scr test.htm.pif data.txt.exe file.scr In the case of two file extensions, multiple spaces may be inserted as well, for example:

document.htm (many spaces) .pif When the attachment is run, the virus copies itself to the WINDOWS SYSTEM directory (typically c:\windows\system32) as wfdmgr.exe . Registry keys are created to load this file at startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "LSA" = wfdmgr.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "LSA" = wfdmgr.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunServices "LSA" = wfdmgr.exe Additional keys/values are created, which are typically associated with W32/Sdbot.worm:

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa "LSA" = wfdmgr.exe HKEY_CURRENT_USER\Software\Microsoft\OLE
"LSA" = wfdmgr.exe
Symptoms

The Sdbot functionality in the worm is designed to contact the IRC server named, irc.blackcarder.net , join a specified channel, and wait for further instructions. This bot can accept commands to download and execute other programs. The bot also contains code to spread via the LSASS exploit [ http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx ]


Method of Infection

The mailing component harvests address from the local system. Files with the following extensions are targeted:

wab adb tbb dbx asp php sht htm txt pl The worm avoids certain address, those using the following strings:

.gov .mil abuse acketst arin. avp berkeley borlan bsd example fido foo. fsf. gnu google gov. hotmail iana ibm.com icrosof ietf inpris isc.o isi.e kernel linux math mit.e mozilla msn. mydomai nodomai panda pgp rfc-ed ripe. ruslis secur sendmail sopho syma tanford.e unix usenet utgers.ed Additionally, the worm contains strings, which it uses to randomly generate, or guess, email addresses. These are prepended as user names to harvested domain names:

sandra linda julie jimmy jerry helen debby claudia brenda anna alice brent adam ted fred jack bill stan smith steve matt dave dan joe jane bob robert peter tom ray mary serg brian jim maria leo jose andrew sam george david kevin mike james michael john alex Finally the virus sends itself via SMTP - constructing messages using its own SMTP engine. The worm guesses the recipient email server, prepending the target domain name with the following strings:

mx. mail. smtp. mx1. mxs. mail1. relay. ns.
Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations


Variants
Variants
N/A

All Information
Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases
Net-Worm.Win32.Mytob (AVP) W32.Mytob W32/Mytob
Characteristics
Characteristics -

-- Update May 18, 2005 --
This is a generic detection for over 100 variants of Mytob. As the virus authors modify their source code and release new variants, some of them will be detected. However some variants are likely to be missed. As such the generic detection routines are likely to be modified regularly to provide more detection for these threats.

-- Update April 13, 2005 --
The Mytob author(s) have been very busy recently, releasing multiple variants a day. There are now some 96 different "versions" known to exists. Many of these are simply repackaged versions of the same binary, and most variants function in a similar fashion. The mailing routine remains much the same, while the bot functionality is evolving in-line with the Sdbot worm family. Newer variants include the FURootkit , contain an Instant Messenger worm component (detected as W32/Mytob.worm!im), and spread via LSASS and DCOM RPC vulnerabilities.

-- Update March 2 4, 2005 --
AVERT has received 3 new variants within an hour of this threat. The variants are use multiple forms of compression/encryption and detection will be added to the 4455 DAT files. Initial seeding of the files can be identified as follows, HOWEVER replicated samples can not be identified by file hash or size as the virus appends garbage to the end of the executable.

55,808 bytes (MD5: 3bd3dbd1bfe64ceaba2422f70ed6a69d) 54,272 bytes (MD5: a23865437b5ea46c123b880b9726a249) 58,808 bytes (MD5: 8817839e27e829f38c6f2041a7b92e40) These new variants create a file named hellmsn.exe on the root of the C:\ drive (detected as W32/Generic.e with released DAT files).
--

This detection covers multiple variants of a mass-mailing worm that combines W32/Mydoom@MM functionality with W32/Sdbot.worm functionality. The following description serves as an example of some of the variants:

The virus arrives in an email message as follows:

From: (Spoofed email sender)
Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

Subject: (Varies, such as)

Error Status Server Report Mail Transaction Failed Mail Delivery System hello hi Body: (Varies, such as)

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment. The message contains Unicode characters and has been sent as a binary attachment. Mail transaction failed. Partial message is available. Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive)

examples (common names, but can be random) doc.bat document.zip message.zip readme.zip text.pif hello.cmd body.scr test.htm.pif data.txt.exe file.scr In the case of two file extensions, multiple spaces may be inserted as well, for example:

document.htm (many spaces) .pif When the attachment is run, the virus copies itself to the WINDOWS SYSTEM directory (typically c:\windows\system32) as wfdmgr.exe . Registry keys are created to load this file at startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "LSA" = wfdmgr.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "LSA" = wfdmgr.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunServices "LSA" = wfdmgr.exe Additional keys/values are created, which are typically associated with W32/Sdbot.worm:

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa "LSA" = wfdmgr.exe HKEY_CURRENT_USER\Software\Microsoft\OLE
"LSA" = wfdmgr.exe

Symptoms


The Sdbot functionality in the worm is designed to contact the IRC server named, irc.blackcarder.net , join a specified channel, and wait for further instructions. This bot can accept commands to download and execute other programs. The bot also contains code to spread via the LSASS exploit [ http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx ]


Method of Infection



The mailing component harvests address from the local system. Files with the following extensions are targeted:

wab adb tbb dbx asp php sht htm txt pl The worm avoids certain address, those using the following strings:

.gov .mil abuse acketst arin. avp berkeley borlan bsd example fido foo. fsf. gnu google gov. hotmail iana ibm.com icrosof ietf inpris isc.o isi.e kernel linux math mit.e mozilla msn. mydomai nodomai panda pgp rfc-ed ripe. ruslis secur sendmail sopho syma tanford.e unix usenet utgers.ed Additionally, the worm contains strings, which it uses to randomly generate, or guess, email addresses. These are prepended as user names to harvested domain names:

sandra linda julie jimmy jerry helen debby claudia brenda anna alice brent adam ted fred jack bill stan smith steve matt dave dan joe jane bob robert peter tom ray mary serg brian jim maria leo jose andrew sam george david kevin mike james michael john alex Finally the virus sends itself via SMTP - constructing messages using its own SMTP engine. The worm guesses the recipient email server, prepending the target domain name with the following strings:

mx. mail. smtp. mx1. mxs. mail1. relay. ns.
Removal -
Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).