Virus

W32/MyTob.PN@mm

Analysis

All MyTob viruses have these characteristics:

  • copy themselves to the local system
  • search for email addresses in files
  • send themselves by SMTP using a self-contained mail engine

Some variants have these additional characteristics:

  • connect to an IRC server to receive instructions or await commands from a malicious user
  • prevent the infected system from connecting to update servers and various other security-related web sites; this is done by modifying the local "hosts" file and adding entries that redirect the domain names of specific web sites to the local host
  • try to connect to random IP addresses and infect those systems using an RPC DCOM / LSASS exploit combination

The variants differ slightly in packed file size and in the actual file names created on the host; however, the functionality of the viruses remains the same.
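The hosts-file hijack described above can be checked for with a short audit script. This is an added example, not code from the original advisory or from Fortinet: it parses a hosts file and flags any name other than the standard localhost aliases that is pointed at a loopback or unspecified address, which is what makes an update or security-vendor site unreachable. The hosts content and the domain names in it are constructed for the demonstration (the advisory does not list the domains the variants redirect).

```python
"""Audit a hosts file for loopback redirects of the kind MyTob variants add.

Added example, not part of the original advisory. Any name other than the
stock localhost aliases that resolves to a loopback or unspecified address is
reported. The sample hosts content below is constructed; the domain names in
it are placeholders, not domains the advisory names.
"""
import ipaddress
from typing import List, Tuple

# Names that legitimately map to loopback in a stock hosts file.
LEGITIMATE_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: two comment lines, one legitimate entry, two hijack-style
# entries (placeholder domains), and the IPv6 localhost entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       update.example-av.invalid      # added by malware (constructed)
0.0.0.0         downloads.example-vendor.invalid
::1             localhost
"""


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (address, hostname, line_number) for every mapping in a hosts file.
    Comments after '#' are stripped; one address may carry several names."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: address with no name, skip it
        for name in fields[1:]:
            entries.append((fields[0], name.lower(), lineno))
    return entries


def is_sinkhole_address(addr: str) -> bool:
    """True for loopback (127.0.0.0/8, ::1) and the unspecified address (0.0.0.0, ::),
    the targets used to make a domain name unreachable from the host."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def find_redirected_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return the entries that send a non-localhost name to a sinkhole address."""
    return [
        (addr, name, lineno)
        for addr, name, lineno in parse_hosts(text)
        if is_sinkhole_address(addr) and name not in LEGITIMATE_LOOPBACK_NAMES
    ]


if __name__ == "__main__":
    # On a live Windows host, read %SystemRoot%\System32\drivers\etc\hosts instead.
    for addr, name, lineno in find_redirected_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr} (unreachable via hosts file)")
```

Any hit is worth a look, since a stock hosts file maps nothing but localhost to loopback; a hit naming an update or antivirus domain is a strong sign of the tampering the advisory describes.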

Specific Properties

  • writes the file "msconfgh.exe" to the System32 folder, with the following autostart and service registry entries
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
    "Win32 Cnfg32" = msconfgh.exe

    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Runonce
    "Win32 Cnfg32" = msconfgh.exe

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    "Win32 Cnfg32" = msconfgh.exe

    HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce
    "Win32 Cnfg32" = msconfgh.exe

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Win32 Cnfg32" = msconfgh.exe

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    "Win32 Cnfg32" = msconfgh.exe

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    "Win32 Cnfg32" = msconfgh.exe

    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32_CNFG32
    "NextInstance" = 01, 00, 00, 00

    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32_CNFG32\0000
    "Class" = LegacyDriver
    "ClassGUID" = {8ECC055D-047F-11D1-A537-0000F8753ED1}
    "ConfigFlags" = 00, 00, 00, 00
    "DeviceDesc" = Win32 Cnfg32
    "Legacy" = 01, 00, 00, 00
    "Service" = Win32 Cnfg32

    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32_CNFG32\0000\Control
    "*NewlyCreated*" = 00, 00, 00, 00
    "ActiveService" = Win32 Cnfg32

  • sends emails with one of these subject lines -
    Notice of account limitation
    Email Account Suspension
    Security measures
    You are banned!!!
    We have suspended your account
    Members Support
    Important Notification
    Warning Message: Your services near to be closed.
    Your Account is Suspended For Security Reasons
    *DETECTED* Online User Violation
    *WARNING* Your email account is suspended
    Your Account is Suspended
  • sends emails with one of four HTML-format body texts, in which undefineds stands for a portion of the recipient's email address: in the first instance the prefix (local part), and in every later occurrence the domain -

    Dear user undefineds,
    You have successfully updated the password of your undefineds account.
    If you did not authorize this change or if you need assistance with your account, please contact undefineds customer service at: undefineds
    Thank you for using undefineds!
    The undefineds Support Team
    +++ Attachment: No Virus (Clean)
    +++ undefineds Antivirus - www.undefineds


    Dear user undefineds,
    It has come to our attention that your undefineds User Profile ( x ) records are out of date. For further details see the attached document.
    Thank you for using undefineds!
    The undefineds Support Team
    +++ Attachment: No Virus (Clean)
    +++ undefineds Antivirus - www.undefineds


    Dear undefineds Member,
    We have temporarily suspended your email account undefineds.
    This might be due to either of the following reasons:
    1. A recent change in your personal information (i.e. change of address).
    2. Submiting invalid information during the initial sign up process.
    3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
    See the details to reactivate your undefineds account.
    Sincerely,The undefineds Support Team
    +++ Attachment: No Virus (Clean)
    +++ undefineds Antivirus - www.undefineds


    Dear undefineds Member,
    Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.
    If you choose to ignore our request, you leave us no choice but to cancel your membership.
    Virtually yours,
    The undefineds Support Team
    +++ Attachment: No Virus found
    +++ undefineds Antivirus - www.undefineds

  • spoofs the sender email address, using one of these names as the prefix (local part) of the From address -
    register
    mail
    accounts
    administrator
  • the attached file is a .ZIP archive with one of these names -
    account-report
    readme
    document
    account-info
    email-details
    account-details
    information
    important-details
  • connects to an IRC server named 'f00r.dynu.com' and joins the channel "toby" to await instructions and commands from a malicious user
  • functions as an LSASS/RPC exploit locator (scanner) if the appropriate instruction is sent to the virus via the IRC backdoor
  • deletes existing shares on the infected system -
    ipc$
    admin$
    c$
    d$
  • terminates processes matching a built-in list of file names
  • opens a command shell on vulnerable systems and executes script instructions to FTP a copy of the virus from the infected system to the exploited system, using the logon ID "a" with the same value as the password
  • infects systems on the same network via the IPC$ share
  • functions as a SOCKS4/SOCKS5 proxy
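The autostart and legacy-service registry entries listed under Specific Properties can be matched against a Regedit (.reg) export taken from a suspect host. This is an added example, not part of the advisory or Fortinet's tooling: the parser handles the plain `[key]` and `"name"="data"` lines of an export, and the export text below is constructed, with placeholder benign entries (ExampleUpdater, ExampleTray) alongside the value name, file name and enumeration key the advisory gives.

```python
"""Scan a Regedit (.reg) export for the MyTob.PN persistence entries.

Added example, not part of the original advisory. The value name, dropped
file name and legacy-service enumeration key come from the advisory; the
export text below is constructed, with placeholder benign autostart entries.
"""
import re
from typing import List, Tuple

# Autostart locations the advisory lists, matched by key suffix in any hive
# (HKLM, HKCU and HKEY_USERS\.DEFAULT all appear in the advisory).
AUTOSTART_SUFFIXES = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
    "\\software\\microsoft\\windows\\currentversion\\runservices",
)
IOC_VALUE_NAME = "win32 cnfg32"   # autostart value name used by the worm
IOC_FILE_NAME = "msconfgh.exe"    # file dropped into System32
IOC_LEGACY_KEY = "\\system\\currentcontrolset\\enum\\root\\legacy_win32_cnfg32"

# Constructed sample export: placeholder benign entries, one worm autostart
# value, and the legacy service enumeration key the advisory describes.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"Win32 Cnfg32"="msconfgh.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Users\\user\\AppData\\Local\\Example\\tray.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32_CNFG32\0000]
"Service"="Win32 Cnfg32"
"DeviceDesc"="Win32 Cnfg32"
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^(?:"([^"]*)"|(@))=(.*)$')


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) triples. String data has its quotes and
    .reg backslash escaping removed; other encodings (hex:, dword:) stay raw."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if not m or current_key is None:
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        entries.append((current_key, name, data))
    return entries


def find_indicators(entries: List[Tuple[str, str, str]]) -> List[str]:
    """Report autostart values carrying the worm's value name or file name,
    and the legacy service enumeration key (once per key)."""
    findings, seen_legacy_keys = [], set()
    for key, name, data in entries:
        key_l = key.lower()
        if key_l.endswith(AUTOSTART_SUFFIXES) and (
            name.lower() == IOC_VALUE_NAME or IOC_FILE_NAME in data.lower()
        ):
            findings.append(f"autostart value {name!r} = {data!r} in {key}")
        elif IOC_LEGACY_KEY in key_l and key_l not in seen_legacy_keys:
            seen_legacy_keys.add(key_l)
            findings.append(f"legacy service enumeration key {key}")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

The autostart check matches on either the value name or the file name, because the advisory notes that file names vary between variants while the persistence mechanism stays the same; the Enum\Root\LEGACY_* key is reported once per key rather than once per value so that a hit reads as one finding.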
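The lure subject lines, spoofed sender prefixes and .ZIP attachment names listed above make a simple triage rule for a mail gateway. This is an added example, not code from the advisory or from Fortinet: it scores a message by those three indicator sets and returns a verdict, and the sample messages (addresses at example.com) are constructed.

```python
"""Triage inbound mail against the MyTob.PN lure indicators.

Added example, not part of the original advisory. Subject lines, spoofed
sender local parts and .zip attachment names are the ones the advisory
lists; the sample messages are constructed (example.com is a placeholder).
"""
from email.utils import parseaddr
from typing import Dict, List, Tuple

# Subject lines used by the lure emails (compared case-insensitively).
LURE_SUBJECTS = {
    "notice of account limitation",
    "email account suspension",
    "security measures",
    "you are banned!!!",
    "we have suspended your account",
    "members support",
    "important notification",
    "warning message: your services near to be closed.",
    "your account is suspended for security reasons",
    "*detected* online user violation",
    "*warning* your email account is suspended",
    "your account is suspended",
}
# Local parts the worm spoofs in the From address.
SPOOFED_LOCAL_PARTS = {"register", "mail", "accounts", "administrator"}
# Base names of the .zip attachment that carries the worm.
ATTACHMENT_STEMS = {
    "account-report", "readme", "document", "account-info",
    "email-details", "account-details", "information", "important-details",
}


def score_message(headers: Dict[str, str], attachments: List[str]) -> Tuple[int, List[str]]:
    """Return (score, reasons). A matching attachment weighs 2, a matching
    subject or sender 1 each, so archive plus any other indicator scores 3+."""
    score, reasons = 0, []
    subject = " ".join(headers.get("Subject", "").split()).lower()
    if subject in LURE_SUBJECTS:
        score += 1
        reasons.append(f"subject matches lure: {subject!r}")
    _, addr = parseaddr(headers.get("From", ""))
    local_part = addr.split("@", 1)[0].lower()
    if local_part in SPOOFED_LOCAL_PARTS:
        score += 1
        reasons.append(f"sender local part matches spoof list: {local_part!r}")
    for name in attachments:
        lower = name.lower()
        if lower.endswith(".zip") and lower[:-4] in ATTACHMENT_STEMS:
            score += 2
            reasons.append(f"attachment name matches worm archive: {name!r}")
    return score, reasons


def verdict(headers: Dict[str, str], attachments: List[str]) -> str:
    """'quarantine' when the archive and at least one other indicator match,
    'flag' for any single indicator, otherwise 'deliver'."""
    score, _ = score_message(headers, attachments)
    if score >= 3:
        return "quarantine"
    if score >= 1:
        return "flag"
    return "deliver"


# Constructed sample messages: a full lure, a benign mail, and a subject-only hit.
LURE_MESSAGE = ({"From": "accounts@example.com", "Subject": "Your Account is Suspended"},
                ["account-details.zip"])
BENIGN_MESSAGE = ({"From": "alice@example.com", "Subject": "Lunch on Friday?"},
                  ["agenda.pdf"])
SUBJECT_ONLY = ({"From": "hr@example.com", "Subject": "Important Notification"}, [])

if __name__ == "__main__":
    for hdrs, atts in (LURE_MESSAGE, BENIGN_MESSAGE, SUBJECT_ONLY):
        score, reasons = score_message(hdrs, atts)
        print(verdict(hdrs, atts), score, reasons)
```

The weighting reflects the advisory's own description: the subject lines and sender prefixes are generic enough to appear in legitimate mail, so alone they only flag a message for review, while the named archive together with any other indicator is treated as the worm itself.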
 

Recommended Action

FortiGate systems:

  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed; if required, enable the "Allow Push Update" option