Mytob
Mytob
Type Multi-vector worm
Creator Diabl0 and Coder*
Date Discovered 2005.02.26
Place of Origin Salé, Morocco
Source Language
Platform MS Windows
File Type(s) .exe, .pif
Infection Length 42,512 Bytes
Reported Costs

Mytob is a worm that opens backdoors for crackers. Its code was based partly on Mydoom and many variants were created by the same coder who later created the Zotob worm.

Behavior

Mytob may arrive on a system in one of two ways, either by email or through exploiting a vulnerability in LSASS, or one of eight other vulnerabilities which allow remote code execution.
When arriving through email, it may have one of the following subject lines:

  • Error
  • Status
  • Server Report
  • Mail Transaction Failed
  • Mail Delivery System
  • hello
  • hi

The name of the attachment may be one of the following:

  • body
  • message
  • test
  • data
  • file
  • text
  • doc

And the file extension may be one of the following:

  • bat
  • cmd
  • exe
  • scr
  • pif

It may also come in a .zip file, in which case, the file will have a double extension, which can include one of the following extensions coming before one of the five listed above:

  • .doc
  • .txt
  • .htm
  • .html

When executed, the worm copied itself to the system folder msnmsgr.exe and creates a mutex named D66. It adds the value "MSN = msnmsgr.exe" to several local machine and current user Run, RunServices and RunOnce registry keys. These ensure the worm will run every time the computer boots, even before the user logs in. It also adds the value "dir0 = 012345:[CONFIGURABLE PATH]" to the Kazaa local content registry key and copies itself to the Kazaa path so it can spread to other Kazaa users.
It may attempt to connect to an MS SQL server and copy itself to the computer hosting the server. If the server is password protected, the worm has several hard-coded passwords it will try to use. These include:

  • null
  • Rendszergazda
  • Beheerder
  • amministratore
  • hallintovirkailijat
  • Administrat
  • Administrateur
  • administrador
  • Administrador
  • administrator
  • Administrator
  • ADMINISTRATOR
  • Password
  • password
  • admin
  • 123

It uses most of these as well as over 100 other weak passwords when it attempts to copy itself over network shares. Mytob then harvests email addresses from the address book and the following file types:

  • adb
  • asp
  • dbx
  • htm
  • php
  • pl
  • sht
  • tbb
  • wab

It avoids email addresses with several strings, mostly a few notable companies, addresses that indicate a webmaster, system administrator or an antivirus company.

Mytob connects to an IRC server to listen for commands from anyone who knows how to find the worm. The commands the worm can execute from the other end include scanning for more vulnerable computers, downloading or uploading files, listing running processes, killing those processes, stealing cached passwords, starting a local server (http, ftp, tftp), searching for files on the machine, capturing screenshots, clipboard data, or webcam footage, visit URLs, flush DNS and ARP caches, open a commands shell on the machine and intercept packages on the network. It also logs keystrokes from windows with titles with the names bank, login, e-bay, ebay or paypal.

Variants

Mytob creators produced enough variants to go through the alphabet several times. Antivirus detections for a particular variant disagree, as Mytob.EE for Symantec's detection might be Mytob.BC for another and Mytob.QW for yet another. Trend Micro reported 125 variants in three months.

Mytob.AR adds spyware and adware to infected computers. It logs keystrokes and can be used to steal passwords.

Mytob.CM was the most common malware of early June 2005. It turns off security applications and opens a backdoor on the system.

Origin

Sophos security consultant Carole Theriault noted similarities between Mytob and Mydoom, suggesting they could come from the same creator. Sophos also believes the worm originates from the Hellbot worm coder group. Authorities working in Morocco and Turkey arrested two men, Farid Essebar (فريد الصبار) in Morocco and Atilla Ekici, for allegedly coding this worm as well as the Zotob worm. Essebar is believed to have actually coded the worms with payment from Ekici.

Essebar's worm coding likely began when he received a copy of Mydoom source code from a British cracker while living for a year with his mother in Russia. He was self-taught and had no formal training in computer programming. In addition to the worms, he was also charged with credit card fraud and spent 15 months in prison. The arrest and conviction were controversial with some, as they believed Moroccan authorities had nothing but some orders from the US to arrest him.

Effects

Mytob variants were prolific enough to make several top-10 virus/worm charts in 2005. In May of that year, one email-filtering firm blocked 69,000 copies of the worm. CNN, ABC and Daimler-Chrysler were infected with the worm.

Sources

F-Secure, Worm:W32/Mytob.A.

Takayoshi Nakayama. Symantec, W32.Mytob@mm. 2007.02.13

Microsoft. Microsoft Security Bulletin MS04-011.

John Leyden. The Register, Window of exposure lets viruses run rampant. 2005.06.02

-. -, Hackers plot to create massive botnet. 2005.06.03

Robert Lemos. SecurityFocus, The Register, Zotob suspects arrested in Turkey and Morocco. 2005.08.30

Radovane. Maghress, Zotob is made in Morocco !!. 2005.09.03 (French)

YC. Maghress, Relaxation de Farid Essabar, le présumé concepteur du virus " Zotob"". 2006.12.18 (French)

VBSpiders Forum, الي رواد منتديات العناكب: مادا تعرفون عن فريد الصبــــــار. (Arabic)

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License