Win32/Mytob.EW

Win32/Mytob.EW is a variant of the well-known Mydoom worm family. It spreads by e-mail and through peer-to-peer (P2P) file-sharing networks. To propagate it also uses the functions of a BOT-type trojan (an IRC-controlled backdoor, described below) and exploits the well-known LSASS vulnerability (the buffer overflow in the Windows Local Security Authority Subsystem Service addressed by Microsoft bulletin MS04-011).
Also detected as: Mytob.EW, I-Worm.Mytob.GN, I-Worm/Mytob.IX, Malware.a!zip, Net-Worm.Win32.Mytob.bl, Posible-Worm-Zip-DobleExtension, W32.Mytob.EO@mm, W32/Mydoom.AY.worm, W32/MyTob.EO-mm, W32/Mytob.EW, Win32.HLLM.MyDoom.42, Win32.Mytob!ZIP, Win32.Worm.Mytob.BL, Win32/Mytob.117760!Worm, Win32/Mytob.EW, Worm.Mytob.CZ, Worm/Mytob.GH
Size: 117,760 bytes
Technical details
When executed, the worm creates the following copy of itself on the infected system:
c:\windows\system32\dcomuser.exe
Depending on the version of the operating system, the "c:\windows" and "c:\windows\system32" folders may differ ("c:\winnt", "c:\winnt\system32", "c:\windows\system").
It adds the following values to the Windows Registry so that it is run automatically at every system start (the RunServices key is only honoured by Windows 9x/Me; on Windows NT-based systems the Run value alone provides the persistence):
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WINDOWS SYSTEM" = c:\windows\system32\dcomuser.exe
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "WINDOWS SYSTEM" = c:\windows\system32\dcomuser.exe
It also modifies the following value to lower the security level of the infected system:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess Start = 4
SharedAccess is the Windows Firewall / Internet Connection Sharing (ICS) service, and a Start value of 4 means "disabled", so the built-in firewall no longer starts with the system.
To find addresses to send infected messages to, the worm searches the Windows Address Book and every file in the following folders:
• C:\WINDOWS\Temporary Internet Files\
• C:\Documents and Settings\[user]\Impostazioni locali\file temporanei Internet\ (the Italian-localized Local Settings\Temporary Internet Files folder)
• C:\windows\system32\
It also searches for addresses in files with the following extensions:
• .adb
• .asp
• .cgi
• .dbx
• .htm
• .html
• .jsp
• .php
• .sht
• .tbb
• .txt
• .wab
• .xml
It avoids sending itself to addresses that contain any of the following strings. This is a plain substring match, so very short entries such as ca, me, no and the rule out a large share of ordinary addresses as well, while the longer ones keep the worm away from antivirus vendors, mailing lists and abuse or postmaster mailboxes:
.gov
.mil
abuse
accoun
acketst
admin
anyone
arin.
avp
bat
berkeley
borlan
bsd
bugs
ca
certific
contact
example
fcn
feste
fido
foo.
gnu
gold-certs
google
gov.
help
hotmail
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
listserv
math
me
mit.e
mozilla
msn.
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.e
the
unix
usenet
utgers.ed
webmaster
you
your
It uses its own SMTP engine to send its messages. To choose a mail server for a target, it prepends one of the following strings to the domain part of the chosen address and tries the resulting host names:
gate.
mail.
mail1.
mx.
mx1.
mxs.
ns.
relay.
smtp.
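The harvest-and-filter logic just described, as an added example that is not code from the original page or from the worm itself: it applies the exclusion list above as the plain substring match the text describes and builds the relay host names from the prefix list, so the effect of the short exclusion strings can be seen on real-looking input. The address regex, the sample HTML and every address and domain in it are assumptions made for this example.

```python
"""Added example (not code from the original page or from the worm): reproduces
the target-selection rules described above so that the effect of the plain
substring exclusion list and of the relay-name guessing can be checked."""
import re

# Exclusion substrings, copied from the page's list.
EXCLUDED_SUBSTRINGS = (
    ".gov", ".mil", "abuse", "accoun", "acketst", "admin", "anyone", "arin.", "avp",
    "bat", "berkeley", "borlan", "bsd", "bugs", "ca", "certific", "contact", "example",
    "fcn", "feste", "fido", "foo.", "gnu", "gold-certs", "google", "gov.", "help",
    "hotmail", "iana", "ibm.com", "icrosof", "icrosoft", "ietf", "info", "inpris",
    "isc.o", "isi.e", "kernel", "linux", "listserv", "math", "me", "mit.e", "mozilla",
    "msn.", "mydomai", "no", "nobody", "nodomai", "noone", "not", "nothing", "ntivi",
    "page", "panda", "pgp", "postmaster", "privacy", "rating", "rfc-ed", "ripe.", "root",
    "ruslis", "samples", "secur", "sendmail", "service", "site", "soft", "somebody",
    "someone", "sopho", "submit", "support", "syma", "tanford.e", "the", "unix",
    "usenet", "utgers.ed", "webmaster", "you", "your",
)

# Host-name prefixes the worm prepends to the target domain (from the page).
RELAY_PREFIXES = ("gate.", "mail.", "mail1.", "mx.", "mx1.", "mxs.", "ns.", "relay.", "smtp.")

# Simple address pattern for harvesting; an assumption, the page gives no pattern.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest_addresses(text):
    """Return the unique, lower-cased addresses found in a blob of text."""
    return sorted({m.group(0).lower() for m in EMAIL_RE.finditer(text)})


def excluded_by(address):
    """Exclusion strings that fire for an address, matched as plain substrings
    over the whole address (local part and domain), as the page describes."""
    addr = address.lower()
    return [s for s in EXCLUDED_SUBSTRINGS if s in addr]


def is_excluded(address):
    return bool(excluded_by(address))


def select_targets(text):
    """Harvest and filter: the addresses the worm would actually mail."""
    return [a for a in harvest_addresses(text) if not is_excluded(a)]


def relay_candidates(address):
    """Host names the worm tries as SMTP servers for one target address."""
    domain = address.rsplit("@", 1)[1].lower()
    return [prefix + domain for prefix in RELAY_PREFIXES]


# Constructed sample: a scrap of cached HTML such as the worm would read from
# Temporary Internet Files (addresses and domains are made up for this example).
SAMPLE_HTML = """
<p>Contact <a href="mailto:bob@contoso.com">Bob</a> or
<a href="mailto:Alice@fabrikam.com">Alice</a>.</p>
<p>Other addresses: root@fabrikam.com, webmaster@contoso.com,
dave@northwind.org, jane@example.com, sam@thecompany.org</p>
"""

if __name__ == "__main__":
    for addr in harvest_addresses(SAMPLE_HTML):
        reasons = excluded_by(addr)
        print(f"{addr:28} {'SKIP ' + ','.join(reasons) if reasons else 'TARGET'}")
    print(relay_candidates("bob@contoso.com"))
```

Of the seven constructed addresses only two survive the filter; dave@northwind.org is dropped by the two-letter entry "no" and sam@thecompany.org by "the", which shows how blunt the worm's exclusion list is. The same function is a cheap way to test whether a mailbox on your own domain would have been a target.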
The message the worm uses to spread has the following characteristics:

From: [spoofed address]
It may use addresses built from one of the following names, to which it appends a domain chosen at random from the addresses harvested earlier:
adam
alex
alice
andrew
anna
bill
bob
brenda
brent
brian
claudia
dan
dave
david
debby
fred
george
helen
jack
james
jane
jerry
jim
jimmy
joe
john
jose
julie
kevin
leo
linda
maria
mary
matt
michael
mike
peter
ray
robert
sam
sandra
serg
smith
stan
steve
ted
tom
Subject: [one of the following]
• *DETECTED* Online User Violation
• Email Account Suspension
• Important Notification
• Members Support
• Notice of account limitation
• Security measures
• Warning Message: Your services near to be closed.
• Your Account is Suspended
• Your Account is Suspended For Security Reasons
Message body: [one of the following, reproduced verbatim including the original spelling mistakes]:
• Dear user [user name], You have successfully updated the password of your [domain] account. If you did not authorize this change or if you need assistance with your account, please contact [domain] customer service at: [domain] Thank you for using [domain]! The [domain] Support Team
• Dear user [user name], It has come to our attention that your [domain] User Profile ( x ) records are out of date. For further details see the attached document. Thank you for using [domain]! The [domain] Support Team +++ Attachment: No Virus (Clean) +++ [domain] Antivirus - www.[domain]
• Dear [domain] Member, We have temporarily suspended your email account [user name]. This might be due to either of the following reasons: 1. A recent change in your personal information (i.e. change of address). 2. Submiting invalid information during the initial sign up process. 3. An innability to accurately verify your selected option of subscription due to an internal error within our processors. See the details to reactivate your [domain] account. Sincerely,The [domain] Support Team +++ Attachment: No Virus (Clean) +++ [domain] Antivirus - www.[domain]
• Dear [domain] Member, Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service. If you choose to ignore our request, you leave us no choice but to cancel your membership. Virtually yours, The [domain] Support Team +++ Attachment: No Virus found +++ [domain] Antivirus - www.[domain]
Attachment: [one of the following]
• [random characters].???
• accepted-password.???
• account-details.???
• account-info.???
• account-password.???
• account-report.???
• approved-password.???
• document.???
• email-details.???
• email-password.???
• important-details.???
• new-password.???
• password.???
• readme.???
• updated-password.???
where "???" is one of the following extensions:
.bat
.cmd
.exe
.pif
.scr
.zip
When the attachment has the .ZIP extension, the archive contains the worm's code under the same file name with a double extension, where the first extension is one of the following:
• .doc
• .htm
• .html
• .txt
and the second (the one that actually determines how Windows runs the file):
• .exe
• .pif
• .scr
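An added example (not code from the original page) that checks a mail attachment against the lure names, the outer extensions and the ZIP double-extension trick described above, the way a mail-gateway filter of the period would. The archive it builds holds an inert text placeholder, not the worm; the file names in the usage section are constructed for the example. A lure name on its own is deliberately not reported, since readme.txt or document.doc are common and harmless.

```python
"""Added example (not code from the original page): triage of a mail attachment
against the lure names, extensions and ZIP double-extension trick described
above. The ZIP built here contains an inert placeholder, not the worm."""
import io
import os
import zipfile

# Attachment base names used by the worm (from the page; the random-name case
# is covered by the extension checks alone).
LURE_NAMES = {
    "accepted-password", "account-details", "account-info", "account-password",
    "account-report", "approved-password", "document", "email-details",
    "email-password", "important-details", "new-password", "password", "readme",
    "updated-password",
}
OUTER_EXTS = {".bat", ".cmd", ".exe", ".pif", ".scr", ".zip"}   # the "???" on the page
DECOY_EXTS = {".doc", ".htm", ".html", ".txt"}                  # first extension inside the ZIP
PAYLOAD_EXTS = {".exe", ".pif", ".scr"}                         # second extension inside the ZIP


def split_ext(name):
    """os.path.splitext with a lower-cased extension: 'a.doc.exe' -> ('a.doc', '.exe')."""
    base, ext = os.path.splitext(name)
    return base, ext.lower()


def has_double_extension(member):
    """True for names like 'account-details.doc.exe': a decoy extension in front of an executable one."""
    inner, ext2 = split_ext(member)
    _, ext1 = split_ext(inner)
    return ext2 in PAYLOAD_EXTS and ext1 in DECOY_EXTS


def triage_attachment(filename, data):
    """Return the indicators matched by one attachment; an empty list means nothing matched.

    A lure file name only counts together with one of the worm's outer extensions,
    so a plain readme.txt is not flagged."""
    hits = []
    base, ext = split_ext(filename)
    if ext in OUTER_EXTS:
        hits.append(f"outer extension {ext}")
        if base.lower() in LURE_NAMES:
            hits.append(f"lure filename {base}")
    if ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    if has_double_extension(member):
                        hits.append(f"double-extension member {member}")
                    elif split_ext(member)[1] in PAYLOAD_EXTS:
                        hits.append(f"executable member {member}")
        except zipfile.BadZipFile:
            hits.append("zip attachment is not a valid archive")
    return hits


def build_sample_zip(member_name):
    """Constructed sample archive holding one inert text member under the given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(member_name, b"placeholder bytes for the example, not executable code")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {                       # constructed attachments for the demo
        "account-details.zip": build_sample_zip("account-details.doc.exe"),
        "password.scr": b"\x00",
        "readme.txt": b"plain text",
        "report.pdf": b"%PDF-1.4",
    }
    for name, blob in samples.items():
        print(name, "->", triage_attachment(name, blob) or "clean")
```

The ZIP case is the one worth keeping in a filter: blocking .exe/.pif/.scr attachments outright is easy, but an archive named account-details.zip whose only member is account-details.doc.exe passes a naive extension check on the outer file and is shown by Explorer with a document icon once extracted.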
The worm's BOT component uses TCP port 6667 to connect to an IRC server, where it waits for commands. Through the backdoor installed by the worm, an attacker can perform the following actions on the infected computer:
• Download files
• Execute files
• Delete files
• Update itself
• Obtain information about the infected computer
• Execute IRC commands
• Reboot the computer
It modifies the HOSTS file so that the following security-vendor sites resolve to 127.0.0.1 and can no longer be reached from the infected machine (this also blocks antivirus signature updates):
• 127.0.0.1 www.symantec.com
• 127.0.0.1 securityresponse.symantec.com
• 127.0.0.1 symantec.com
• 127.0.0.1 www.sophos.com
• 127.0.0.1 sophos.com
• 127.0.0.1 www.mcafee.com
• 127.0.0.1 mcafee.com
• 127.0.0.1 liveupdate.symantecliveupdate.com
• 127.0.0.1 www.viruslist.com
• 127.0.0.1 viruslist.com
• 127.0.0.1 f-secure.com
• 127.0.0.1 www.f-secure.com
• 127.0.0.1 kaspersky.com
• 127.0.0.1 kaspersky-labs.com
• 127.0.0.1 www.avp.com
• 127.0.0.1 www.kaspersky.com
• 127.0.0.1 avp.com
• 127.0.0.1 www.networkassociates.com
• 127.0.0.1 networkassociates.com
• 127.0.0.1 www.ca.com
• 127.0.0.1 ca.com
• 127.0.0.1 mast.mcafee.com
• 127.0.0.1 my-etrust.com
• 127.0.0.1 www.my-etrust.com
• 127.0.0.1 download.mcafee.com
• 127.0.0.1 dispatch.mcafee.com
• 127.0.0.1 secure.nai.com
• 127.0.0.1 nai.com
• 127.0.0.1 www.nai.com
• 127.0.0.1 update.symantec.com
• 127.0.0.1 updates.symantec.com
• 127.0.0.1 us.mcafee.com
• 127.0.0.1 liveupdate.symantec.com
• 127.0.0.1 customer.symantec.com
• 127.0.0.1 rads.mcafee.com
• 127.0.0.1 trendmicro.com
• 127.0.0.1 www.trendmicro.com
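An added example (not from the original page) that detects the HOSTS hijack described above and produces a cleaned copy of the file, which is the part of the clean-up that antivirus tools of the time often left to the administrator. The vendor domains are collapsed from the list above; the sample HOSTS content is constructed, and treating 0.0.0.0 and ::1 as blackhole addresses alongside 127.0.0.1 is an assumption beyond what the page states.

```python
"""Added example (not code from the original page): detect and undo the HOSTS
hijack described above. The sample HOSTS content below is constructed for the
example; the vendor domain list is collapsed from the one on the page."""

# Second-level domains the worm blackholes (collapsed from the page's list).
SECURITY_VENDOR_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "kaspersky-labs.com",
    "avp.com", "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com",
)
# The page only mentions 127.0.0.1; 0.0.0.0 and ::1 are added here as an
# assumption, since they blackhole a name just as effectively.
BLACKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS content, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def is_hijack(ip, name):
    """A security-vendor host name pointed at a blackhole address."""
    return ip in BLACKHOLE_IPS and any(
        name == d or name.endswith("." + d) for d in SECURITY_VENDOR_DOMAINS
    )


def hijacked_entries(text):
    """Host names in the HOSTS content that match the worm's redirect pattern."""
    return [name for ip, name in parse_hosts(text) if is_hijack(ip, name)]


def clean_hosts(text):
    """Return the HOSTS content with every line made up only of hijack entries removed.

    Lines that mix a legitimate name with a hijacked one are kept so nothing is
    lost silently; they still show up in hijacked_entries() for manual review."""
    kept = []
    for raw in text.splitlines():
        entries = list(parse_hosts(raw))
        if entries and all(is_hijack(ip, name) for ip, name in entries):
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


# Constructed sample: the Windows default file plus a local entry and the
# worm's additions (one with a tab separator, one with two names on a line).
SAMPLE_HOSTS = "\n".join([
    "# Copyright (c) 1993-1999 Microsoft Corp.",
    "127.0.0.1       localhost",
    "10.0.0.5        intranet.example   # legitimate local entry",
    "127.0.0.1 www.symantec.com",
    "127.0.0.1 liveupdate.symantecliveupdate.com",
    "127.0.0.1\tupdate.symantec.com",
    "127.0.0.1 www.sophos.com sophos.com",
])

if __name__ == "__main__":
    print("hijacked:", hijacked_entries(SAMPLE_HOSTS))
    print(clean_hosts(SAMPLE_HOSTS))
```

On a real system the file lives at %SystemRoot%\system32\drivers\etc\hosts and is often set read-only or hidden by this kind of malware, so clear those attributes before writing the cleaned copy back, and run the check again after reboot, since the backdoor can restore the entries while the worm is still running.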
Finally, it attempts to terminate the following processes, many of which belong to antivirus and security applications (the list also includes system tools such as regedit.exe, taskmgr.exe, msconfig.exe and netstat.exe, and the processes of competing worms such as msblast.exe):
• _avp32.exe
• _avpcc.exe
• _avpm.exe
• ackwin32.exe
• adaware.exe
• advxdwin.exe
• agentsvr.exe
• agentw.exe
• alertsvc.exe
• alevir.exe
• alogserv.exe
• amon9x.exe
• anti-trojan.exe
• antivirus.exe
• ants.exe
• apimonitor.exe
• aplica32.exe
• apvxdwin.exe
• arr.exe
• atcon.exe
• atguard.exe
• atro55en.exe
• atupdater.exe
• atwatch.exe
• au.exe
• aupdate.exe
• autodown.exe
• auto-protect.nav80try.exe
• autotrace.exe
• autoupdate.exe
• avconsol.exe
• ave32.exe
• avgcc32.exe
• avgctrl.exe
• avgnt.exe
• avgserv.exe
• avgserv9.exe
• avguard.exe
• avgw.exe
• avkpop.exe
• avkserv.exe
• avkservice.exe
• avkwctl9.exe
• avltmain.exe
• avnt.exe
• avp.exe
• avp32.exe
• avpcc.exe
• avpdos32.exe
• avpm.exe
• avptc32.exe
• avpupd.exe
• avsched32.exe
• avsynmgr.exe
• avwinnt.exe
• avwupd.exe
• avwupd32.exe
• avwupsrv.exe
• avxmonitor9x.exe
• avxmonitornt.exe
• avxquar.exe
• backweb.exe
• bargains.exe
• bd_professional.exe
• beagle.exe
• belt.exe
• bidef.exe
• bidserver.exe
• bipcp.exe
• bipcpevalsetup.exe
• bisp.exe
• blackd.exe
• blackice.exe
• blss.exe
• bootconf.exe
• bootwarn.exe
• borg2.exe
• bpc.exe
• brasil.exe
• bs120.exe
• bundle.exe
• bvt.exe
• ccapp.exe
• ccevtmgr.exe
• ccpxysvc.exe
• cdp.exe
• cfd.exe
• cfgwiz.exe
• cfiadmin.exe
• cfiaudit.exe
• cfinet.exe
• cfinet32.exe
• claw95cf.exe
• clean.exe
• cleaner.exe
• cleaner3.exe
• cleanpc.exe
• click.exe
• cmd.exe
• cmd32.exe
• cmesys.exe
• cmgrdian.exe
• cmon016.exe
• connectionmonitor.exe
• cpd.exe
• cpf9x206.exe
• cpfnt206.exe
• ctrl.exe
• cv.exe
• cwnb181.exe
• cwntdwmo.exe
• datemanager.exe
• dcomx.exe
• defalert.exe
• defscangui.exe
• defwatch.exe
• deputy.exe
• divx.exe
• dllcache.exe
• dllreg.exe
• doors.exe
• dpf.exe
• dpfsetup.exe
• dpps2.exe
• drwatson.exe
• drweb32.exe
• drwebupw.exe
• dssagent.exe
• dvp95.exe
• dvp95_0.exe
• ecengine.exe
• efpeadm.exe
• emsw.exe
• ent.exe
• esafe.exe
• escanhnt.exe
• escanv95.exe
• espwatch.exe
• ethereal.exe
• etrustcipe.exe
• evpn.exe
• exantivirus-cnet.exe
• exe.avxw.exe
• expert.exe
• explore.exe
• fameh32.exe
• fast.exe
• fch32.exe
• fih32.exe
• findviru.exe
• firewall.exe
• fnrb32.exe
• fprot.exe
• f-prot.exe
• f-prot95.exe
• fp-win.exe
• fp-win_trial.exe
• frw.exe
• fsaa.exe
• fsav.exe
• fsav32.exe
• fsav530stbyb.exe
• fsav530wtbyb.exe
• fsav95.exe
• fsgk32.exe
• fsm32.exe
• fsma32.exe
• fsmb32.exe
• f-stopw.exe
• gator.exe
• gbmenu.exe
• gbpoll.exe
• generics.exe
• gmt.exe
• guard.exe
• guarddog.exe
• hacktracersetup.exe
• hbinst.exe
• hbsrv.exe
• hotactio.exe
• hotpatch.exe
• htlog.exe
• htpatch.exe
• hwpe.exe
• hxdl.exe
• hxiul.exe
• iamapp.exe
• iamserv.exe
• iamstats.exe
• ibmasn.exe
• ibmavsp.exe
• icloadnt.exe
• icmon.exe
• icsupp95.exe
• icsuppnt.exe
• idle.exe
• iedll.exe
• iedriver.exe
• iexplorer.exe
• iface.exe
• ifw2000.exe
• inetlnfo.exe
• infus.exe
• infwin.exe
• init.exe
• intdel.exe
• intren.exe
• iomon98.exe
• istsvc.exe
• jammer.exe
• jdbgmrg.exe
• jedi.exe
• kavlite40eng.exe
• kavpers40eng.exe
• kavpf.exe
• kazza.exe
• keenvalue.exe
• kerio-pf-213-en-win.exe
• kerio-wrl-421-en-win.exe
• kerio-wrp-421-en-win.exe
• kernel32.exe
• killprocesssetup161.exe
• launcher.exe
• ldnetmon.exe
• ldpro.exe
• ldpromenu.exe
• ldscan.exe
• lnetinfo.exe
• loader.exe
• localnet.exe
• lockdown.exe
• lockdown2000.exe
• lookout.exe
• lordpe.exe
• lsetup.exe
• luall.exe
• luau.exe
• lucomserver.exe
• luinit.exe
• luspt.exe
• mapisvc32.exe
• mcagent.exe
• mcmnhdlr.exe
• mcshield.exe
• mctool.exe
• mcupdate.exe
• mcvsrte.exe
• mcvsshld.exe
• md.exe
• mfin32.exe
• mfw2en.exe
• mfweng3.02d30.exe
• mgavrtcl.exe
• mgavrte.exe
• mghtml.exe
• mgui.exe
• minilog.exe
• mmod.exe
• monitor.exe
• moolive.exe
• mostat.exe
• mpfagent.exe
• mpfservice.exe
• mpftray.exe
• mrflux.exe
• msapp.exe
• msbb.exe
• msblast.exe
• mscache.exe
• msccn32.exe
• mscman.exe
• msconfig.exe
• msdm.exe
• msdos.exe
• msiexec16.exe
• msinfo32.exe
• mslaugh.exe
• msmgt.exe
• msmsgri32.exe
• mssmmc32.exe
• mssys.exe
• msvxd.exe
• mu0311ad.exe
• mwatch.exe
• n32scanw.exe
• nav.exe
• navap.navapsvc.exe
• navapsvc.exe
• navapw32.exe
• navdx.exe
• navlu32.exe
• navnt.exe
• navstub.exe
• navw32.exe
• navwnt.exe
• ncinst4.exe
• ndd32.exe
• neomonitor.exe
• neowatchlog.exe
• netarmor.exe
• netd32.exe
• netinfo.exe
• netmon.exe
• netscanpro.exe
• netspyhunter-1.2.exe
• netstat.exe
• netutils.exe
• nisserv.exe
• nisum.exe
• nmain.exe
• nod32.exe
• normist.exe
• norton_internet_secu_3.0_407.exe
• notstart.exe
• npf40_tw_98_nt_me_2k.exe
• npfmessenger.exe
• nprotect.exe
• npscheck.exe
• npssvc.exe
• nsched32.exe
• nssys32.exe
• nstask32.exe
• nsupdate.exe
• nt.exe
• ntrtscan.exe
• ntvdm.exe
• ntxconfig.exe
• nui.exe
• nupgrade.exe
• nvarch16.exe
• nvc95.exe
• nvsvc32.exe
• nwinst4.exe
• nwservice.exe
• nwtool16.exe
• ollydbg.exe
• onsrvr.exe
• optimize.exe
• ostronet.exe
• otfix.exe
• outpost.exe
• outpostinstall.exe
• outpostproinstall.exe
• padmin.exe
• panixk.exe
• patch.exe
• pavcl.exe
• pavproxy.exe
• pavsched.exe
• pavw.exe
• pcfwallicon.exe
• pcscan.exe
• pdsetup.exe
• periscope.exe
• persfw.exe
• perswf.exe
• pf2.exe
• pfwadmin.exe
• pgmonitr.exe
• pingscan.exe
• platin.exe
• pop3trap.exe
• poproxy.exe
• popscan.exe
• portdetective.exe
• portmonitor.exe
• powerscan.exe
• ppinupdt.exe
• pptbc.exe
• ppvstop.exe
• prizesurfer.exe
• prmt.exe
• prmvr.exe
• procdump.exe
• processmonitor.exe
• procexplorerv1.0.exe
• programauditor.exe
• proport.exe
• protectx.exe
• pspf.exe
• purge.exe
• qconsole.exe
• qserver.exe
• rapapp.exe
• rav7.exe
• rav7win.exe
• rav8win32eng.exe
• ray.exe
• rb32.exe
• rcsync.exe
• realmon.exe
• reged.exe
• regedit.exe
• regedt32.exe
• rescue.exe
• rescue32.exe
• rrguard.exe
• rshell.exe
• rtvscan.exe
• rtvscn95.exe
• rulaunch.exe
• run32dll.exe
• rundll.exe
• rundll16.exe
• ruxdll32.exe
• safeweb.exe
• sahagent.exe
• save.exe
• savenow.exe
• sbserv.exe
• sc.exe
• scam32.exe
• scan32.exe
• scan95.exe
• scanpm.exe
• scrscan.exe
• setup_flowprotector_us.exe
• setupvameeval.exe
• sfc.exe
• sgssfw32.exe
• sh.exe
• shellspyinstall.exe
• shn.exe
• showbehind.exe
• smc.exe
• sms.exe
• smss32.exe
• soap.exe
• sofi.exe
• sperm.exe
• spf.exe
• sphinx.exe
• spoler.exe
• spoolcv.exe
• spoolsv32.exe
• spyxx.exe
• srexe.exe
• srng.exe
• ss3edit.exe
• ssgrate.exe
• st2.exe
• start.exe
• stcloader.exe
• supftrl.exe
• support.exe
• supporter5.exe
• svc.exe
• svchostc.exe
• svchosts.exe
• svshost.exe
• sweep95.exe
• sweepnet.sweepsrv.sys.swnetsup.exe
• symproxysvc.exe
• symtray.exe
• sysedit.exe
• system.exe
• system32.exe
• sysupd.exe
• taskmg.exe
• taskmgr.exe
• taskmo.exe
• taskmon.exe
• taumon.exe
• tbscan.exe
• tc.exe
• tca.exe
• tcm.exe
• tds2-nt.exe
• tds-3.exe
• teekids.exe
• tfak.exe
• tfak5.exe
• tgbob.exe
• titanin.exe
• titaninxp.exe
• tracert.exe
• trickler.exe
• trjscan.exe
• trjsetup.exe
• trojantrap3.exe
• tsadbot.exe
• tvmd.exe
• tvtmd.exe
• undoboot.exe
• updat.exe
• update.exe
• upgrad.exe
• utpost.exe
• vbcmserv.exe
• vbcons.exe
• vbust.exe
• vbwin9x.exe
• vbwinntw.exe
• vcsetup.exe
• vet32.exe
• vet95.exe
• vettray.exe
• vfsetup.exe
• vir-help.exe
• virusmdpersonalfirewall.exe
• vnlan300.exe
• vnpc3000.exe
• vpc32.exe
• vpc42.exe
• vpfw30s.exe
• vptray.exe
• vscan40.exe
• vscenu6.02d30.exe
• vsched.exe
• vsecomr.exe
• vshwin32.exe
• vsisetup.exe
• vsmain.exe
• vsmon.exe
• vsstat.exe
• vswin9xe.exe
• vswinntse.exe
• vswinperse.exe
• w32dsm89.exe
• w9x.exe
• watchdog.exe
• webdav.exe
• webscanx.exe
• webtrap.exe
• wfindv32.exe
• whoswatchingme.exe
• wimmun32.exe
• win32.exe
• win32us.exe
• winactive.exe
• win-bugsfix.exe
• window.exe
• windows.exe
• wininetd.exe
• wininit.exe
• wininitx.exe
• winlogin.exe
• winmain.exe
• winnet.exe
• winppr32.exe
• winrecon.exe
• winservn.exe
• winssk32.exe
• winstart.exe
• winstart001.exe
• wintsk32.exe
• winupdate.exe
• wkufind.exe
• wnad.exe
• wnt.exe
• wradmin.exe
• wrctrl.exe
• wsbgate.exe
• wupdater.exe
• wupdt.exe
• wyvernworksfirewall.exe
• xpf202en.exe
• zapro.exe
• zapsetup3001.exe
• zatutor.exe
• zonalm2601.exe
• zonealarm.exe
The worm creates the following mutex (a Windows synchronization object; here it is used to ensure that only one instance of the worm runs in memory, and its presence is a convenient indicator of infection):
H-E-L-L-B-O-T-P-O-L-Y-M-O-R-P-H


RD Informatica - Str. Rupola 14 - 61122 Pesaro PU - Tel 0721 206238 Fax 0721 1835042 P.Iva 01241970415 - info@rdinformatica.com 