Mytob.au is a new variant of the Mytob family of worms. Unlike previous variants, which spread both by email and through the LSASS vulnerability, this variant spreads only by email.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
The worm is a PE executable file 33280 bytes long, packed with Yoda's crypt and Morphine.
When run, the worm copies itself to the %SYSTEM% directory under the name '1hellbot.exe' and creates a mutex named 'H-e-l-l-B-o-t-3!!!'.
It then alters registry entries to ensure that it is started when a user logs on or the system is restarted:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HELLBOT TEST" = "1hellbot.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"HELLBOT TEST" = "1hellbot.exe"
The worm spreads by sending its infected attachment to email addresses found on the infected computer. Email addresses are harvested from the Windows Address Book and from files with the following extensions:
txt htm sht jsp cgi xml php asp dbx tbb adb wab pl
The worm avoids sending emails to email addresses that contain any of the following substrings:
syma icrosof msn. hotmail panda sopho borlan inpris example mydomai nodomai ruslis .gov gov. .mil foo. berkeley unix math mit.e fsf. ibm.com google kernel linux fido usenet iana ietf rfc-ed sendmail arin. ripe. isi.e isc.o secur acketst tanford.e utgers.ed mozilla be_loyal: root info samples postmaster webmaster noone nobody nothing anyone someone your bugs rating site contact soft somebody privacy service help submit feste gold-certs the.bat page admin icrosoft support ntivi unix linux listserv certific google accoun fcnz secur abuse
The email message is composed from a randomly chosen subject line, body text and additional parts. The worm has a selection of attachment names that it uses for its attachment. The subject of infected emails is selected from the following variants:
Notice: **Last Warning** Your email account access is restricted
Your Email Account is Suspended For Security Reasons
Notice:***Your email account will be suspended***
Security measures
Email Account Suspension
*IMPORTANT* Please Validate Your Email Account
*IMPORTANT* Your Account Has Been Locked
Body text is selected from the following list:
Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
To unblock your email account acces, please see the attachment.
Follow the instructions in the attachment.
We have suspended some of your email services, to resolve the problem you should read the attached document.
To safeguard your email account from possible termination , please see the attached file.
please look at attached document.
Account Information Are Attached!
The attachment name is composed from a predefined keyword and a predefined extension. The keyword set is:
email-info email-text email-doc information your_details INFO IMPORTANT info-text
The extension set is:
bat cmd exe scr pif
For example:
IMPORTANT.scr
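The subject lines, body phrases and keyword.extension attachment names above are usable as mail-gateway indicators. The following is an added example, not code from F-Secure or from the description, that parses an RFC 822 message and reports which of these indicators fired. The sample message it builds is constructed here for the demonstration, and matching is done case-insensitively, which is an assumption that goes slightly beyond the exact strings on the page.

```python
"""Mail-gateway check for the Mytob.au lure: subject lines, body phrases
and the keyword.extension attachment naming scheme listed in the description."""
import email
import re
from email import policy
from email.message import EmailMessage

# Indicator lists copied from the description above.
SUBJECTS = [
    "Notice: **Last Warning** Your email account access is restricted",
    "Your Email Account is Suspended For Security Reasons",
    "Notice:***Your email account will be suspended***",
    "Security measures",
    "Email Account Suspension",
    "*IMPORTANT* Please Validate Your Email Account",
    "*IMPORTANT* Your Account Has Been Locked",
]
BODY_PHRASES = [
    "your account records will not be interrupted",
    "to unblock your email account acces",  # the typo is the worm's own text
    "follow the instructions in the attachment",
    "we have suspended some of your email services",
    "to safeguard your email account from possible termination",
    "please look at attached document",
    "account information are attached",
]
ATTACH_BASES = ["email-info", "email-text", "email-doc", "information",
                "your_details", "INFO", "IMPORTANT", "info-text"]
ATTACH_EXTS = ["bat", "cmd", "exe", "scr", "pif"]

# keyword.extension, matched case-insensitively (assumption: re-cased variants count too)
ATTACH_RE = re.compile(
    r"^(?:%s)\.(?:%s)$" % ("|".join(map(re.escape, ATTACH_BASES)), "|".join(ATTACH_EXTS)),
    re.IGNORECASE,
)


def normalise(text):
    """Collapse whitespace and lower-case for tolerant comparison."""
    return " ".join((text or "").split()).lower()


def subject_matches(subject):
    return normalise(subject) in {normalise(s) for s in SUBJECTS}


def body_matches(text):
    body = normalise(text)
    return any(phrase in body for phrase in BODY_PHRASES)


def attachment_matches(filename):
    return bool(filename) and ATTACH_RE.match(filename.strip()) is not None


def score_message(raw):
    """Return which indicators fired and a verdict for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = {"subject": subject_matches(msg["Subject"]), "body": False, "attachment": []}
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            if attachment_matches(filename):
                hits["attachment"].append(filename)
        elif part.get_content_type() == "text/plain" and body_matches(part.get_content()):
            hits["body"] = True
    if hits["attachment"] and (hits["subject"] or hits["body"]):
        hits["verdict"] = "quarantine"  # lure text plus executable lure attachment
    elif hits["attachment"] or hits["subject"] or hits["body"]:
        hits["verdict"] = "suspicious"
    else:
        hits["verdict"] = "clean"
    return hits


def build_sample(subject, body, attachment_name):
    """Constructed test message (not a real capture); the attachment is a dummy blob."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"MZ dummy payload bytes", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_string()


if __name__ == "__main__":
    sample = build_sample(SUBJECTS[6], "Follow the instructions in the attachment.", "IMPORTANT.scr")
    print(score_message(sample))
```

A message is only sent to quarantine when the lure text and a matching executable attachment occur together; a lone subject match is reported as suspicious so that legitimate account notices are not dropped outright.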
The worm tries to connect to an IRC channel at a predefined address. An attacker who knows the channel password can instruct the bot to perform the following actions:
Request worm uptime
Request worm version
Shutdown worm
Download and execute files
Delete files
Update worm
Mytob.au tries to terminate processes with the following names:
regedit.exe msconfig.exe cmd.exe taskmgr.exe netstat.exe zapro.exe navw32.exe navapw32.exe zonealarm.exe wincfg32.exe PandaAVEngine.exe
It also modifies the system hosts file to block database updates from anti-virus vendors. The following hostnames are redirected to the localhost IP address (127.0.0.1):
www.symantec.com securityresponse.symantec.com symantec.com www.sophos.com sophos.com www.mcafee.com mcafee.com liveupdate.symantecliveupdate.com www.viruslist.com viruslist.com viruslist.com f-secure.com www.f-secure.com kaspersky.com kaspersky-labs.com www.avp.com www.kaspersky.com avp.com www.networkassociates.com networkassociates.com www.ca.com ca.com mast.mcafee.com my-etrust.com www.my-etrust.com download.mcafee.com dispatch.mcafee.com secure.nai.com nai.com www.nai.com update.symantec.com updates.symantec.com us.mcafee.com liveupdate.symantec.com customer.symantec.com rads.mcafee.com trendmicro.com www.trendmicro.com www.grisoft.com www.microsoft.com
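Because the redirection survives removal of the worm binary, a clean-up has to inspect the hosts file itself. The following is an added example, not F-Secure's tool or code from the description: it parses a hosts file, reports every hostname from the list above that is pinned to a sinkhole address, and returns a cleaned copy. The hosts file content is constructed for the demonstration, and treating ::1 and 0.0.0.0 as sinkholes alongside the page's 127.0.0.1 is an assumption that generalises the page's case.

```python
"""Audit and clean a Windows hosts file for the anti-virus update hostnames
that Mytob.au points at the loopback address."""
import ipaddress

# Hostnames listed in the description above (duplicates dropped).
AV_HOSTS = {h.lower() for h in """
www.symantec.com securityresponse.symantec.com symantec.com www.sophos.com
sophos.com www.mcafee.com mcafee.com liveupdate.symantecliveupdate.com
www.viruslist.com viruslist.com f-secure.com www.f-secure.com kaspersky.com
kaspersky-labs.com www.avp.com www.kaspersky.com avp.com
www.networkassociates.com networkassociates.com www.ca.com ca.com
mast.mcafee.com my-etrust.com www.my-etrust.com download.mcafee.com
dispatch.mcafee.com secure.nai.com nai.com www.nai.com update.symantec.com
updates.symantec.com us.mcafee.com liveupdate.symantec.com
customer.symantec.com rads.mcafee.com trendmicro.com www.trendmicro.com
www.grisoft.com www.microsoft.com
""".split()}

# Constructed sample, not a capture: two legitimate lines plus three added by the worm.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com securityresponse.symantec.com
127.0.0.1 www.microsoft.com   # comment left by whoever edited the file
10.0.0.5  intranet.corp.example
"""


def parse_hosts_line(line):
    """Return (ip, [hostnames]) for a data line, None for blank/comment lines."""
    fields = line.split("#", 1)[0].split()
    return (fields[0], fields[1:]) if fields else None


def is_sinkhole(ip):
    """True for addresses that silence a hostname: 127.0.0.1 as on the page,
    plus ::1 and 0.0.0.0 (assumption generalising the page's case)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text):
    """List (line_no, ip, hostname) for every AV hostname pinned to a sinkhole."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        parsed = parse_hosts_line(line)
        if parsed and is_sinkhole(parsed[0]):
            findings.extend((no, parsed[0], h) for h in parsed[1] if h.lower() in AV_HOSTS)
    return findings


def clean_hosts(text):
    """Return (cleaned_text, removed_hostnames); untouched lines are kept verbatim."""
    kept, removed = [], []
    for line in text.splitlines():
        parsed = parse_hosts_line(line)
        if parsed and is_sinkhole(parsed[0]):
            ip, names = parsed
            bad = [h for h in names if h.lower() in AV_HOSTS]
            if bad:
                removed.extend(bad)
                good = [h for h in names if h.lower() not in AV_HOSTS]
                if good:  # keep surviving names on the line, drop its trailing comment
                    kept.append(f"{ip} {' '.join(good)}")
                continue
        kept.append(line)
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    for no, ip, host in audit_hosts(SAMPLE_HOSTS):
        print(f"line {no}: {host} -> {ip}")
    cleaned, removed = clean_hosts(SAMPLE_HOSTS)
    print(f"removed {len(removed)} entries:\n{cleaned}")
```

Run it against %SystemRoot%\system32\drivers\etc\hosts after quarantining the worm; the standard "127.0.0.1 localhost" line and any non-sinkhole entries are left exactly as found.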