The Mytob.bd worm-backdoor appeared at the very end of May 2005. It sends emails containing a URL to a website that hosts an infected file, and it also contains an IRC-controlled backdoor.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
The worm is a PE executable file 26541 bytes long, packed with a new version of Unpack file compressor.
When run, the worm creates a mutex with the name 'H-B-O-T-H-T-M-L-TEST'. Then it copies itself as TEST3.EXE to the Windows System folder and creates startup keys for this file in the Registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "WINDOWS SYSTEM" = "test3.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices] "WINDOWS SYSTEM" = "test3.exe"
The worm also modifies the following key value (SharedAccess is the Windows Firewall / Internet Connection Sharing service; a Start value of 4 disables the service):
[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess] "Start" = dword:00000004
The worm has the capability to restore its file and startup keys in the Registry if they are modified or deleted.
To get victims' email addresses the worm reads the user's Address Book and also scans files with the following extensions on all hard disks and RAM drives:
txt htm sht jsp cgi xml php asp dbx tbb adb pl wab
The worm also scans the Internet Explorer cache folders and the Windows System folder. The worm ignores email addresses that contain any of the following substrings:
avp syma icrosof msn. hotmail panda sopho borlan inpris example mydomai nodomai ruslis .gov gov. .mil foo. berkeley unix math bsd mit.e gnu fsf. ibm.com google kernel linux fido usenet iana ietf rfc-ed sendmail arin. ripe. isi.e isc.o secur acketst pgp tanford.e utgers.ed mozilla root info samples postmaster webmaster noone nobody nothing anyone someone your you me bugs rating site contact soft no somebody privacy service help not submit feste ca gold-certs the.bat page admin icrosoft support ntivi unix bsd linux listserv certific google accoun spm spam
The worm sends email messages with different subjects. Here's the list of subject texts that the worm uses:
Notice: **Last Warning**
*IMPORTANT* Please Validate Your Account
Account Alert
Important Notification
*IMPORTANT* Please Confirm Your Account
Security measures
Notice of account limitation
The body text of the email messages sent by the worm is static:
Dear Valued Member, According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons Thank you for your attention to this question. We apologize for any inconvenience. Sincerely, Security Department Assistant.
where <domain_name> is the recipient's email account domain name.
It should be noted that the email is composed in HTML format and contains a URL that looks like this:
http://www.<domain_name>/confirm.php?email=<recipients_email>
where <domain_name> is the recipient's email account domain name and <recipients_email> is the recipient's email address. Here's an example:
Dear Valued Member, According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons Thank you for your attention to this question. We apologize for any inconvenience. Sincerely, Security Department Assistant.
In reality the URL points to a website at the IP address 62.193.220.183 that presumably hosts an infected file. However, this website is already down and we can't check what the name of the infected file is or how it is delivered to a recipient who clicks on the URL.
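The lure described above has three recognisable traits: a subject from the fixed list, the static "confirm your account" body text, and an HTML link whose visible text is www.<domain_name>/confirm.php?email=<recipients_email> while the real target is elsewhere. The following Python mail filter, added here as an example and not F-Secure's code, checks all three on a parsed message and, as a generalisation, flags any link whose displayed URL host differs from its href host. The two messages at the bottom are constructed samples (example.org and 203.0.113.7 are reserved documentation values standing in for the real domain and IP).

```python
"""Flag mail that matches the Mytob.bd account-confirmation lure.

Added example for this description, not F-Secure's code. It checks a parsed
message for: a subject from the listed set, the static body text, a link whose
displayed URL host differs from the href host, and a /confirm.php?email=<recipient>
link built from the recipient's own address. Sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Subject lines listed in the description.
LURE_SUBJECTS = {
    "Notice: **Last Warning**",
    "*IMPORTANT* Please Validate Your Account",
    "Account Alert",
    "Important Notification",
    "*IMPORTANT* Please Confirm Your Account",
    "Security measures",
    "Notice of account limitation",
}
BODY_MARKER = "confirm your account by the following link"
# <a ... href=URL ...>visible text</a>
ANCHOR_RE = re.compile(r'<a\s[^>]*?href=["\']?([^"\'\s>]+)[^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")


def is_confirm_link(url, recipient):
    """True for http://<host>/confirm.php?email=<recipient> (any host)."""
    parts = urlparse(url)
    emails = [v.lower() for v in parse_qs(parts.query).get("email", [])]
    return parts.path == "/confirm.php" and recipient.lower() in emails


def link_findings(html, recipient):
    """Inspect every anchor: report display/target host mismatches and
    confirm.php links aimed at the recipient (checked on href and on text)."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        shown = TAG_RE.sub("", text).strip()
        href_host = urlparse(href).hostname
        shown_host = urlparse(shown).hostname if shown.lower().startswith("http") else None
        if shown_host and href_host and shown_host != href_host:
            findings.append(f"mismatch:{shown_host}->{href_host}")
        if any(is_confirm_link(u, recipient) for u in (href, shown)):
            findings.append("confirm-link")
    return findings


def classify(raw_message):
    """Return the lure traits found in one RFC 822 message (empty list = clean)."""
    msg = message_from_string(raw_message)
    recipient = parseaddr(msg.get("To", ""))[1]
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", errors="replace")
    reasons = []
    if msg.get("Subject", "").strip() in LURE_SUBJECTS:
        reasons.append("subject")
    if BODY_MARKER in body.lower():
        reasons.append("body")
    reasons.extend(link_findings(body, recipient))
    return reasons


def is_lure(raw_message):
    """Two independent traits is treated as a confident match."""
    return len(classify(raw_message)) >= 2


# Constructed samples: example.org is a documentation domain and 203.0.113.7 a
# documentation IP; the description names 62.193.220.183 as the real host.
LURE_SAMPLE = """\
From: support@example.org
To: victim@example.org
Subject: Account Alert
Content-Type: text/html

<html><body>Dear Valued Member, According to our site policy you will have to
confirm your account by the following link or else your account will be
suspended within 24 hours for security reasons
<a href="http://203.0.113.7/confirm.php?email=victim@example.org">http://www.example.org/confirm.php?email=victim@example.org</a>
</body></html>
"""

BENIGN_SAMPLE = """\
From: alice@example.org
To: victim@example.org
Subject: Meeting notes
Content-Type: text/html

<html><body>Notes from today are at
<a href="http://www.example.org/wiki/notes">the wiki</a>.</body></html>
"""

if __name__ == "__main__":
    print("lure:", classify(LURE_SAMPLE))
    print("benign:", classify(BENIGN_SAMPLE))
```

The host-mismatch check is the durable part: the subject list and body text change between variants, but a link that displays the recipient's own domain while pointing at a bare IP is the pattern that makes this lure work, and it can be scored on its own.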
The worm fakes the sender's email address. It is composed from the following user names:
and the recipient's email account domain name.
When the worm is active it tries to connect to the following IRC server and channel:
If the connection is successful, the worm creates a bot in that channel. A hacker can send commands to a bot in order to control an infected computer. A hacker can do any of the following:
When the worm is active in memory it looks for and terminates processes with the following names:
In addition, the worm modifies the HOSTS file to block access to the following websites:
The modified HOSTS file is detected as 'Trojan.Win32.Qhost.cd'.
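The host-side artifacts in this description (the Run and RunServices values launching test3.exe, the SharedAccess Start value set to 4, and the rewritten HOSTS file) can be checked offline from exported files. The Python below is an added example, not F-Secure's tooling: it parses a .reg-style export (the text format `reg export` writes) and a HOSTS file and reports the Mytob.bd indicators. Because this page does not reproduce the list of blocked sites, the HOSTS check is generalised to flag any non-local hostname pinned to a loopback or null address. Both inputs at the bottom are constructed samples, and the av-vendor.test and corp.test names are invented.

```python
"""Check exported host artifacts for the Mytob.bd changes described above.

Added example for this description, not F-Secure's tooling. Inputs are plain
text: a .reg-style registry export and the contents of the HOSTS file. The
samples at the bottom are constructed.
"""
from collections import defaultdict

HKLM = "HKEY_LOCAL_MACHINE"
RUN_KEYS = [
    HKLM + r"\Software\Microsoft\Windows\CurrentVersion\Run",
    HKLM + r"\Software\Microsoft\Windows\CurrentVersion\RunServices",
]
SHARED_ACCESS = HKLM + r"\SYSTEM\CurrentControlSet\Services\SharedAccess"
WORM_VALUE_NAME = "WINDOWS SYSTEM"     # value name the worm creates
WORM_IMAGE = "test3.exe"               # file it points at
SERVICE_DISABLED = "dword:00000004"    # Start=4 means SERVICE_DISABLED


def parse_reg(text):
    """Parse [key] headers and "name"=data lines into {key_lower: {name: data}}.
    Accepts both HKEY_LOCAL_MACHINE and the HKLM shorthand used in the text."""
    keys = defaultdict(dict)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].replace("HKLM\\", HKLM + "\\").lower()
        elif current is not None and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            keys[current][name.strip().strip('"')] = data.strip().strip('"')
    return keys


def find_persistence(reg):
    """Return (key, name, data) for Run/RunServices values matching the worm's
    value name or launching test3.exe from any path."""
    hits = []
    for key in RUN_KEYS:
        for name, data in reg.get(key.lower(), {}).items():
            image = data.lower().replace("\\", "/").rsplit("/", 1)[-1]
            if name.upper() == WORM_VALUE_NAME or image == WORM_IMAGE:
                hits.append((key, name, data))
    return hits


def firewall_disabled(reg):
    """True when SharedAccess (Windows Firewall / ICS) has Start=4."""
    return reg.get(SHARED_ACCESS.lower(), {}).get("Start", "").lower() == SERVICE_DISABLED


SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def hijacked_hosts(text):
    """Return hostnames the HOSTS file pins to a sinkhole address, ignoring
    the legitimate localhost entries and comments."""
    hits = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        if ip in SINKHOLE_IPS:
            hits.extend(n for n in names if n.lower() not in LOCAL_NAMES)
    return hits


# Constructed registry export: two worm values, one benign value, firewall off.
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WINDOWS SYSTEM"="test3.exe"
"UpdateAgent"="C:\\Program Files\\Updater\\agent.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WINDOWS SYSTEM"="test3.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""

# Constructed HOSTS file; av-vendor.test and corp.test are invented names.
HOSTS_SAMPLE = """\
# constructed sample, not a real infected HOSTS file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.av-vendor.test www.av-vendor.test
192.0.2.10      intranet.corp.test
"""

if __name__ == "__main__":
    reg = parse_reg(REG_SAMPLE)
    for hit in find_persistence(reg):
        print("persistence:", hit)
    print("SharedAccess disabled:", firewall_disabled(reg))
    print("HOSTS hijacks:", hijacked_hosts(HOSTS_SAMPLE))
```

Since the worm restores its file and startup values when they are removed, a clean result from this check only means something after the process has been stopped; re-running it a minute later is the simplest way to confirm the restore loop is gone.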