W32/Mytob-HQ is a worm for the Windows platform.
W32/Mytob-HQ spreads itself using email attachments, instant messaging services, file sharing on P2P networks, network shares protected with weak passwords, buffer overflow vulnerabilities and the backdoor functionality of other malware including Troj/Kuang, Troj/Sub7, Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix.
Emails sent by the worm have message text such as the following:
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.
The worm includes IRC backdoor functionality, allowing a remote attacker to control the infected computer through IRC channels.
W32/Mytob-HQ is a worm for the Windows platform.
W32/Mytob-HQ spreads using:
email attachments
instant messaging services
file sharing on P2P networks
network shares protected with weak passwords
buffer overflow vulnerabilities including LSASS (MS04-011), RPC-DCOM (MS04-012), WebDav (MS03-007), IIS5SSL (MS04-011), Dameware (CAN-2003-1030), MSSQL (MS02-039), PNP (MS05-039)
the backdoor functionality of other malware including Troj/Kuang, Troj/Sub7, Troj/NetDevil, W32/MyDoom, W32/Bagle, Troj/Optix
Messages sent by the worm have the following characteristics:
Subject: one of
hello
hi
Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
<no subject>
<random letters>
Message text: one of
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.
test
<random data>
<no text>
Attachment name: one of the following basenames
body
message
test
data
file
text
doc
readme
document
<random letters>
The attachment may be either the worm executable (with a PIF, SCR, CMD, BAT or EXE extension) or a zip archive containing the worm executable. The executable may also have a double extension, the fake extension being one of HTM, DOC or TXT.
The worm harvests email addresses from the infected computer and uses these for both the sender and recipient addresses.
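The subject, body and attachment-name patterns listed above are mail-gateway indicators. The following added example (written for this page, not taken from the Sophos description or from any vendor product) scores a message against those exact lists, including the double-extension trick (a decoy HTM/DOC/TXT "extension" in front of the real PIF/SCR/CMD/BAT/EXE one). The two sample messages are constructed; the threshold of two indicators is an assumption chosen so that an empty subject or an empty body alone does not fire.

```python
# Indicator lists copied from the W32/Mytob-HQ description above (lower-cased for matching).
KNOWN_SUBJECTS = {"hello", "hi", "error", "status", "server report",
                  "mail transaction failed", "mail delivery system", ""}   # "" = <no subject>
KNOWN_BODIES = {
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
    "mail transaction failed. partial message is available.",
    "test",
    "",                                                                    # <no text>
}
KNOWN_BASENAMES = {"body", "message", "test", "data", "file", "text", "doc", "readme", "document"}
EXEC_EXTS = {"pif", "scr", "cmd", "bat", "exe"}
FAKE_EXTS = {"htm", "doc", "txt"}


def attachment_indicators(filename):
    """Reasons an attachment name matches the worm's naming scheme (empty list if none)."""
    reasons = []
    parts = filename.lower().split(".")
    base, exts = parts[0], parts[1:]
    if not exts:
        return reasons
    if base in KNOWN_BASENAMES:
        reasons.append("known basename")
    if exts[-1] in EXEC_EXTS:
        reasons.append("executable extension")
        # e.g. document.txt.scr: the inner "extension" is the decoy the page describes
        if len(exts) >= 2 and exts[-2] in FAKE_EXTS:
            reasons.append("double extension")
    elif exts[-1] == "zip":
        reasons.append("zip archive")
    return reasons


def message_indicators(msg):
    """msg is a dict with 'subject', 'body' and an optional 'attachment' key."""
    reasons = []
    if msg.get("subject", "").strip().lower() in KNOWN_SUBJECTS:
        reasons.append("known subject")
    body = " ".join(msg.get("body", "").split()).lower()   # collapse whitespace before comparing
    if body in KNOWN_BODIES:
        reasons.append("known body text")
    if msg.get("attachment"):
        reasons.extend(attachment_indicators(msg["attachment"]))
    return reasons


def is_suspect(msg, threshold=2):
    """Assumed policy: two independent indicators are needed before the message is flagged."""
    return len(message_indicators(msg)) >= threshold


# Constructed sample messages (not from the page): one mimicking the worm, one benign.
SAMPLE_WORM = {"subject": "Mail Transaction Failed",
               "body": "Mail transaction failed. Partial message is available.",
               "attachment": "document.txt.scr"}
SAMPLE_BENIGN = {"subject": "Lunch tomorrow?",
                 "body": "Are we still on for noon?",
                 "attachment": "menu.pdf"}

if __name__ == "__main__":
    for m in (SAMPLE_WORM, SAMPLE_BENIGN):
        print(m["attachment"], is_suspect(m), message_indicators(m))
```

Because the worm also uses random letters for subjects and attachment names, a miss on the subject or basename is expected; the executable or double extension on the attachment is the indicator that survives that randomisation, which is why it is scored separately from the basename.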
The W32/Mytob-HQ worm will attempt to send itself over IRC with any of the following filenames:
Nawal-elzoghbi.rm
Elissa+3a9y.rm
Nancy-3ajram.rm
Halima-Poland.rm
Hayfaa-Wahbi.rm
Christina_Aguilera.rm
Jessica_Simpson.rm
Mariah_Carey.rm
Thalia.rm
Beyonce.rm
Jennifer_Lopez.rm
Angilina_Jolie.rm
Madonna.rm
Britney.rm
Nawal-elzoghbi.mpeg
Elissa+3a9y.mpeg
Nancy-3ajram.mpeg
Halima-Poland.mpeg
Hayfaa-Wahbi.mpeg
Christina_Aguilera.mpeg
Jessica_Simpson.mpeg
Mariah_Carey.mpeg
Thalia.mpeg
Beyonce.mpeg
Jennifer_Lopez.mpeg
Angilina_Jolie.mpeg
Madonna.mpeg
Britney.mpeg
Nawal-elzoghbi.ram
Elissa+3a9y.ram
Nancy-3ajram.ram
Halima-Poland.ram
Hayfaa-Wahbi.ram
Christina_Aguilera.ram
Jessica_Simpson.ram
Mariah_Carey.ram
Thalia.ram
Beyonce.ram
Jennifer_Lopez.ram
Angilina_Jolie.ram
Madonna.ram
Britney.ram
Nawal-elzoghbi.mpg
Elissa+3a9y.mpg
Nancy-3ajram.mpg
Halima-Poland.mpg
Hayfaa-Wahbi.mpg
Christina_Aguilera.mpg
Jessica_Simpson.mpg
Mariah_Carey.mpg
Thalia.mpg
Beyonce.mpg
Jennifer_Lopez.mpg
Angilina_Jolie.mpg
Madonna.mpg
Britney.mpg
The worm copies itself to the shared folders of popular P2P applications with any of the following basenames and an executable extension:
nice_big_asshole_fuck_Jennifer_Lopez.scr
Madonna_the_most_sexiest_girl_in_the_world.com
Britney_Spears_sucks_someones_dick.scr
Mariah_Carey_showering_in_bathroom.com
Alcohol_120%%_patch
Outlook_hotmail+_fix
LimeWire_speed++
DarkAngel_Lady_get_fucked_so_hardly
Angilina_Jolie_Sucks_a_Dick
JenniferLopez_Film_Sexy_Enough
BritneySpears_SoSexy
DAP7.4.x.x_crack
NortonAV2006_Crack
YahooMessenger_Loader
MSN7.0UniversalPatch
MSN7.0Loader
KAV2006_Crack
ZoneAlarmPro6.xx_Crack
TaskCatcher
Opera8
notepad++
lcc-win32_update
RealPlayerv10.xx_crack
nuke2006
office_crack
rootkitXP
dcom_patch
strip-girl-3.0
activation_crack
icq2006-final
winamp6
W32/Mytob-HQ terminates the following processes:
ACKWIN32.EXE
ALOGSERV.EXE
AMON.EXE
ANTI-TROJAN.EXE
APVXDWIN.EXE
ATGUARD.EXE
AVE32.EXE
AVKSERV.EXE
AVNT.EXE
AVPCC.EXE
_AVPCC.EXE
AVPM.EXE
_AVPM.EXE
AVWIN95.EXE
BLACKICE.EXE
CLAW95CF.EXE
CMGRDIAN.EXE
ECENGINE.EXE
ESAFE.EXE
F-PROT95.EXE
FINDVIRU.EXE
_FINDVIRU.EXE
FP-WIN.EXE
FPROT.EXE
GUARDDOG.EXE
IAMAPP.EXE
IOMON98.EXE
KAVPF.EXE
LOOKOUT.EXE
NAVAPSVC.EXE
NAVAPW32.EXE
NAVNT.EXE
NAVW32.EXE
NAVWNT.EXE
NOD32.EXE
NSPLUGIN.EXE
OGRC.EXE
OUTPOST.EXE
OUTPOSTINSTALL.EXE
OUTPOSTPROINSTALL.EXE
RAV7.EXE
RULAUNCH.EXE
SCAN32.EXE
SPIDER.EXE
VET95.EXE
VETTRAY.EXE
VSMAIN.EXE
ZAPRO.EXE
ZAPSETUP3001.EXE
ZATUTOR.EXE
ZONALARM.EXE
ZONALM2601.EXE
ZONEALARM.EXE
The worm includes IRC backdoor functionality, allowing a remote attacker to control the infected computer through IRC channels.
When first run, W32/Mytob-HQ copies itself to:
<System>\sysmon.exe
The following registry entry is created to run sysmon.exe on startup (value name Win32 under the Run key):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32 = <System>\sysmon.exe
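The Run-key entry above is the host-side indicator an incident responder would check first. The following added example (not from the page or from Sophos) parses the output of the Windows `reg query` command for that key and flags values matching the description: a value named Win32 whose data is sysmon.exe is reported as a strong match, and any other Run value launching a file called sysmon.exe as a weak one. The sample output is constructed, not captured from a real host, and the Windows directory in it (C:\WINDOWS\system32) stands in for the page's <System> placeholder.

```python
import ntpath
import re

# Indicators from the description above: value name "Win32" under the Run key,
# data pointing at <System>\sysmon.exe.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IOC_VALUE_NAME = "win32"
IOC_EXE = "sysmon.exe"

# One value line of `reg query` output looks like: <indent>name  REG_TYPE  data
_VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*?)\s*$")


def parse_reg_query(text):
    """Turn `reg query <key>` output into (name, type, data) tuples; key header lines are skipped."""
    values = []
    for line in text.splitlines():
        m = _VALUE_RE.match(line)
        if m:
            values.append((m["name"], m["type"], m["data"]))
    return values


def find_mytob_persistence(values):
    """Return (name, data, confidence) for Run values that look like the worm's autostart entry."""
    hits = []
    for name, _type, data in values:
        # ntpath handles backslash paths on any platform; strip quotes around quoted paths
        exe = ntpath.basename(data.strip().strip('"')).lower()
        if exe != IOC_EXE:
            continue
        # Value name and file name both match the page: strong. File name only: weak,
        # worth a look but the name could have been reused by something else.
        confidence = "strong" if name.lower() == IOC_VALUE_NAME else "weak"
        hits.append((name, data, confidence))
    return hits


# Constructed sample output (not captured from a real host): one benign value, one matching value.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Win32    REG_SZ    C:\WINDOWS\system32\sysmon.exe
"""

if __name__ == "__main__":
    # On a live Windows host, replace SAMPLE_REG_QUERY with the stdout of
    # subprocess.run(["reg", "query", RUN_KEY], capture_output=True, text=True)
    for hit in find_mytob_persistence(parse_reg_query(SAMPLE_REG_QUERY)):
        print("Run value %r -> %s (%s match)" % hit)
```

The file name alone is a weak signal because Sysinternals also ships a tool called Sysmon; that tool runs as a service rather than from a Run value, so the combination of the Run key, the Win32 value name and a sysmon.exe in the system directory is what ties the finding to this worm.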