W32/Mytob-HZ

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports
Protection available since: 26 May 2006 00:00:00 (GMT)
Last Updated: 26 May 2006 00:00:00 (GMT)

W32/Mytob-HZ is a mass-mailing worm with backdoor functionality that can be controlled through the Internet Relay Chat (IRC) network.

W32/Mytob-HZ spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011) and ASN.1 (MS04-007).

W32/Mytob-HZ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Mytob-HZ sends emails in the following format, with details filled in to make the email look more authentic:

Subject line chosen from:

*DETECTED* Online User Violation
*WARNING* Your email account is suspended
Email Account Suspension
Important Notification
Members Support
Notice of account limitation
Security measures
Warning Message: Your services near to be closed.
We have suspended your account
You are banned!!!
Your Account is Suspended
Your Account is Suspended For Security Reasons
<random characters>

Message text chosen from (the worm will insert the username and the email domain of the addressee into the email):

Dear <domain> Member,

We have temporarily suspended your email account <domain>.

This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.

Sincerely,The <domain> Support Team

Some information about your <domain> account is attached.

The <domain> Support Team

Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.

Virtually yours,

The attached file consists of a base name followed by the extension ZIP. The worm may optionally create double extensions where the first extension is DOC, TXT or HTM and the final extension is BAT, CMD, PIF, SCR, EXE or ZIP. The base filenames are randomly chosen from:

updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
<random characters>

W32/Mytob-HZ harvests email addresses from files on the infected computer and from the Windows address book.

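As an added example (not part of the Sophos advisory), the following Python gateway-side check flags the lure described above by its subject line and by the attachment naming scheme (a listed base name, an optional DOC/TXT/HTM decoy extension, and a final BAT/CMD/PIF/SCR/EXE/ZIP extension); the sample message is constructed, not a real capture.

```python
import re
from email import message_from_string

# Subject lines, attachment base names and extensions listed in the advisory.
SUBJECTS = {s.lower() for s in (
    "*DETECTED* Online User Violation", "*WARNING* Your email account is suspended",
    "Email Account Suspension", "Important Notification", "Members Support",
    "Notice of account limitation", "Security measures", "You are banned!!!",
    "Warning Message: Your services near to be closed.", "We have suspended your account",
    "Your Account is Suspended", "Your Account is Suspended For Security Reasons")}
BASE_NAMES = {"updated-password", "email-password", "new-password", "password",
              "approved-password", "account-password", "accepted-password",
              "important-details", "account-details", "email-details",
              "account-info", "document", "readme", "account-report"}
FIRST_EXT = {"doc", "txt", "htm"}                      # optional decoy extension
FINAL_EXT = {"bat", "cmd", "pif", "scr", "exe", "zip"}  # real (last) extension
NAME_RE = re.compile(r"^(?P<base>[^.]+)(?:\.(?P<first>[a-z]+))?\.(?P<final>[a-z]+)$", re.I)

def attachment_matches(filename):
    """True if the name fits <known base>[.doc|.txt|.htm].<bat|cmd|pif|scr|exe|zip>."""
    m = NAME_RE.match(filename.strip())
    if not m or m["final"].lower() not in FINAL_EXT:
        return False
    if m["first"] and m["first"].lower() not in FIRST_EXT:
        return False
    return m["base"].lower() in BASE_NAMES  # random base names also occur; only listed ones match

def scan_message(raw):
    """Return the lure indicators found in a raw RFC 822 message string."""
    msg = message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        hits.append("subject:" + msg["Subject"].strip())
    for part in msg.walk():
        name = part.get_filename()
        if name and attachment_matches(name):
            hits.append("attachment:" + name)
    return hits

# Constructed sample (not a real capture): a listed subject plus a double-extension attachment.
SAMPLE = """\
Subject: Your Account is Suspended
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Disposition: attachment; filename="account-details.doc.exe"

UEsDBA==
--b1--
"""
```

A subject built from random characters will not match, so the attachment rule is the more reliable of the two signals.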
When first run W32/Mytob-HZ copies itself to <Windows system folder>\svchosts.exe.

The following registry entries (key, value name, value data) are created to run svchosts.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Win32 Cnfg32
svchosts.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32 Cnfg32
svchosts.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Win32 Cnfg32
svchosts.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Win32 Cnfg32
svchosts.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Win32 Cnfg32
svchosts.exe

The file svchosts.exe is registered as a new file system driver service named "shit", with a display name of "shit". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\shit\
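An added example, not part of the advisory: a Python triage helper that parses a `.reg` export (as produced by `reg export`) and reports the autorun values and the service key listed above. The export text is constructed; the `Updater` entry is a benign placeholder to show that unrelated values are ignored.

```python
import re

# Autorun keys and the service key named in the advisory (HKCU/HKLM short form).
AUTORUN_KEYS = {k.lower() for k in (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices")}
SERVICE_KEY = r"hklm\system\currentcontrolset\services\shit"
HIVES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}; only string values are kept."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, path = line[1:-1].partition("\\")
            current = HIVES.get(hive, hive) + "\\" + path
            keys.setdefault(current, {})
        elif current and (m := VALUE_RE.match(line)):
            keys[current][m["name"]] = m["data"].replace("\\\\", "\\")  # un-escape .reg backslashes
    return keys

def find_mytob_persistence(text):
    """Return the advisory's registry indicators present in a .reg export."""
    findings = []
    for key, values in parse_reg(text).items():
        key_l = key.lower()
        if key_l in AUTORUN_KEYS:
            data = values.get("Win32 Cnfg32", "")
            if data.lower().endswith("svchosts.exe"):
                findings.append(f"{key}\\Win32 Cnfg32 = {data}")
        if key_l == SERVICE_KEY or key_l.startswith(SERVICE_KEY + "\\"):
            findings.append(f"service key present: {key}")
    return findings

# Constructed sample export (not a real capture): one infected autorun value, one benign one.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Win32 Cnfg32"="svchosts.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\shit]
"DisplayName"="shit"
"""
```

Real exports are UTF-16 with a BOM, so decode the file before passing its text in.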