427 Botnet fm qxd

■
McAfee: W32/Mytob.gen@MM
■
Symantec: W32.Mytob@mm
■
Trend Micro: Worm_Mytob.gen
■
Kaspersky: Net-Worm.Win32.Mytob.Gen
■
CA: Win32.Mytob Family
■
Sophos: W32/Mytob-Fam
N
OTE
At the beginning of 2005, the authors of the Mytob worm entered into
a malware war against the Sober worm. Each malware attempted to
outdo the other, sometimes disabling or removing the opposing worm
in the process of infecting a system. The malware war kept antivirus
vendors and corporate administrators on their toes because the escala-
tion sometimes resulted in many new variants of each on a given day.
Infection
Mytob arrives on the target system via e-mail with some sort of file attach-
ment.The purpose of the e-mail is to trick or lure the user into opening and
executing the file attachment, thereby installing the worm on the user’s
system and continuing the cycle of infection and propagation.
Signs of Compromise
If you believe that your computer could be infected with Mytob, there are a
few clues you can look for to verify your suspicions.
System Folder
When a system becomes infected with the Mytob worm, a copy of the mal-
ware is placed in the %System% directory (typically C:\Windows\System32)
named wfdmgr.exe.
www.syngress.com
124
Chapter 4 • Common Botnets
427_Bot_ch04.qxt 1/9/07 3:03 PM Page 124

Registry Entries
Mytob alters one or more of the following registry keys to ensure that it is
started each time Windows starts:
■
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run “LSA” = wfdmgr.exe 
■
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run “LSA” = wfdmgr.exe 
■
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\
RunServices “LSA” = wfdmgr.exe 
■
Additional keys/values are created, which are typically associated with
W32/Sdbot.worm:
■
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\
Control\Lsa “LSA” = wfdmgr.exe 
■
HKEY_CURRENT_USER\Software\Microsoft\OLE
“LSA” = wfdmgr.exe 
Unexpected Traffic
Mytob is a mass-mailing worm first and foremost. However, it earned a spot
in this book by virtue of being a very successful piece of malware that also
includes bot functionality from the SDBot family. An infected system will
attempt to connect to irc.blackcarder.net and join a specific IRC channel for
further instructions.
Propagation
Mytob spreads almost exclusively via e-mail. Once a system is infected,
Mytob will scan the system for files with file extensions like those shown in
Table 4.10 from which to harvest e-mail addresses The worm tries to fly
under the radar and remain undetected, though. So, the domains listed in
Table 4.11 are eliminated from the harvested e-mail addresses before Mytob
starts generating the spam e-mail messages to try to propagate itself.

Download 6,98 Mb.

Do'stlaringiz bilan baham: