Oh the joys of running webservers and being the admin contact for _many_ domains. I’ve been receiving tons of spam generated by the W32.Mytob.EH@mm worm. We’re talking 10 or 20 a day. Plus I’ve been receiving tons more bounce messages, and a few aggravated “abuse” report emails from aggravated netizens, who’ve received spams where my addresses have been faked in the “From:” field.
(No, I’m not infected – these mails are being generated by other people’s computers. The worm trawls the infected computer’s address book and files, looking for domain names.)
Symantec has a brilliant, detailed description about W32.Mytob.EH@mm. It’s really a textbook case on how to write such a worm:
- Executes itself as a Windows-looking exe
- Is pre-programmed with the directory locations most likely to contain email addresses: minimising disk activity and therefore human-detection
- Parses email addresses so that just the domain is captured – allowing multiple messages to be sent to different addresses at the same domain
- Avoids sending emails to admin-looking addresses (to reduce the chances of someone techie receiving the mail + knowing what to do with it), and to various educational establishments
- Takes the list of domains and attempts to connect to each domain’s SMTP server to see if it’s an open relay. When it does locate a vulnerable SMTP server, the worm masquerades so that the host computer looks like it is from that domain too, to make detection harder.
- Uses the lessons learnt from phishing to create various different emails that incite the user to open the attachment – the body of the email looks like it’s come from the administrator or helpdesk of the domain, informing them that their account has been suspended, etc.
- Includes the worm as an attached payload for replication
- Connects to an IRC channel to enable zombie control (distributed denial of service, execute local files, etc)
- Blocks access to security-related websites such as Symantec by altering the hosts file to point to localhost
- Attempts to crash antivirus applications so that they cannot detect the worm
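One practical check you can run on a suspect machine is to look for the hosts-file trick from the list above: entries that send security-vendor domains to the loopback address. This is an added example, not from the original post or from Symantec; the vendor domain list and the sample hosts content are constructed for illustration, and treating 0.0.0.0 as a blackhole address alongside 127.0.0.1 is my own generalisation.

```python
# Added example (not from the original post): flag hosts-file entries that
# redirect well-known security-vendor domains to a loopback/blackhole address,
# the technique the worm uses to block access to sites such as Symantec.
# SUSPECT_DOMAINS and SAMPLE_HOSTS are constructed; adjust the list to the
# vendors you actually rely on. Checks 127.0.0.1, ::1 and also 0.0.0.0
# (the last is an assumption: a common blackhole address, not mentioned above).
import re

SUSPECT_DOMAINS = (
    "symantec.com",
    "sophos.com",
    "mcafee.com",
    "kaspersky.com",
    "windowsupdate.com",
)

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = re.split(r"\s+", line)
        ip, names = parts[0], parts[1:]       # one IP, one or more names
        for name in names:
            yield ip, name.lower()


def is_suspect(hostname):
    """True if hostname is a vendor domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in SUSPECT_DOMAINS)


def find_hijacked_entries(text):
    """Return hosts entries that map a security-vendor name to loopback."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if ip in LOOPBACK and is_suspect(name)]


# Constructed sample: a normal hosts file with three injected entries.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.example.org
127.0.0.1       www.symantec.com   # injected
127.0.0.1       securityresponse.symantec.com
0.0.0.0         update.sophos.com
127.0.0.1       notsymantec.com
"""

if __name__ == "__main__":
    for ip, name in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"suspicious: {ip} -> {name}")
```

On a real machine, read the contents of `C:\Windows\System32\drivers\etc\hosts` (or `/etc/hosts`) into `find_hijacked_entries` instead of the sample.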
It’s a pretty nasty one. Please keep your virus definition files up to date. (You do have an anti-virus application installed, don’t you?)