Mytob.U_2 is a Worm. Worms spread from computer to computer, making copies of themselves over the network. They could spread over email, IM, peer-to-peer networks, or directly over the wire by leveraging vulnerabilities. Mytob.U_2 has a file size of 97,280 bytes. It uses the network connection: - Looks for an Internet connection.
- Connects to "spm.slo-partija.info" on port 48275 (TCP).
- Sends data stream (12 bytes) to remote address "spm.slo-partija.info", port 48275.
- Sends data stream (50 bytes) to remote address "spm.slo-partija.info", port 48275.
- Connects to IRC Server.
- IRC: Uses nickname [I]bhdpwilevzxc.
Mytob.U_2 drops the following files on the hard drive: - C:\WINDOWS\SYSTEM32\rnathchk.exe (97280 bytes)
- C:\pic.scr (97280 bytes)
- C:\see_this!.pif (97280 bytes)
- C:\my_picture.scr (97280 bytes)
It also changes Windows registry: - Creates value "RealPlayer Ath Check"="rnathchk.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
- Creates value "RealPlayer Ath Check"="rnathchk.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
- Creates value "RealPlayer Ath Check"="rnathchk.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
- Creates key "HKCU\Software\Microsoft\OLE".
- Sets value "RealPlayer Ath Check"="rnathchk.exe" in key "HKCU\Software\Microsoft\OLE".
- Creates key "HKCU\Software\SYSTEM\CurrentControlSet\Control\Lsa".
- Sets value "RealPlayer Ath Check"="rnathchk.exe" in key "HKCU\Software\SYSTEM\CurrentControlSet\Control\Lsa".
- Creates key "HKLM\Software\Microsoft\OLE".
- Sets value "RealPlayer Ath Check"="rnathchk.exe" in key "HKLM\Software\Microsoft\OLE".
- Sets value "RealPlayer Ath Check"="rnathchk.exe" in key "HKLM\System\CurrentControlSet\Control\Lsa".
It creates the following mutex to ensure only one instance is running: I_FUCK_DEAD_PPL. It also has possible backdoor functionality [unknown] port 36276, is executed every time Windows starts.
|
