Weekly Report on Viruses and Intruders – Mytob.LX worm, Ryknos.G and Downloader.GPH trojans

The Mytob.LX worm is mass-mailed in an email message that informs users that in order to continue using the services of a certain security company, they must visit a web page (in order to confirm their email address). However, when users access this website, a file called Confirmation_Sheet.pif is downloaded, which is a copy of Mytob.LX

When it has been installed on a computer, this worm looks for email addresses (in temporary Internet files, the user’s address book and files with certain extensions) which contain certain text strings. It then sends itself to the addresses it finds using its own SMTP engine. To contact remote SMTP servers, Mytob.LX adds one of the following prefixes to the mail domain: gate, mail1, mail, mx, mx1, mxs, ns, relay and smtp.

Mytob.LX opens a backdoor to connect to an IRC server to receive control commands. This worm also ends various processes, if they are active. Some of these processes correspond to antivirus solutions. It also modifies the host file to prevent the user form accessing various websites belonging to security companies.

The backdoor Trojan in this week’s report is Ryknos.G which cannot spread using its own means but needs to be distributed manually by third-parties (via email, Internet downloads, file transfers via FTP or other means). To avoid detection and analysis, it does not run on computers called “sandbox” with the username “CurrentUser” (as this data is normally used in computers used to capture and analyze malware).

Ryknos.G carries out various actions on the computers it infects, including the following:

– It ends processes belonging to various firewalls and antivirus programs, leaving the PC unprotected.

– It connects to the #ran2 channel of an IRC to receive remote control commands to carry out.

– It generates several entries in the Windows Registry in order to ensure it is run whenever Windows is started up.

We are going to finish this week’s report with Downloader.GPH, a Trojan that displays an error message when it is run. What’s more, it downloads a file to affect computers, which downloads and runs several files corresponding to a worm and a Trojan.




Share this