Description:
To get a one-glance comprehensive view of the behavior of this worm, refer to the Behavior Diagram shown below.
Malware Overview
Similar to other MYTOB variants, this memory-resident worm propagates by sending a copy of itself as an attachment (file size is around 29,868 to 29,882 bytes) to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine.
This email message has the following details:
Subject: (any of the following)
• {Random}
• *DETECTED* Online User Violation
• *IMPORTANT* Please Validate Your Email Account
• *IMPORTANT* Your Account Has Been Locked
• *WARNING* Your Email Account Will Be Closed
• Account Alert
• Email Account Suspension
• Important Notification
• Notice of account limitation
• Notice: **Last Warning**
• Notice:***Your email account will be suspended***
• Security measures
• Your email account access is restricted
• Your Email Account is Suspended For Security Reasons
Message body: (any of the following)
• Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
• please look at attached document.
• Please read the attached document and follow it's instructions.
• Please see the attachement.
• The original message has been included as an attachment.
• To safeguard your email account from possible termination, please see the attached file.
• To unblock your email account acces, please see the attachement.
• We attached some important information regarding your account.
• We have suspended some of your email services, to resolve the problem you should read the attached document.
• We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.
Attachment: (a .ZIP file that contains a copy of this worm, named with any combination of the following file names and extension names)
File name:
• {random}
• account-details
• document
• document_full
• email-doc
• email-info
• info
• information
• info-text
• instructions
• your_details
Extension name:
• BAT
• CMD
• EXE
• PIF
• SCR
• ZIP
The file name extension of the archived file is also followed by a dot ("."), 70 empty spaces, another dot, and any of the following extensions:
• EXE
• SCR
• PIF
The following are sample email messages sent by this worm:
[Sample email message screenshots not reproduced in this text.]
It gathers target email addresses from the Temporary Internet files folder, Windows Address Book (WAB), as well as from files with certain extension names. It may also generate email addresses by using a list of names and any of the domain names of the previously gathered addresses.
This worm has backdoor capabilities, which allow a remote user to perform malicious commands on the affected machine. The said routine provides remote users virtual control over affected systems, thus compromising system security.
Moreover, it prevents users from accessing several antivirus and security Web sites by redirecting the connection to the local machine. It also terminates several processes.
This worm also downloads a file, which Trend Micro detects as TSPY_AGENT.H. This downloaded file then drops an adware Trend Micro detects as ADW_MEDTICKS.A.
For additional information about this threat, see: Solution Technical Details
Description created: May. 29, 2005 7:05:21 PM GMT -0800
Description updated: May. 30, 2005 1:09:36 AM GMT -0800