WORM_MYTOB.BI - Description and solution

TrendLabs Malware Blog

Glossary

TrendWatch

TrendLabs Twitter

WORM_MYTOB.BI

Overview

Solution

Technical Details

Malware type: Worm

Aliases: Net-Worm.Win32.Mytob.bf (Kaspersky), W32.Mytob.CU@mm (Symantec), Worm/Mytob.ED (Avira), W32/Mytob-CP (Sophos),

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:
Damage potential:		High
Distribution potential:		High

Description:

To get a one glance comprehensive view of the behavior of this worm, refer to the Behavior Diagram shown below.

WORM_MYTOB.BI Behavior Diagram

Malware Overview

Similar to other MYTOB variants, this memory-resident worm propagates by sending a copy of itself as an attachment (file size is around 60,928 to 61,194 bytes) to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine.

This email message has the following details:

Subject: (any of the following)
{Random}
*DETECTED* Online User Violation
*WARNING* Your Email Account Will Be Closed
Account Alert
Email Account Suspension
Important Notification
Notice of account limitation
Notice: **Last Warning**
Security measures
Your Email Account is Suspended For Security Reasons

Message body: (any of the following)
Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
Please read the attached document and follow it's instructions.
The original message has been included as an attachment.
We attached some important information regarding your account.
We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.

Attachment: (.ZIP file around 60,928 to 61,194 bytes in size, which contains a copy of this worm with any combination of the following file names and extension names)

File name:
{random}
account-details
document
email-doc
email-info
information
INFO
info-text
instructions

Extension:
DOC
HTM
TXT

The file name extension of the archived file is also followed by a dot ("."), 70 empty spaces, another dot, and any of the following extensions:
EXE
SCR
PIF

The email that it sends appear as:

It gathers target email addresses from the Temporary Internet files folder, Windows Address Book (WAB), as well as from files with certain extension names. It may also generate email addresses by using a list of names and any of the domain names of the previously gathered addresses.

This worm has backdoor capabilities. It opens a random port, allowing a remote user to access and perform malicious commands on the affected machine. The said routine provides remote users virtual control over affected systems, thus compromising system security.

Moreover, it prevents users from accessing several antivirus and security Web sites by redirecting the connection to the local machine. It also terminates several processes.

This worm also downloads a file, which Trend Micro detects as TSPY_AGENT.H, from a certain site. The downloaded file then installs an adware Trend Micro detects as ADW_MEDTICKS.A.

For additional information about this threat, see:
Solution
Technical Details

Description created: May. 31, 2005 3:58:18 AM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.