WORM_MYTOB.C - Description and solution

TrendLabs Malware Blog

Glossary

TrendWatch

TrendLabs Twitter

WORM_MYTOB.C

Overview

Solution

Technical Details

Malware type: Worm

Aliases: Net-Worm.Win32.Mytob.ba (Kaspersky), W32.Mydoom.BU@mm (Symantec), Worm/Mytob.DZ (Avira), W32/Mytob-CN (Sophos),

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: Yes

Overall risk rating:

Reported infections:
Damage potential:		High
Distribution potential:		High

Description:

This worm propagates via network shares. It searches for available network shares and attempts to drop copies into these shares. It also generates random IP addresses and attempts to drop copies of itself into default shares of taraget addresses.

It also propagates via email. It sends copies of itself as attachment of email messages that it sends to target addresses. It gathers target email addresses from the Temporary Internet folder and from files with certain file names extensions. It may also generate email addresses by using a list of names and any of the domain names of the previously harvested email addresses.

Using its own Simple Mail Transfer Protocol (SMTP) engine, it then sends email messages with the following details via the default SMTP server:

Subject: (any of the following)
�Error
�Hello
�hi
�Mail Delivery System
�Mail Transaction Failed
�Server Report
�Status

Message body: (any of the following)
�Mail transaction failed. Partial message is available.
�test
�The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
�The message contains Unicode characters and has been sent as a binary attachment.

Attachment: (any of the following)
�body
�data
�document
�file
�message
�readme
�test

(with any of the following file name extensions)
�bat
�cmd
�exe
�scr
�pif

It is known to compress the attachment using ZIP compression when available.

This worm has backdoor capabilities. It connects to the Internet Relay Chat (IRC) server irc.blackcarder.net and joins a specific IRC channel, where it listens for commands coming from a remote malicious user. It executes these commands locally on an affected system, proving the remote user virtual control over the system.

It also sets up an FTP server using a random port.

For additional information about this threat, see:
Solution
Technical Details

Description created: Mar. 2, 2005 1:25:25 AM GMT -0800
Description updated: Mar. 3, 2005 8:47:46 PM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.