WORM_MYTOB.EG - Description and solution

TrendLabs Malware Blog

Glossary

TrendWatch

TrendLabs Twitter

WORM_MYTOB.EG

Overview

Solution

Technical Details

Malware type: Worm

Aliases: Net-Worm.Win32.Mytob.au (Kaspersky), W32/Mytob-AU (Sophos),

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:
Damage potential:		High
Distribution potential:		High

Description:

As of May 9, 2005, 5:57 PM (PDT), TrendLabs has declared a medium risk alert to control the spread of this worm.

To get a one-glance comprehensive view of the behavior of this worm, refer to the Behavior Diagram shown below.

WORM_MYTOB.EG Behavior Diagram

This memory-resident worm propagates by sending a copy of itself as an attachment to an email message, which it sends to target recipients, using its own Simple Mail Transfer Protocol (SMTP) engine.

The email it sends out has the following details:

Subject: (any of the following)
- *IMPORTANT* Please Validate Your Email Account
- *IMPORTANT* Your Account Has Been Locked
- {random}
- Email Account Suspension
- Notice: **Last Warning**
- Notice:***Your email account will be suspended***
- Security measures
- Your email account access is restricted
- Your Email Account is Suspended For Security Reasons

Message body: (any of the following)
- Account Information Are Attached!
- Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
- please look at attached document.
- To safeguard your email account from possible termination, please see the attached file.
- To unblock your email account acces, please see the attachement.
- We have suspended some of your email services, to resolve the problem you should read the attached document.
- {random}

Attachment: (any of the following file names)
- {random}
- document_full
- email-doc
- email-info
- email-text
- IMPORTANT
- information
- info-text
- your_details

(any of the following extensions)
- BAT
- CMD
- EXE
- PIF
- SCR
- ZIP

It gathers target email addresses from the Temporary Internet Files folder, Windows address book (WAB), as well as from files with certain extension names. It may also generate email addresses by using a list of names and any of the domain names of the previously gathered addresses.

This worm has backdoor capabilities, which allow a remote user to perform malicious commands on the affected machine. The said routine provides remote users virtual control over affected systems, thus compromising system security.

Moreover, it prevents users from accessing several antivirus and security Web sites by redirecting the connection to the local machine.

For additional information about this threat, see:
Solution
Technical Details

Description created: May. 9, 2005 12:41:49 PM GMT -0800
Description updated: May. 10, 2005 3:28:59 AM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.