WORM_MYTOB.EQ - Description and solution

TrendLabs Malware Blog

Glossary

TrendWatch

TrendLabs Twitter

WORM_MYTOB.EQ

Overview

Solution

Technical Details

Malware type: Worm

Aliases: Net-Worm.Win32.Mytob.as (Kaspersky), W32.Mytob.CE@mm (Symantec), Worm/Mytob.DD (Avira), W32/Mytob-AY (Sophos),

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:
Damage potential:		High
Distribution potential:		High

Description:

This memory-resident worm propagates by sending a copy of itself as an email attachment, which it sends to target recipients, using its own Simple Mail Transfer Protocol (SMTP) engine.

The email it sends out has the following details:

Subject: (any of the following)
� *IMPORTANT* Please Validate Your Email Account
� *IMPORTANT* Your Account Has Been Locked
� Email Account Suspension
� Notice***Your Email Account will be Suspended***
� Notice: **Last Warning**
� Security Measures
� Your Email Account is Access Restricted
� Your Email Account is suspended for security reasons
� {Random Characters}

Message body: (any of the following)
� Account Information Are Attached!
� Follow the instructions in the attachment.
� Once you have completed the form in the attached file, your account records will not be interrupted and will continue as normal.
� please look at attached document.
� To safeguard your email account from possible termination, please see the attached file.
� To unblock your email account access, please see the attachment.
� We have suspended some of your email services, to resolve the problem you should read the attached document.
� {Random Characters}

Attachment: (any of the following file names)
� document_full
� email-doc
� email-info
� email-text
� IMPORTANT
� INFO
� info-text
� information
� your_details
� {random}

(with any of the following extensions)
� .BAT
� .CMD
� .EXE
� .PIF
� .SCR
� .ZIP

It gathers target email addresses from the Temporary Internet folder, Windows address book (WAB), as well as from files with certain extension names. It may also generate email addresses by using a list of names and any of the domain names of the previously gathered addresses.

This worm has backdoor capabilities, which allow a remote user to perform malicious commands on the affected machine. The said routine provides remote users virtual control over affected systems, thus compromising system security.

Moreover, it prevents users from accessing several antivirus and security Web sites by redirecting the connection to the local machine.

For additional information about this threat, see:
Solution
Technical Details

Description created: May. 16, 2005 8:17:56 AM GMT -0800
Description updated: May. 16, 2005 8:18:10 AM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.