WORM_MYTOB.ER
Overview

Malware type: Worm

Aliases: Net-Worm.Win32.Mytob.au (Kaspersky), W32.Mytob.CE@mm (Symantec), Worm/Mytob.JQ (Avira), W32/Mytob-CJ (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

To get a one-glance comprehensive view of the behavior of this worm, refer to the Behavior Diagram shown below.

WORM_MYTOB.ER Behavior Diagram

Upon execution, this memory-resident worm drops a copy of itself in the Windows system folder as the file SKY.EXE.

It propagates by mass-mailing: it sends a copy of itself as an attachment to email messages addressed to harvested target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine rather than the local mail client.

The email message has the following details:

Subject: (any of the following)
·*IMPORTANT* Please Validate Your Email Account
·*WARNING* Your Email Account Will Be Closed
·{random characters}
·Email Account Suspension
·Notice: **Last Warning**
·Notice:***Your email account will be suspended***
·Security measures
·SUSPENDED ACCOUNT
·Your Email Account has been Blocked
·Your Email Account is Suspended For Security Reasons

Message body: (any of the following)
·{random characters}
·Account Information Are Attached!
·Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
·To safeguard your email account from possible termination, Please follow the instructions in the attached file.
·We have suspended some of your email services, to resolve the problem you should read the attached document.
·We have temporarily limited access to sensitive account features. Please see the attached document for more information.

Attachment: (any of the following file names)
·{random}
·account-details
·document
·email-doc
·email-info
·information
·info-text
·instructions

with any of the following extensions:
·BAT
·CMD
·EXE
·PIF
·SCR
·ZIP
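The lure subjects, attachment names and extensions above are usable as mail-gateway indicators. The following is an added example (not Trend Micro's code) that parses a message with Python's standard `email` library and scores it against those lists. The sample messages are constructed here for illustration; the two-hit quarantine threshold and the `build_sample` helper are my own assumptions, not part of the description.

```python
"""Triage inbound mail against the WORM_MYTOB.ER lure strings.

Added example, not code from the malware description. Subject, attachment
name and extension lists are taken from the description; the scoring
threshold is an assumption chosen for illustration.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Lure subjects quoted in the description, normalised to lower case.
# The "{random characters}" variant cannot be enumerated and is not listed.
SUBJECTS = {
    "*important* please validate your email account",
    "*warning* your email account will be closed",
    "email account suspension",
    "notice: **last warning**",
    "notice:***your email account will be suspended***",
    "security measures",
    "suspended account",
    "your email account has been blocked",
    "your email account is suspended for security reasons",
}

# Attachment base names and extensions quoted in the description.
ATTACHMENT_NAMES = {"account-details", "document", "email-doc", "email-info",
                    "information", "info-text", "instructions"}
EXTENSIONS = {".bat", ".cmd", ".exe", ".pif", ".scr", ".zip"}


def attachment_names(msg):
    """Return the filenames of every MIME part that carries one."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def triage(raw_message):
    """Classify a raw RFC 822 message.

    Returns (verdict, hits). One indicator alone sends the mail for review;
    two or more (e.g. lure subject plus executable attachment) quarantine it.
    The threshold is an assumption for this example.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    hits = []
    if subject in SUBJECTS:
        hits.append("subject")
    for name in attachment_names(msg):
        base, ext = os.path.splitext(name.lower())
        if ext in EXTENSIONS:
            hits.append(f"extension:{ext}")
        if base in ATTACHMENT_NAMES:
            hits.append(f"name:{base}")
    if len(hits) >= 2:
        return "quarantine", hits
    return ("review" if hits else "pass"), hits


def build_sample(subject, body, filename):
    """Construct a sample message with one binary attachment (test fixture)."""
    m = EmailMessage()
    m["From"] = "account-security@example.test"   # constructed sender
    m["To"] = "user@example.test"                 # constructed recipient
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"MZ\x90\x00placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    lure = build_sample("SUSPENDED ACCOUNT",
                        "Account Information Are Attached!",
                        "account-details.zip")
    benign = build_sample("Lunch plans", "Noon on Friday?", "notes.txt")
    print(triage(lure))    # ('quarantine', ['subject', 'extension:.zip', 'name:account-details'])
    print(triage(benign))  # ('pass', [])
```

The matcher is deliberately exact on subject strings; a production rule would also normalise whitespace and handle the `{random characters}` variants by combining the attachment indicators with the sending behaviour (direct-to-MX SMTP from a workstation) rather than the subject alone.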

This worm has backdoor capabilities, which enable it to connect to the Internet Relay Chat (IRC) server irc.blackcarder.net. Once a connection is established, it joins the IRC channel #skyline, where it listens for commands coming from a remote malicious user.

It terminates processes related to antivirus and security applications, and it also blocks access to a list of antivirus vendor sites.
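The dropped file name, the IRC server and the channel named above are host and network indicators a responder can sweep for. Below is an added example (not Trend Micro's code) that scans a constructed, single-format activity log for those three indicators and groups findings by source host. The log line format, the host addresses and the `scan_indicators` function are assumptions made for this example.

```python
"""Sweep an activity log for WORM_MYTOB.ER host and network indicators.

Added example, not code from the malware description. Indicators (SKY.EXE,
irc.blackcarder.net, #skyline) come from the description; the log format
"<timestamp> <source> <kind> <detail>" is constructed for this example.
"""
import re

C2_HOST = "irc.blackcarder.net"   # IRC server named in the description
C2_CHANNEL = "#skyline"           # IRC channel named in the description
DROPPED_FILE = "sky.exe"          # dropped copy in the Windows system folder

# Constructed record format; kinds: dns (queried name), irc (plaintext IRC
# command seen on the wire), file (file creation path).
LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>dns|irc|file) (?P<detail>.+)$")
JOIN = re.compile(r"\bJOIN\s+" + re.escape(C2_CHANNEL) + r"\b", re.IGNORECASE)


def scan_indicators(lines):
    """Return {source_host: [indicator, ...]} for every host that matched."""
    findings = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # malformed or unrelated record
        src, kind, detail = m["src"], m["kind"], m["detail"]
        hit = None
        if kind == "dns" and detail.lower().rstrip(".") == C2_HOST:
            hit = f"dns:{C2_HOST}"
        elif kind == "irc" and JOIN.search(detail):
            hit = f"irc:JOIN {C2_CHANNEL}"
        elif kind == "file":
            # Normalise separators and compare the basename only, since the
            # system folder differs between Windows 9x and NT-based systems.
            basename = detail.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if basename == DROPPED_FILE:
                hit = f"file:{DROPPED_FILE}"
        if hit:
            findings.setdefault(src, []).append(hit)
    return findings


# Constructed sample records for demonstration.
SAMPLE_LOG = [
    "2005-05-17T10:01:22Z 10.0.0.17 dns irc.blackcarder.net",
    "2005-05-17T10:01:23Z 10.0.0.17 irc JOIN #skyline",
    "2005-05-17T10:02:00Z 10.0.0.17 file C:\\WINDOWS\\system32\\SKY.EXE",
    "2005-05-17T10:03:00Z 10.0.0.42 dns www.example.test",
    "2005-05-17T10:03:05Z 10.0.0.42 file C:\\WINDOWS\\system32\\notepad.exe",
    "not a log line",
]

if __name__ == "__main__":
    for host, hits in scan_indicators(SAMPLE_LOG).items():
        print(host, hits)
```

A host that shows all three indicators has executed the worm and joined the command channel; a DNS hit alone is still worth isolating, because the backdoor is what exposes the machine to remote commands regardless of whether mailing succeeded.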


Description created: May. 16, 2005 7:48:37 PM GMT -0800
Description updated: May. 20, 2005 9:25:07 AM GMT -0800
