WORM_MYTOB.HS
Overview

Malware type: Worm

Aliases: Net-Worm.Win32.Mytob.bt (Kaspersky), W32.Mytob.HG@mm (Symantec), Worm/Mytob.IL (Avira), W32/Mytob-DI (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, 2000, ME, NT, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

Similar to other WORM_MYTOB variants, this memory-resident worm propagates by sending a copy of itself as an attachment to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine.

The email it sends out has the following details:

Subject: (any of the following)
• *DETECTED* Online User Violation
• Email Account Suspension
• Important Notification
• Members Support
• Notice of account limitation
• Security measures
• Warning Message: Your services near to be closed.
• You have successfully updated your password
• Your Account is Suspended For Security Reasons
• Your Account is Suspended
• Your new account password is approved
• Your password has been successfully updated
• Your password has been updated

Message body:
This is a multi-part message in MIME format.

Attachment: (any of the following file names)
• accepted-password
• account-details
• account-info
• account-password
• account-report
• approved-password
• document
• email-details
• email-password
• important-details
• new-password
• password
• readme
• updated-password

(with any of the following as 1st extension)
• DOC
• HTM
• TXT

(with any of the following as 2nd extension)
• EXE
• PIF
• SCR

This worm sends copies of itself to target email addresses it has gathered from the Windows Address Book (WAB). It may also generate email addresses by using a list of names and any of the domain names of the previously gathered addresses.

This worm has backdoor capabilities. It opens various ports on which it listens for connections, allowing a remote user to execute commands on the affected machine. This routine gives remote users effective control over affected systems, compromising system security.

It also prevents users from accessing several Web sites by modifying the HOSTS file.
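As an added illustration of how a defender can turn the indicators on this page into mail-gateway and host triage logic (example code written for this page, not Trend Micro's or the worm's own code): the first function matches an attachment name against the base-name / first-extension / second-extension pattern listed above and separately flags any decoy-plus-executable double extension; the second combines that with the subject list; the third scans HOSTS-file text for hostnames pointed at a loopback or null address. The page does not say which sites the worm blocks, so that last check is a generic heuristic and an assumption on my part. The sample message and HOSTS lines are constructed.

```python
"""Triage helpers built from the WORM_MYTOB.HS indicators on this page.

Constructed example: the subject, base-name and extension lists are taken
from the description above; the sample inputs below are made up.
"""
import re

SUBJECTS = {
    "*DETECTED* Online User Violation",
    "Email Account Suspension",
    "Important Notification",
    "Members Support",
    "Notice of account limitation",
    "Security measures",
    "Warning Message: Your services near to be closed.",
    "You have successfully updated your password",
    "Your Account is Suspended For Security Reasons",
    "Your Account is Suspended",
    "Your new account password is approved",
    "Your password has been successfully updated",
    "Your password has been updated",
}

BASE_NAMES = {
    "accepted-password", "account-details", "account-info", "account-password",
    "account-report", "approved-password", "document", "email-details",
    "email-password", "important-details", "new-password", "password",
    "readme", "updated-password",
}
FIRST_EXT = {"doc", "htm", "txt"}    # decoy "document" extension
SECOND_EXT = {"exe", "pif", "scr"}   # real, executable extension

# Exactly three dot-separated parts: base.ext1.ext2 (matched case-insensitively)
ATTACHMENT_RE = re.compile(r"^(?P<base>[^.]+)\.(?P<ext1>[^.]+)\.(?P<ext2>[^.]+)$")


def classify_attachment(filename: str) -> str:
    """'mytob' when base, first and second extension all match the page's lists;
    'double-extension' when only the decoy+executable shape matches;
    'benign' otherwise."""
    m = ATTACHMENT_RE.match(filename.strip())
    if not m:
        return "benign"
    base, ext1, ext2 = (m.group(g).lower() for g in ("base", "ext1", "ext2"))
    if ext2 in SECOND_EXT and ext1 in FIRST_EXT:
        return "mytob" if base in BASE_NAMES else "double-extension"
    return "benign"


def triage_message(subject: str, attachments: list) -> list:
    """Return the list of indicators a message trips; empty means nothing matched."""
    hits = []
    if subject.strip() in SUBJECTS:
        hits.append("subject:mytob")
    for name in attachments:
        verdict = classify_attachment(name)
        if verdict != "benign":
            hits.append(f"attachment:{verdict}:{name}")
    return hits


# Assumption: the worm's HOSTS edits point blocked sites at loopback/null,
# so any such mapping other than the standard localhost entries is worth review.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
STANDARD_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost"}


def suspicious_hosts_entries(hosts_text: str) -> list:
    """Hostnames that HOSTS maps to a loopback/null address, excluding localhost."""
    flagged = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if addr in LOOPBACK:
            flagged.extend(n.lower() for n in names if n.lower() not in STANDARD_NAMES)
    return flagged


# Constructed sample inputs (not from a real infection)
SAMPLE_SUBJECT = "Your Account is Suspended"
SAMPLE_ATTACHMENTS = ["account-info.doc.exe", "invoice.txt.pif", "notes.txt"]
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-vendor.invalid
127.0.0.1       www.example-security.invalid
"""

if __name__ == "__main__":
    print(triage_message(SAMPLE_SUBJECT, SAMPLE_ATTACHMENTS))
    print(suspicious_hosts_entries(SAMPLE_HOSTS))
```

The attachment check deliberately reports the generic double-extension shape as a separate verdict: the base names on this page belong to one variant, but a decoy document extension in front of EXE, PIF or SCR is worth quarantining whatever the base name is.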


Description created: Jul. 8, 2005 8:03:11 PM GMT -0800
