Description:
To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.
Malware Overview
This memory-resident worm propagates by attaching a copy of itself to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine. Since its email propagation does not require any user intervention, the user is often unaware that this worm is sending out email messages.
It gathers target email addresses from the Temporary Internet Files folder and the user's Windows Address Book (WAB). It also gathers email addresses from files with certain extension names.
The email message it sends out has the following details:
Subject: (any of the following)
• Error
• Good day
• hello
• Mail Delivery System
• Mail Transaction Failed
• Server Report
• Status
Message body: (any of the following)
• Here are your banks documents.
• Mail transaction failed. Partial message is available.
• The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
• The message contains Unicode characters and has been sent as a binary attachment.
• The original message was included as an attachment.
Attachment: (any of the following)
• Body
• Data
• Doc
• Document
• File
• Message
• Readme
• Text
(with any of the following extensions)
• BAT
• CMD
• EXE
• PIF
• SCR
• ZIP
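As an added example (not part of the original description), the following Python filter checks an RFC 5322 message against the subject, body and attachment indicators listed above, which is the kind of rule a mail gateway would apply to quarantine this worm's traffic. The sample messages are constructed for the demonstration and the `.invalid` addresses are placeholders.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators copied from the description above (lower-cased for matching).
SUBJECTS = {"error", "good day", "hello", "mail delivery system",
            "mail transaction failed", "server report", "status"}
BODIES = [
    "Here are your banks documents.",
    "Mail transaction failed. Partial message is available.",
    "The message cannot be represented in 7-bit ASCII encoding and has been sent "
    "as a binary attachment.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "The original message was included as an attachment.",
]
ATTACH_NAMES = {"body", "data", "doc", "document", "file", "message", "readme", "text"}
ATTACH_EXTS = {"bat", "cmd", "exe", "pif", "scr", "zip"}


def attachment_matches(filename):
    """True when the attachment is <name>.<ext> with both parts from the lists above."""
    if not filename:
        return False
    stem, dot, ext = filename.rpartition(".")
    return bool(dot) and stem.lower() in ATTACH_NAMES and ext.lower() in ATTACH_EXTS


def score_message(raw_bytes):
    """Return the list of indicators that fire on one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    hits = []
    subject = (msg["subject"] or "").strip().lower()
    if subject in SUBJECTS:
        hits.append("subject")
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content() if body_part is not None else ""
    if any(phrase in text for phrase in BODIES):
        hits.append("body")
    for part in msg.iter_attachments():
        name = part.get_filename()
        if attachment_matches(name):
            hits.append("attachment:" + name)
    return hits


def verdict(raw_bytes):
    """An executable-style attachment alone is enough to block; lure text alone only flags."""
    hits = score_message(raw_bytes)
    if any(h.startswith("attachment:") for h in hits):
        return "block"
    return "flag" if hits else "pass"


def build_sample():
    """Constructed message mimicking the worm's mail (placeholder addresses, fake payload)."""
    m = EmailMessage()
    m["From"] = "postmaster@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = "Mail Delivery System"
    m.set_content("The original message was included as an attachment.")
    m.add_attachment(b"MZ-placeholder-not-a-real-binary", maintype="application",
                     subtype="octet-stream", filename="document.scr")
    return m.as_bytes()


def build_benign():
    """Constructed ordinary message that should pass untouched."""
    m = EmailMessage()
    m["From"] = "alice@example.invalid"
    m["To"] = "bob@example.invalid"
    m["Subject"] = "Quarterly numbers"
    m.set_content("See the attached report.")
    m.add_attachment(b"%PDF-placeholder", maintype="application",
                     subtype="pdf", filename="report.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for label, raw in (("worm-like", build_sample()), ("benign", build_benign())):
        print(label, verdict(raw), score_message(raw))
```

The name/extension pairing matters: blocking every `.zip` would be far too noisy, but a `.zip` or `.scr` whose base name is one of the eight generic words above, combined with one of the listed subjects, is a tight signature for this family.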
This worm also takes advantage of a certain Windows vulnerability to propagate. For more information about this vulnerability, please refer to the following Microsoft Web page:
Using random TCP ports, this worm connects to the Internet Relay Chat (IRC) server, fuck.randz.info. Once a connection is established, it joins the IRC channel, #omega, where it listens for certain commands from a remote malicious user. This routine compromises system security and opens the affected machine to further attacks.
Moreover, it prevents users from accessing several antivirus and security Web sites by redirecting the connection to the local machine.
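The description does not say how the redirection is implemented. The following added Python check (not part of the original description) assumes it is done through the Windows HOSTS file, the usual mechanism for this behaviour, and reports every hostname other than the standard localhost entries that is mapped to a loopback or unspecified address. The sample HOSTS content and the `.example` domains in it are constructed; the default path is the real Windows location.

```python
import ipaddress
import sys

# Names that legitimately point at loopback on a stock Windows or Unix host.
ALLOWED_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                          "ip6-localhost", "ip6-loopback"}

# Constructed sample: two of the entries mimic the worm's redirection.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       av-vendor.example            # constructed: redirected security site
0.0.0.0         update.security-site.example # constructed: redirected update host
10.0.0.5        intranet.corp.example        # ordinary internal mapping
"""


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every mapping in a hosts file."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line, not a mapping
        for name in fields[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def find_redirects(text):
    """Return (line_number, hostname, address) for names sinkholed to the local machine."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if (addr.is_loopback or addr.is_unspecified) and name not in ALLOWED_LOOPBACK_NAMES:
            findings.append((lineno, name, str(addr)))
    return findings


def check_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Read a hosts file from disk and run the check; the default is the Windows path."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_redirects(fh.read())


if __name__ == "__main__":
    # Pass a path to check a real file; with no argument the constructed sample is used.
    results = check_hosts_file(sys.argv[1]) if len(sys.argv) > 1 else find_redirects(SAMPLE_HOSTS)
    for lineno, name, addr in results:
        print(f"line {lineno}: {name} -> {addr}")
```

Any hit from this check on a machine that is not deliberately using a hosts-file ad blocker is worth treating as an indicator, since the worm's goal is precisely to keep the user from reaching vendor update and removal pages; the same parse can be fed the hosts file collected from a suspect image during forensic triage.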
Description created: Oct. 15, 2006 11:26:10 PM GMT -0800