Description:
As of November 24, 2005 at 2:34 am (Pacific Standard Time, GMT -8:00), TrendLabs has declared a Medium risk alert in order to control the spread of WORM_MYTOB.MX. TrendLabs has received several infection reports indicating that this malware is currently spreading in Eastern Europe, Germany, France, Spain, and Austria.
For a comprehensive at-a-glance view of this worm's behavior, refer to the Behavior Diagram shown below.
Malware Overview
This memory-resident worm propagates by sending a copy of itself as an attachment to an email message, which it sends to target addresses using its own Simple Mail Transfer Protocol (SMTP) engine. Because it has its own SMTP engine, it can send the message without relying on any installed mail client, such as Microsoft Outlook.
Shown below is an example of the email it sends out:

Details of the email it sends out can be viewed in the Technical Details section.
This worm gathers target email addresses from the Temporary Internet Files folder, as well as from files with certain extension names. Moreover, this worm obtains target recipients from the user's Windows Address Book (WAB). Because the addresses are harvested from the infected user's own system, recipients of the malicious email may believe that it comes from a known source and therefore run the attachment without hesitation.
It also propagates via network shares. It searches for available shared folders within the network and attempts to drop copies of itself into these shares. It also generates random IP addresses and attempts to drop copies of itself into the default shares of those addresses. It uses the account details of the currently logged-on user to gain access to password-protected shares.
This worm has backdoor capabilities. Using varying ports, it connects to an Internet Relay Chat (IRC) server and joins a specific IRC channel, where it listens for commands from a remote malicious user. The said routine provides remote users virtual control over affected systems, thus compromising system security.
It can also set up a File Transfer Protocol (FTP) server using a random port. Once the affected system is transformed into an FTP server, it can be used by the remote user to download and upload files without the user's knowledge or consent.
Moreover, this worm drops another Trojan, detected by Trend Micro as TROJ_MONURL.D. Thus, a system infected with WORM_MYTOB.MX may also be infected with yet another malicious program, causing even more harm to the system.
For additional information about this threat, see the Solution and Technical Details sections.
Description created: Nov. 24, 2005 12:07:36 AM GMT -0800