WORM_MYTOB.R - Description and solution

TrendLabs Malware Blog

Glossary

TrendWatch

TrendLabs Twitter

WORM_MYTOB.R

Overview

Solution

Technical Details

Malware type: Worm

Aliases: Net-Worm.Win32.Mytob.k (Kaspersky), W32/Mytob-G (Sophos),

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:
Damage potential:		High
Distribution potential:		High

Description:

Like other WORM_MYTOB variants, this memory-resident worm propagates via network shares by dropping copies of itself into any available shared folders it finds. It also generates random IP addresses and attempts to drop copies of itself into default shares of the said addresses.

It also propagates by sending a copy of itself as attachment to an email message, which it sends to target recipients, using its own Simple Mail Transfer Protocol (SMTP) engine.

The email it sends out has the following details:

Subject: (any of the following)
� Error
� Good day
� hello
� Mail Delivery System
� Mail Transaction Failed
� Server Report
� Status

Message body: (any of the following)
� Here are your banks documents.
� Mail transaction failed. Partial message is available.
� The message contains Unicode characters and has been sent as a binary attachment.
� The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
� The original message was included as an attachment.

Attachment: (any of the following file names)
� body
� data
� doc
� document
� file
� message
� readme
� test
� text

(with any of the following extensions)
� BAT
� DOC
� EXE
� HTM
� PIF
� SCR
� TMP
� TXT
� ZIP

It gathers target email addresses from the Temporary Internet folder, Windows address book (WAB), as well as from files with certain extension names. It may also generate email addresses by using a list of names and any of the domain names of the previously gathered addresses.

This worm has backdoor capabilities, which allow a remote user to perform malicious commands on the affected machine. The said routine provides remote users virtual control over affected systems, thus compromising system security.

Moreover, it prevents users from accessing several antivirus and security Web sites by redirecting the connection to the local machine.

It also drops a component file, which is responsible for creating copies of this worm. The said component is detected by Trend Micro as WORM_MYTOB.J.

For additional information about this threat, see:
Solution
Technical Details

Description created: Mar. 28, 2005 8:56:39 AM GMT -0800
Description updated: Mar. 28, 2005 8:58:31 AM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.