Win32.Mytob.DM, Win32.Mytob.DO, Net-Worm.Win32.Mytob.bb, bf, W32/Mytob.bh
Category: Computer Worm
North and South America, Asia, Europe, Australia, Africa
03 Jun 2005
This worm is part of the Mytob family of mass-mailing worms. Worms in this family have backdoor capabilities and use their own simple mail transfer protocol (SMTP) engine to send infected emails to addresses collected from the victim machine. The backdoor can also be used by the worm's author to send instructions.
W32.Mytob!gen Removal Tool
If you have malware on your computer, it will cause annoyances and damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean W32.Mytob!gen from your computer.
More details about W32.Mytob!gen
This malware creates several mutexes so that only a single instance of the worm runs on the victim machine at a given time. The worm then copies its code to a file with an .exe extension. The W32.Mytob!gen worm also adds one of its predetermined values to several registry subkeys so that it launches each time the operating system starts. It is critical to note that this worm can recreate its predefined registry entries if they are removed from the victim machine. It collects email addresses from files with the extensions SHT, HTM, JSP, XML, CGI, ASP, PHP, TBB, DBX, PL, ADB and WAB. The worm, however, will not send its code to addresses that contain security-related strings, such as the names of antivirus products. This malware may add some predetermined prefixes to domain names in order to find SMTP servers.
The W32.Mytob!gen worm then attempts to open a backdoor on the compromised machine by establishing a connection to an IRC (Internet Relay Chat) server on TCP port 4512. It then waits for instructions that permit its remote author to carry out malicious tasks, including acquiring an updated version of the worm, downloading and launching files, and terminating, updating or removing the worm. The worm can likewise block access to websites it deems security-related by appending entries to the Windows Hosts file. It will also try to terminate some security-related processes.
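As an added defender-side example (not from the original page or any vendor's tool), the following Python script parses Windows Hosts file content and flags entries that pin security-related hostnames to a loopback or null address, which is the blocking effect described above. The keyword list, the sample Hosts content and the function names are constructed assumptions for illustration.

```python
import os
import re
from typing import List, Tuple

# Substrings that mark a hostname as security-related. Assumption: an
# illustrative list; the worm's own list is not reproduced on the page.
SECURITY_KEYWORDS = ("symantec", "mcafee", "kaspersky", "sophos", "trendmicro",
                     "f-secure", "windowsupdate", "virus")

# Addresses used to sinkhole a hostname so it can no longer be reached.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# A Hosts line is "<address> <hostname> [hostname ...]" with optional "#" comment.
HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def find_hosts_hijacks(hosts_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, address, hostname) for every entry that maps a
    security-related hostname to a sinkhole address."""
    hits = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = HOSTS_LINE.match(line)
        if not m:
            continue                         # blank or comment-only line
        address, names = m.group(1), m.group(2).split()
        if address not in SINKHOLE_ADDRESSES:
            continue
        for name in names:
            if any(k in name.lower() for k in SECURITY_KEYWORDS):
                hits.append((lineno, address, name))
    return hits


def scan_windows_hosts() -> List[Tuple[int, str, str]]:
    """Read the live Hosts file on a Windows machine and scan it."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    path = os.path.join(root, "System32", "drivers", "etc", "hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hosts_hijacks(fh.read())


# Constructed sample: a default Hosts file with Mytob-style lines appended.
SAMPLE_HOSTS = """\
# default Hosts file header
127.0.0.1       localhost
# --- constructed lines imitating an appended block ---
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 us.mcafee.com  # trailing comment
0.0.0.0 windowsupdate.microsoft.com
"""

if __name__ == "__main__":
    for lineno, address, name in find_hosts_hijacks(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {address}")
```

On a real machine, run `scan_windows_hosts()` instead of the sample; any hit is a candidate for restoring the Hosts file after the worm's Run-key entries have been removed.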