Mytob.DG AKA Mytob-CV Worm
Date discovered: 5th June 2005
How it spreads
Mytob.DG is a mass-mailing worm with back door capabilities that uses its own SMTP mail engine to send itself to addresses it gathers from infected computers.
Mytob.DG affects Windows 95, NT, 98, ME, 2000, Windows Server 2003, Windows XP.
What it does
* Mytob.DG copies itself as \System\We Love Lien Van de Kelder.exe
* Alters the Windows registry.
* Harvests email addresses from files on the infected computer.
* Uses its own SMTP engine to send itself to the email addresses that it finds. The From: field varies and may be spoofed. In some cases the infected email may appear to come from an official-looking email address such as webmaster@xtra.co.nz and support@xtra.co.nz.
* The Subject: field is one of the following:
Notice: **Last Warning**
*DETECTED* Online User Violation
Your Email Account is Suspended For Security Reasons
Account Alert
Important Notification
*WARNING* Your Email Account Will Be Closed
Security measures
Email Account Suspension
Notice of account limitation
[random]
* The message body is one of the following:
Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
The original message has been included as an attachment.
We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.
We attached some important information regarding your account.
Please read the attached document and follow it's instructions.
* The attachment name is one of the following:
email-info
email-doc
information
account-details
document
INFO
instructions
info-text
information
[random]
with one of the following as an extension:
.pif
.scr
.exe
.cmd
.bat
.zip
* Opens a back door by connecting to the IRC server irc.blackcarder.net on TCP port 4512. The worm then listens for commands from a remote attacker.
* Blocks access to security-related Web sites by altering the hosts file.
* Attempts to shut down running Windows processes and security-related software.
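As an added triage example (not part of the original advisory), the following Python function scores an incoming message against the indicators listed above: the spoofed sender addresses, the subject lines, the attachment base names and the executable or archive extensions. The sample messages are constructed for illustration.

```python
# Added example: score a message against the Mytob.DG indicators listed in
# the advisory above. Sample messages are constructed, not real traffic.
SPOOFED_SENDERS = {"webmaster@xtra.co.nz", "support@xtra.co.nz"}
LURE_SUBJECTS = {
    "Notice: **Last Warning**",
    "*DETECTED* Online User Violation",
    "Your Email Account is Suspended For Security Reasons",
    "Account Alert",
    "Important Notification",
    "*WARNING* Your Email Account Will Be Closed",
    "Security measures",
    "Email Account Suspension",
    "Notice of account limitation",
}
ATTACH_NAMES = {"email-info", "email-doc", "information", "account-details",
                "document", "info", "instructions", "info-text"}
ATTACH_EXTS = {"pif", "scr", "exe", "cmd", "bat", "zip"}


def score_message(sender, subject, attachments):
    """Return (score, reasons); each matched indicator adds one point.
    The subject list ends in [random], so a subject hit alone is weak;
    an executable or archive attachment with a listed base name is the
    strongest signal."""
    reasons = []
    if sender.strip().lower() in SPOOFED_SENDERS:
        reasons.append("sender matches spoofed address")
    if subject.strip() in LURE_SUBJECTS:
        reasons.append("subject matches known lure")
    for name in attachments:
        # Split on the last dot; comparison is case-insensitive (INFO.EXE).
        base, dot, ext = name.lower().rpartition(".")
        if dot and ext in ATTACH_EXTS:
            reasons.append(f"risky attachment type: {name}")
            if base in ATTACH_NAMES:
                reasons.append(f"attachment name matches lure: {name}")
    return len(reasons), reasons


def triage(messages, threshold=2):
    """Return senders of (sender, subject, attachments) tuples at or above threshold."""
    return [s for s, subj, att in messages
            if score_message(s, subj, att)[0] >= threshold]


# Constructed sample messages for illustration.
SAMPLE_MESSAGES = [
    ("support@xtra.co.nz", "Account Alert", ["account-details.zip"]),
    ("alice@example.com", "Lunch?", ["menu.pdf"]),
    ("bob@example.net", "Re: photos", ["INFO.EXE"]),
]
```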
How to protect yourself:
You can find detailed removal advice and removal tools at the following website:
* Symantec Web site
There are several known variants of Mytob. The best way to protect yourself is to update your antivirus software and run a complete system scan. Also check that your system is patched to the latest Windows version by running Windows Update, and that you are running a firewall.