Lumension® Endpoint Intelligence Center

W32/Mytob


Destructivity MEDIUM
Payload Disables security software, includes backdoor capability.
Detection files published 27 Feb 2005 03:00:00
Description created 08 Jun 2005 05:52:00
Description updated 08 Jun 2005 05:52:00
Malware type WORM
Spreading mechanism EMAIL
Summary None



Email: The mass-mailing code is lifted from the Mydoom series of worms. Subject line, body text and attachment names vary, but attachment names often carry a double extension (a harmless-looking first extension such as .txt or .doc followed by an executable one such as .pif or .exe). The attachment may also be a zip archive with the actual worm executable inside. The worm harvests email addresses from files found on the local computer and uses them both as FROM and TO addresses, so the apparent sender of an infected message need not be the infected computer.
Security vulnerability: The network-propagation code is taken from the SDBot family. The worm attempts to compromise other computers on the network by sending them specially crafted network messages. The vulnerability used is mainly the LSASS buffer overflow in Windows (patched by Microsoft in MS04-011); a successful exploit makes the target computer download and run the worm without any user interaction.
We expect more spreading functionality to be added to these worms over time.
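The two attachment tricks described above, a double extension (often padded with spaces so the real extension scrolls out of view in a mail client) and an executable hidden inside a zip, are the checks a mail gateway should apply before an attachment reaches a user. The following is an added illustration, not code from Lumension or from the worm; the extension lists, the `make_zip` helper and the sample attachments are constructed for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Suffixes Windows runs when the file is double-clicked. Assumption: this list is
# illustrative and not exhaustive; it is not taken from the Lumension description.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Harmless-looking suffixes that worms place in front of the real one.
DECOY_EXTS = {".txt", ".doc", ".htm", ".html", ".jpg", ".gif", ".pdf", ".zip"}


def _suffixes(name: str) -> list[str]:
    """Suffixes of a file name, lower-cased, with the space padding stripped
    that worms insert (e.g. 'readme.txt         .pif') to push the real
    extension out of view in a mail client."""
    return [s.strip().lower() for s in PurePosixPath(name).suffixes]


def is_double_extension(name: str) -> bool:
    """True for names like 'readme.txt.pif': a decoy suffix followed by an
    executable one. Only the final suffix decides what Windows executes."""
    suffixes = _suffixes(name)
    return (len(suffixes) >= 2
            and suffixes[-1] in EXECUTABLE_EXTS
            and suffixes[-2] in DECOY_EXTS)


def executables_in_zip(data: bytes) -> list[str]:
    """Names of members inside a zip archive that would execute on Windows.
    Returns [] for data that is not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist()
                    if (sfx := _suffixes(n)) and sfx[-1] in EXECUTABLE_EXTS]
    except zipfile.BadZipFile:
        return []


def classify_attachment(name: str, data: bytes) -> str:
    """Verdict for one attachment: 'double-extension', 'executable',
    'zip-with-executable' or 'ok'."""
    suffixes = _suffixes(name)
    if is_double_extension(name):
        return "double-extension"
    if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
        return "executable"
    # A zip is only 'ok' if nothing inside it is directly executable.
    if data[:2] == b"PK" and executables_in_zip(data):
        return "zip-with-executable"
    return "ok"


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build a zip archive in memory (used here only to construct sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed sample attachments; the 'MZ' bytes stand in for a PE header.
SAMPLE_ATTACHMENTS = {
    "document.txt                 .pif": b"MZ\x90\x00",
    "readme.zip": make_zip({"readme.txt.exe": b"MZ\x90\x00"}),
    "photo.jpg": b"\xff\xd8\xff\xe0",
    "report.zip": make_zip({"report.doc": b"plain text"}),
    "setup.exe": b"MZ\x90\x00",
}


def scan_attachments(attachments: dict[str, bytes]) -> dict[str, str]:
    """Classify every attachment; anything other than 'ok' should be quarantined."""
    return {name: classify_attachment(name, data)
            for name, data in attachments.items()}


if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:20} {name!r}")
```

The zip case matters because a gateway that only blocks executable attachment names lets `readme.zip` through unchanged; the check has to open the archive and look at member names, and treat anything it cannot parse as a zip as not a zip rather than as safe.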

Payload Details

Many Mytob variants include functionality to disable various anti-virus and firewall products. In addition, they often modify the local HOSTS file so that the internet addresses of well-known security vendors resolve to a useless address (typically the local loopback address); those sites, and any signature or patch updates hosted on them, thereby become unreachable from the infected computer.
It is common for these worms to connect to an Internet Relay Chat (IRC) server and join particular channels there. Through these channels the worm author can issue commands to the worm and, to a large extent, remote-control the infected computer, so the worm also functions as a backdoor.
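A quick incident-response check for the HOSTS tampering described above is to parse the file and flag any security-vendor name it maps at all: a stock HOSTS file only maps localhost, so a vendor entry pointing at loopback or 0.0.0.0 means updates are being blocked, and one pointing anywhere else means the site has been hijacked to an address the attacker controls. The following is an added example, not Lumension's code; the vendor-domain list, the verdict names and the sample HOSTS text are constructed for the illustration.

```python
import ipaddress

# Vendor domains Mytob-style worms are known to block. Constructed, illustrative
# list; real variants carry far longer lists and this one is not from the page.
WATCHED_DOMAINS = ("symantec.com", "mcafee.com", "kaspersky.com",
                   "trendmicro.com", "sophos.com", "windowsupdate.com",
                   "microsoft.com")
# Names a stock HOSTS file legitimately maps to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> list[tuple[int, str, str]]:
    """(line_no, ip, hostname) for every mapping; comments and blanks skipped.
    One line may map several names, so it can yield several tuples."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((no, ip, n.lower()) for n in names)
    return entries


def is_blackhole(ip: str) -> bool:
    """True if the address can never reach the real site (loopback or 0.0.0.0)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def is_watched(name: str) -> bool:
    """Suffix match, so 'liveupdate.symantec.com' matches 'symantec.com'."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_hosts_entries(text: str) -> list[tuple[int, str, str, str]]:
    """Flag tampered HOSTS entries with a verdict:
    'blackholed'          - a vendor name sent to loopback/0.0.0.0 (updates fail)
    'hijacked'            - a vendor name sent to some other address (worse: the
                            worm author can serve fake updates from it)
    'blackholed-unlisted' - any other non-local name sent to loopback; worth a
                            look, since real variants block more than any list."""
    hits = []
    for no, ip, name in parse_hosts(text):
        if is_watched(name):
            verdict = "blackholed" if is_blackhole(ip) else "hijacked"
            hits.append((no, ip, name, verdict))
        elif is_blackhole(ip) and name not in LOCAL_NAMES:
            hits.append((no, ip, name, "blackholed-unlisted"))
    return hits


def audit_hosts_file(path: str = r"C:\Windows\System32\drivers\etc\hosts"):
    """Run the check against the live file (default path is the Windows one)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_hosts_entries(fh.read())


# Constructed sample of a HOSTS file after a Mytob-style modification.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com liveupdate.symantec.com
0.0.0.0         www.mcafee.com
10.0.0.5        windowsupdate.microsoft.com   # points at the worm author's host
127.0.0.1       www.avp.com
192.168.1.10    intranet.example.local
"""


if __name__ == "__main__":
    for no, ip, name, verdict in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {no}: {name} -> {ip} [{verdict}]")
```

Cleaning the file is not enough on its own: the worm rewrites HOSTS and kills security processes on each start, so the entries come back until the worm itself is removed, and the IRC backdoor means the machine should be treated as fully compromised until then.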




The Mytob worms have usually been caught by the proactive Lumension Sandbox technology without the need for updates. Exact detection for the first worm in this series, Mytob.A, was added on 28 Feb 2005, but in practice it was already covered.

Last Updated: 12 Nov 2015 11:06:12