Worm MYTOB.CU
Another variant of the MYTOB worm, known as MYTOB.CU, has been observed spreading rapidly in the wild. It is a mass-mailing, memory-resident worm that propagates by sending a copy of itself as an email attachment, using its own Simple Mail Transfer Protocol (SMTP) engine. It also takes advantage of the Microsoft Windows LSASS vulnerability to propagate itself. The worm searches for email addresses on the affected system. It also generates email addresses by combining names from a list with any of the domain names from previously gathered addresses. The worm also has backdoor capabilities: it listens to the IRC server irc.blackcarder.net on TCP port 4512, allowing a remote user to take complete control of the affected system. It also disables antivirus and security-related processes and modifies the hosts file to prevent users from accessing antivirus and security-related websites.
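The following triage sketch is an added example, not part of the original advisory. It checks a hosts file for security-related names redirected to loopback or null addresses, and `netstat -an` style output for TCP port 4512. The keyword list, function names and sample data are assumptions constructed for illustration.

```python
import ipaddress

C2_PORT = 4512  # TCP port named in the advisory
# Assumption: keywords standing in for "antivirus and security related" hostnames.
SECURITY_KEYWORDS = ("antivirus", "security", "update")

# Constructed sample inputs (hosts file contents and `netstat -an` style output).
SAMPLE_HOSTS = """127.0.0.1 localhost
127.0.0.1 www.antivirus-vendor.example
0.0.0.0 update.security-vendor.example  # constructed entry
192.0.2.10 intranet.example
"""
SAMPLE_NETSTAT = """  TCP    192.0.2.25:1045    198.51.100.7:4512    ESTABLISHED
  TCP    192.0.2.25:1050    198.51.100.9:80      ESTABLISHED
  TCP    0.0.0.0:135        0.0.0.0:0            LISTENING
"""

def is_sinkhole(addr):
    """True for loopback or unspecified addresses such as 127.0.0.1 or 0.0.0.0."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def suspicious_hosts_entries(hosts_text):
    """Return (hostname, address) pairs that point a security-related name at a sinkhole."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2 or not is_sinkhole(fields[0]):
            continue
        for name in (f.lower() for f in fields[1:]):
            if any(k in name for k in SECURITY_KEYWORDS):
                hits.append((name, fields[0]))
    return hits

def port_4512_connections(netstat_text):
    """Return TCP lines whose local or remote endpoint uses the advisory's port."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0].upper() == "TCP":
            ports = {ep.rsplit(":", 1)[-1] for ep in fields[1:3]}
            if str(C2_PORT) in ports:
                hits.append(line.strip())
    return hits

if __name__ == "__main__":
    print(suspicious_hosts_entries(SAMPLE_HOSTS))
    print(port_4512_connections(SAMPLE_NETSTAT))
```

A hit from either function is a lead for further investigation rather than proof of infection, since other software can also use port 4512 or add sinkhole entries to the hosts file.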
For further details and disinfection instructions, refer to the following URLs:
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91 11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003