

VIRUS ALERTS

WORM MYTOB.MX

A further variant of the MYTOB worm, MYTOB.MX (alias Win32.Mytob.mx), has been observed spreading in the wild. It is a memory-resident mass-mailing worm that propagates by sending a copy of itself as an attachment to e-mail messages using its own Simple Mail Transfer Protocol (SMTP) engine; the target addresses are either generated at random or harvested from the infected computer. It also spreads through network shares.

After infecting a system the worm:

  • Drops the file SYST.EXE (detected as TROJ_MONURL.D) in the Windows system folder.
  • Adds or changes the following registry entries:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      Debugger = "\dbg32.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
      Debugger = "\dbg32.exe"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
      Start = "dword:00000004"
    The Run and RunServices values make Windows launch the referenced program automatically at start-up. A Start value of 4 (SERVICE_DISABLED) on SharedAccess disables the Windows Firewall/Internet Connection Sharing service, so the built-in firewall no longer starts.
  • Sends e-mail messages with subjects such as "DETECTED* ONLINE USER VIOLATION", "Notice of account limitation" or "your password has been updated".
  • Attaches its copy under names such as a random file name with a .zip extension, "account-details.zip" or "new-password.zip".
  • Uses message bodies such as "We have temporarily suspended your email account.... See the details to reactivate your account".
  • Spoofs the From field with familiar names such as "accounts" or "administrator".
  • Gathers target e-mail addresses from files with extensions such as adb, asp, dbx, htm, php, pl, tbb and wab.
  • Avoids sending messages to addresses that contain substrings such as Berkeley, google or hotmail.
  • Carries a backdoor: it connects to an IRC channel and listens for commands from a remote malicious user.
  • Can turn the affected system into an FTP server on a random port, allowing a remote malicious user to upload or download files without the user's consent.
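The following script is added here as a worked example; it is not CERT-In's code and not part of the original alert. It turns the mail characteristics and the registry changes listed above into checks that a mail-gateway operator or an administrator triaging a suspect host can run. The indicator strings are taken from the alert; the sample messages, the registry snapshot and the flagging rule (a .zip attachment plus at least one further indicator) are assumptions made for the example.

```python
"""Indicator checks for MYTOB.MX as described in the CERT-In alert.
Added example, not CERT-In code. Indicator strings come from the alert;
the sample messages and registry snapshot below are constructed."""
import email
import email.utils
import re
from email import policy

# Mail-side indicators quoted in the alert.
SUBJECT_PATTERNS = [
    re.compile(r"DETECTED.*ONLINE USER VIOLATION", re.I),
    re.compile(r"Notice of account limitation", re.I),
    re.compile(r"your password has been updated", re.I),
]
ATTACHMENT_NAMES = {"account-details.zip", "new-password.zip"}
BODY_PHRASES = ("temporarily suspended your email account",
                "see the details to reactivate your account")
SPOOFED_SENDERS = {"accounts", "administrator"}


def score_message(raw: str) -> dict:
    """Match one RFC 822 message against the mail indicators.

    Flagging rule (an assumption for this example): a .zip attachment AND
    at least one further indicator, so a lone "administrator" sender or a
    lone .zip does not trigger on its own."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if any(p.search(msg.get("Subject", "")) for p in SUBJECT_PATTERNS):
        hits.append("subject")
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    if sender.split("@")[0].lower() in SPOOFED_SENDERS:
        hits.append("from")
    zips = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".zip"):
            zips.append(name)
    if zips:
        hits.append("zip-attachment")
    if any(name.lower() in ATTACHMENT_NAMES for name in zips):
        hits.append("known-attachment-name")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(phrase in text for phrase in BODY_PHRASES):
        hits.append("body")
    flagged = "zip-attachment" in hits and len(hits) >= 2
    return {"flagged": flagged, "hits": hits, "attachments": zips}


# Host-side indicators: the autorun values and the disabled firewall service.
PERSISTENCE_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
SHAREDACCESS_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess"


def check_registry(snapshot: dict) -> list:
    """snapshot maps 'key\\valuename' to its data, as collected with
    'reg query' or winreg. Returns a list of matched host indicators."""
    findings = []
    for key in PERSISTENCE_KEYS:
        data = str(snapshot.get(key + r"\Debugger", ""))
        if data.lower().endswith("dbg32.exe"):
            findings.append(f"{key}\\Debugger = {data}")
    start = str(snapshot.get(SHAREDACCESS_KEY + r"\Start", "")).lower()
    # Start=4 is SERVICE_DISABLED; SharedAccess is Windows Firewall/ICS.
    if start in ("4", "0x4", "dword:00000004"):
        findings.append("SharedAccess (Windows Firewall/ICS) service disabled")
    return findings


# Constructed sample input (not real captured mail); the attachment body is
# the base64 of an empty zip archive.
SAMPLE_WORM_MAIL = """\
From: administrator@example.com
To: user@example.com
Subject: Notice of account limitation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

We have temporarily suspended your email account. See the details to reactivate your account.

--XYZ
Content-Type: application/zip; name="account-details.zip"
Content-Disposition: attachment; filename="account-details.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==

--XYZ--
"""

SAMPLE_BENIGN_MAIL = """\
From: alice@example.com
To: user@example.com
Subject: Lunch on Friday?
Content-Type: text/plain; charset="us-ascii"

Are you free at noon?
"""

# Constructed registry snapshot in the form 'reg query' reports on an infected host.
SAMPLE_REGISTRY = {
    PERSISTENCE_KEYS[0] + r"\Debugger": r"\dbg32.exe",
    PERSISTENCE_KEYS[1] + r"\Debugger": r"\dbg32.exe",
    SHAREDACCESS_KEY + r"\Start": "0x4",
}

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM_MAIL), ("benign", SAMPLE_BENIGN_MAIL)):
        print(label, score_message(raw))
    print(check_registry(SAMPLE_REGISTRY))
```

The mail check deliberately requires two independent indicators before flagging, because a legitimate message from an "administrator" mailbox or an ordinary .zip attachment is common; tune the rule to local traffic before blocking. The registry check works on a snapshot so it can be run against values exported from a suspect machine without executing anything on it.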

Since the worm is spreading fast, users are advised to update their anti-virus software and apply the latest patches to the operating system and the applications running on the system. On a suspected system, check for the registry values listed above and confirm that the Windows Firewall (SharedAccess) service has not been disabled.

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91 11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003