Worm:W32/Mytob.A is a worm with functionality similar to that of the MyDoom worm family. It also includes code to spread over a network by exploiting the known LSASS vulnerability.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
More information on scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
In addition to propagating, Mytob.A is also able to function as an IRC bot.
The worm is a PE executable file 42512 bytes long, packed with the FSG file compressor.
When run, the worm copies itself to the %SYSTEM% directory as 'msnmsgr.exe' and creates a mutex named 'D66'.
It then alters the registry so that it is started when a user logs on or the system is restarted:
- [HKCU\SYSTEM\CurrentControlSet\Control\Lsa] "MSN" = "msnmsgr.exe"
Note that Windows does not launch programs from values under Control\Lsa, so this value is useful as an infection marker rather than as the autostart mechanism itself; when investigating, also review the standard Run keys.
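The host artifacts listed above (the %SYSTEM% copy, the mutex and the registry value) can be turned into a simple triage check. The Python below is an added example, not code from the F-Secure description or product; it matches the indicators against a registry export (.reg text), a %SYSTEM% directory listing and a mutex list already collected from the host, so it runs offline on any platform. All sample inputs are constructed. One caveat: the legitimate MSN Messenger client also used the file name msnmsgr.exe, but it was installed under Program Files, which is why the check looks only at the system directory listing.

```python
"""Match the Worm:W32/Mytob.A host indicators listed above against collected artifacts.

Added example, not F-Secure's code. It works offline on a Windows registry
export (.reg text), a listing of the %SYSTEM% directory and a list of mutex
names that a responder has already collected, so the matching logic runs on
any platform. All sample inputs below are constructed for the demonstration.
"""
from __future__ import annotations

import re

# Indicators taken from the description above.
MYTOB_FILE = "msnmsgr.exe"
MYTOB_MUTEX = "D66"
MYTOB_REG_KEY = r"HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa"
MYTOB_REG_VALUE = "MSN"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_STRING_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse the string values of a .reg export into {key: {name: value}}.

    Registry key names are case-insensitive, so keys are stored lower-cased.
    Only quoted REG_SZ values are parsed; hex:/dword: values and the '@'
    default value are skipped. Backslashes are doubled in .reg files and
    are un-escaped here.
    """
    result: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1).lower()
            result.setdefault(current, {})
            continue
        value_match = _STRING_VALUE_RE.match(line)
        if value_match and current is not None:
            name, value = value_match.groups()
            result[current][name] = value.replace("\\\\", "\\")
    return result


def find_mytob_indicators(reg_text: str, system_dir_files: list[str], mutexes: list[str]) -> list[str]:
    """Return the Mytob.A indicators present in the supplied artifacts (empty list if clean)."""
    hits: list[str] = []
    values = parse_reg_export(reg_text).get(MYTOB_REG_KEY.lower(), {})
    # Value names are case-insensitive as well; the data is compared case-insensitively.
    if any(name.lower() == MYTOB_REG_VALUE.lower() and data.lower() == MYTOB_FILE
           for name, data in values.items()):
        hits.append(f"registry: [{MYTOB_REG_KEY}] {MYTOB_REG_VALUE}={MYTOB_FILE}")
    # Only the %SYSTEM% listing is checked: the legitimate MSN Messenger client used
    # the same file name but lived under Program Files, not in the system directory.
    if any(name.lower() == MYTOB_FILE for name in system_dir_files):
        hits.append(f"file: %SYSTEM%\\{MYTOB_FILE}")
    if MYTOB_MUTEX in mutexes:
        hits.append(f"mutex: {MYTOB_MUTEX}")
    return hits


# Constructed sample artifacts: an infected host's registry export, %SYSTEM% listing and mutex list.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa]
"MSN"="msnmsgr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"
"""
SAMPLE_SYSTEM_FILES = ["kernel32.dll", "msnmsgr.exe", "notepad.exe"]
SAMPLE_MUTEXES = ["D66", "ExampleAppMutex"]

if __name__ == "__main__":
    for hit in find_mytob_indicators(SAMPLE_REG, SAMPLE_SYSTEM_FILES, SAMPLE_MUTEXES):
        print(hit)
```

On a live Windows host the three inputs would come from `reg export`, a directory listing of %SYSTEM% and a handle or mutex enumeration tool; the matcher itself does not depend on where they came from. A single hit, in particular the file alone, is a reason to image and scan the machine rather than a verdict.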
The worm tries to connect to an IRC channel at a predefined address on TCP port 6667. An attacker who knows the channel password can instruct the resulting bot to perform the following actions:
- Request worm uptime
- Request worm version
- Shutdown worm
- Download and execute files
- Delete files
- Update worm
The worm spreads by sending itself as an infected attachment to e-mail addresses found on the infected computer. E-mail addresses are harvested from the Windows Address Book (WAB) and from files with the following extensions:
The worm avoids sending e-mails to e-mail addresses that contain any of the following substrings:
The e-mail message is composed from a randomly chosen subject line, body text and additional parts, and the attachment name is picked from a predefined set. The subject of infected e-mails is selected from the following variants:
- Server Report
- Mail Transaction Failed
- Mail Delivery System
The attachment name is composed using the following predefined keywords:
The extension for the filename can be one of the following:
The worm spreads to remote computers by exploiting the LSASS vulnerability (the Windows flaw addressed by Microsoft security bulletin MS04-011). It contacts remote computers on TCP port 445, exploits the vulnerability and copies its file to the remote system.
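The three network behaviours described above (IRC control on TCP/6667, LSASS exploitation over TCP/445, and mailing itself directly to many mail servers on TCP/25) are all visible in connection logs. The Python below is an added example, not part of the F-Secure page or its products; the one-line flow record format, the 10.0.0.x, 192.0.2.x and 203.0.113.x sample addresses and the fan-out threshold are constructed assumptions for the demonstration.

```python
"""Flag Mytob-like network behaviour in connection logs.

Added example, not part of the F-Secure description or its products. It
looks for the three behaviours described above: control traffic to an IRC
server on TCP/6667, contacting many hosts on TCP/445 to exploit LSASS, and
mailing itself directly to many mail servers on TCP/25. The one-line flow
format and the sample flows are constructed for this demonstration; adapt
parse_flow() to whatever your flow exporter produces.
"""
from __future__ import annotations

from collections import defaultdict

IRC_PORT = 6667
SMB_PORT = 445
SMTP_PORT = 25
# Distinct destinations on one port before a host is flagged; an assumed tuning value.
FANOUT_THRESHOLD = 5


def parse_flow(line: str) -> tuple[str, str, int] | None:
    """Parse 'src_ip dst_ip proto dst_port' (constructed format); return (src, dst, port) for TCP."""
    parts = line.split()
    if len(parts) != 4 or parts[2].upper() != "TCP":
        return None
    try:
        return parts[0], parts[1], int(parts[3])
    except ValueError:
        return None


def detect_mytob_behaviour(lines, fanout_threshold: int = FANOUT_THRESHOLD) -> dict[str, list[str]]:
    """Return {src_ip: [finding, ...]} for sources showing IRC traffic or 445/25 fan-out."""
    irc_dests: dict[str, set[str]] = defaultdict(set)
    fanout: dict[str, dict[int, set[str]]] = defaultdict(lambda: defaultdict(set))
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, dport = flow
        if dport == IRC_PORT:
            irc_dests[src].add(dst)
        elif dport in (SMB_PORT, SMTP_PORT):
            fanout[src][dport].add(dst)

    findings: dict[str, list[str]] = defaultdict(list)
    # Any outbound IRC connection from a workstation is worth a look on its own.
    for src, dests in irc_dests.items():
        findings[src].append(f"irc_c2: {len(dests)} destination(s) on tcp/{IRC_PORT}")
    # Fan-out separates a worm from normal clients: a workstation talks to a few
    # file servers and one MTA, while Mytob sweeps 445 and hands mail to many MX hosts.
    for src, ports in fanout.items():
        for port, dests in sorted(ports.items()):
            if len(dests) >= fanout_threshold:
                label = "lsass_scan" if port == SMB_PORT else "mass_mail"
                findings[src].append(f"{label}: {len(dests)} distinct destinations on tcp/{port}")
    return dict(findings)


# Constructed sample: 10.0.0.23 behaves like an infected host, 10.0.0.5 like a normal client.
SAMPLE_FLOWS = (
    ["10.0.0.23 203.0.113.10 TCP 6667"]
    + [f"10.0.0.23 10.0.0.{50 + i} TCP 445" for i in range(8)]
    + [f"10.0.0.23 192.0.2.{i} TCP 25" for i in range(1, 7)]
    + ["10.0.0.5 10.0.0.100 TCP 445", "10.0.0.5 10.0.0.101 TCP 25", "10.0.0.5 10.0.0.1 UDP 53"]
)

if __name__ == "__main__":
    for host, notes in detect_mytob_behaviour(SAMPLE_FLOWS).items():
        print(host, *notes, sep="\n  ")
```

The threshold needs tuning per network: domain controllers, backup servers and vulnerability scanners legitimately fan out on TCP/445, and mail relays on TCP/25, so those sources belong on an allowlist. The IRC check only sees the port the description gives; a bot pointed at a non-standard port would need payload inspection instead.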
Mytob.B is a minor variant of Mytob.A that likewise combines the e-mail worm functionality of the MyDoom family with IRC bot functionality.