Threat Description


Category: Malware
Platform: W32


This is a typical variant of Mytob. It combines the functionality of an IRC bot and a mass-mailing worm.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

Installation to system

When run, the worm copies itself as 'dbg32.exe' to the Windows System folder and creates the following registry startup keys:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Debugger" = "dbg32.exe"

The worm also modifies the following key value:

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start" = dword:00000004

The worm also drops and executes a file named 'syst.exe' in the Windows System folder. This file is a trojan downloader detected as 'Trojan-Downloader.Win32.Monurl.gen'.
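A defender-side triage check for the persistence changes above, added here as an example and not part of the F-Secure description: it parses a constructed .reg-style export (sample data, not a real capture) and flags the "Debugger" = "dbg32.exe" startup values and the SharedAccess Start=4 change.

```python
import re
from typing import Dict, List
# Constructed .reg-style export (sample data, not a real capture); the three
# indicator lines mirror the registry changes listed in this description.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Debugger"="dbg32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Debugger"="dbg32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
'''

STARTUP_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runservices",
)

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] section to its "name"=data pairs (names lower-cased)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m:
                keys[current][m.group(1).lower()] = m.group(2)
    return keys

def find_mytob_indicators(text: str) -> List[str]:
    findings: List[str] = []
    for key, values in parse_reg_export(text).items():
        if key.endswith(STARTUP_KEYS):
            for name, data in values.items():
                if "dbg32.exe" in data.lower():
                    findings.append(f"startup value {name}={data} under {key}")
        elif key.endswith(r"services\sharedaccess"):
            # SharedAccess is the Windows Firewall/ICS service; Start=4 is
            # SERVICE_DISABLED, so the host firewall no longer starts.
            if values.get("start", "").lower() == "dword:00000004":
                findings.append("SharedAccess service disabled (Start=4)")
    return findings
```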

Spreading in e-mails

To get the victims' e-mail addresses the worm reads the user's Address Book and also scans files with the following extensions on all hard disks and RAM drives:

txt  htm  sht  jsp  cgi  xml  php  asp  dbx  tbb  adb  wab   

The worm ignores e-mail addresses with any of the following substrings:

abuse  accoun  acketst  admin  anyone  arin.  avp  be_loyal:  berkeley  borlan  bsd  bugs  certific  example  fcnz  fido  foo.  fsf.  gnu  google  .gov  gov.  hotmail  iana  icrosof  icrosoft  ietf  info  inpris  isc.o  isi.e  kernel  linux  listserv  math  .mil  mit.e  mozilla  msn.  mydomai  nobody  nodomai  noone  nothing  ntivi  panda  pgp  postmaster  rating  rfc-ed  ripe.  root  ruslis  samples  secur  sendmail  site  someone  sopho  spm  support  syma  tanford.e  unix  usenet  utgers.ed  webmaster  www  you  your  contact  soft  somebody  privacy  service  help  not  submit  feste  gold-certs  the.bat  page  support  administrator  mail  service  admin  info  register  webmaster   

The worm sends e-mail messages with different subjects. Here's the list of subject texts that the worm uses:

Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation

The body text of the e-mail messages is one of the following:

Dear user ,
You have successfully updated the password of your account.
If you did not authorize this change or if you need assistance with your account, please contact customer service at:
Thank you for using !
The Support Team
+++ Attachment: No Virus (Clean)
+++ Antivirus - www.

Dear user ,
It has come to our attention that your User Profile ( x ) records are out of date. For further details see the attached document.
Thank you for using !
The Support Team
+++ Attachment: No Virus (Clean)
+++ Antivirus - www.

Dear Member,
We have temporarily suspended your email account .
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
See the details to reactivate your account.
Sincerely, The Support Team
+++ Attachment: No Virus (Clean)
+++ Antivirus - www.

Dear Member,
Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to cancel your membership.
Virtually yours,
The Support Team
+++ Attachment: No Virus found
+++ Antivirus - www.

Where <user> is the username and <domain> is the domain part of the recipient's e-mail address.

The attachment is usually a ZIP file with one of the following names:

updated-password  email-password  new-password  password  approved-password  account-password  accepted-password  important-details  account-details  email-details  account-info  document  readme  account-report   

The attached filename consists of one of the above keywords followed by the extension 'doc', 'htm' or 'txt', a random number of space characters and a final extension that can be one of the following:

.pif  .scr  .exe  .cmd  .bat   

For example, the filename can be 'account-report.txt<multiple spaces>.scr'.
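An added example (not from the original description) of a mail-gateway check for this naming trick: it matches the pattern keyword, 'doc'/'htm'/'txt', space padding, executable extension described above, and scans the member names of a constructed in-memory ZIP, since the worm ships the file inside an archive.

```python
import io
import re
import zipfile
from typing import List, Optional

# Lure keywords and extensions as listed in this description.
KEYWORDS = {"updated-password", "email-password", "new-password", "password",
            "approved-password", "account-password", "accepted-password",
            "important-details", "account-details", "email-details",
            "account-info", "document", "readme", "account-report"}
DECOY_EXTS = {"doc", "htm", "txt"}
EXEC_EXTS = {"pif", "scr", "exe", "cmd", "bat"}

# <stem>.<decoy ext><zero or more spaces>.<executable ext>
PADDED_NAME = re.compile(
    r"^(?P<stem>[^.\s]+)\.(?P<decoy>[a-z]+)(?P<pad> *)\.(?P<exe>[a-z]+)$", re.I)

def classify_attachment(filename: str) -> Optional[str]:
    """Return a reason if the name fits this worm's naming trick, else None."""
    m = PADDED_NAME.match(filename)
    if not m:
        return None
    stem, decoy, exe = m["stem"].lower(), m["decoy"].lower(), m["exe"].lower()
    if decoy not in DECOY_EXTS or exe not in EXEC_EXTS:
        return None
    if stem in KEYWORDS:
        return f"Mytob lure: keyword '{stem}', .{exe} hidden behind .{decoy}"
    # Any document extension padded in front of an executable one is still
    # worth blocking, even when the stem is not on the known list.
    return f"document extension .{decoy} masks executable .{exe}"

def scan_zip(data: bytes) -> List[str]:
    """Check every member name of a ZIP attachment held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        hits = []
        for name in zf.namelist():
            reason = classify_attachment(name)
            if reason:
                hits.append(f"{name!r}: {reason}")
        return hits

def build_sample_zip() -> bytes:
    """Constructed sample archive: one lure member, one harmless member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("account-report.txt      .scr", b"placeholder, not a program")
        zf.writestr("notes.txt", b"harmless text")
    return buf.getvalue()
```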

IRC-controlled Backdoor

When the worm is active, it tries to connect to the following IRC server and channel:

#skp

If the connection is successful, the worm creates a bot in that channel. A hacker can send commands to the bot in order to control the infected computer, including any of the following:

  • change IRC server
  • change channel mode
  • join specified channel
  • change bot's nick (randomly generated)
  • kick a user out of a channel
  • ping a user/server
  • set channel topic
  • exit from a channel
  • quit from IRC
  • get information about an infected system
  • download and run a file (update worm's file)
  • remove worm from a computer
  • send raw command
  • start mass-mailing
  • stop mass-mailing


F-Secure Anti-Virus detects this worm with the following updates:

Detection Type: PC
Database: 2005-11-24_04

Technical Details: Jarkko Turkulainen; Nov 25th, 2005

