The Web    Google
4/11: Mytob-AG Sends Copy of Itself

4/11: Mytob-AG Sends Copy of Itself
April 11, 2005

Like other WORM_MYTOB variants, Worm_Mytob-AG propagates by sending a copy of itself as an attachment to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine.

It gathers target email addresses from the Temporary Internet files folder, Windows address book (WAB), as well as from files with certain extension names. It may also generate email addresses by using a list of names and any of the domain names of the previously gathered addresses.

This worm also takes advantage of the following Windows vulnerabilities to propagate:

RPC/DCOM vulnerability
LSASS vulnerability

For more information about these vulnerabilities, please refer to the following Microsoft Web pages:

Microsoft Security Bulletin MS03-026
Microsoft Security Bulletin MS04-011

This worm has backdoor capabilities, which allow a remote user to perform malicious commands on the affected machine. The said routine provides remote users virtual control over affected systems, thus compromising system security.

Moreover, it prevents users from accessing several antivirus and security Web sites by redirecting the connection to the local machine.

It also drops a component file, which is responsible for creating copies of this worm. The said component is detected by Trend Micro as WORM_MYTOB.J.

Technical details can be found at Trend Micro page.

  • 11/11: Masteq-H Trojan Runs Silently
  • Enterprise IM Spurs Privacy Concerns
  • 5/17: Mytob-CH a Mass-Mailing Worm
  • 7/29: Lovgate-AK a Mass-Mailing Worm
  • Author of Zafi-B Worm Trailed to Hungary
  • 7/12 Atak.A Worm Low Threat but High Traffic
  • Fighting to Keep Smut-Spam in a Brown Wrapper
  • 7/29: Lovgate-AK a Mass-Mailing Worm
  • 3/31: MyDoom-AI Worm Uses Email
  • Secure Messaging Vendor Offers Management Appliance
  • Virus Alert Activity Intensifies
  • Security Camera Industry Information