Like other WORM_MYTOB variants, Worm_Mytob-AG propagates by sending a copy of itself as an attachment to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine.
It gathers target email addresses from the Temporary Internet files folder, Windows address book (WAB), as well as from files with certain extension names. It may also generate email addresses by using a list of names and any of the domain names of the previously gathered addresses.
This worm also takes advantage of the following Windows vulnerabilities to propagate:
RPC/DCOM vulnerability
LSASS vulnerability
For more information about these vulnerabilities, please refer to the following Microsoft Web pages:
Microsoft Security Bulletin MS03-026
Microsoft Security Bulletin MS04-011
This worm has backdoor capabilities, which allow a remote user to perform malicious commands on the affected machine. The said routine provides remote users virtual control over affected systems, thus compromising system security.
Moreover, it prevents users from accessing several antivirus and security Web sites by redirecting the connection to the local machine.
It also drops a component file, which is responsible for creating copies of this worm. The said component is detected by Trend Micro as WORM_MYTOB.J.
Technical details can be found at Trend Micro page.
4/11: Mytob-AG Sends Copy of Itself
