4/20: Mytob-CC Worm Modifies Registry

Upon execution, Worm_Mytob.CC drops a copy of itself in the Windows system folder. It modifies the registry to ensure its automatic execution at every Windows startup.
It propagates by sending a copy of itself as an attachment to target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine.
It gathers email addresses from the Temporary Internet folder as well as from an affected user's Windows address book (WAB). It also generates email addresses from a predefined list of names. The domain name that it appends is copied from previously harvested email addresses.
It spoofs the From field of the email message that it sends by using any of the email addresses it gathered or generated.
This worm also takes advantage of the following Windows vulnerabilities to propagate:
For more information about these vulnerabilities, please refer to the following Microsoft Web pages:
This worm has backdoor capabilities, which enable it to connect to an Internet Relay Chat (IRC) server. Once a connection is established, it joins an IRC channel, where it listens for commands coming from a remote malicious user.
Moreover, it prevents users from accessing several antivirus and security Web sites by redirecting the connection to the local machine.
Technical details can be found at the Trend Micro page.
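A defender can check a host for the redirection of security sites described above by auditing its hosts file. The following is an added example, not part of the original advisory: it assumes the redirection is done through hosts-file entries (the page does not name the mechanism), and the watch list and sample file contents are constructed for illustration.

```python
import ipaddress

# Constructed watch list (not from the advisory): domain suffixes of security
# sites whose resolution should never be pinned to the local machine.
WATCHED_SUFFIXES = ("trendmicro.com", "symantec.com", "mcafee.com")

# Constructed sample of a tampered hosts file, for offline demonstration.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp. sample header
127.0.0.1       localhost
127.0.0.1 www.trendmicro.com   trendmicro.com
127.0.0.1\tLiveUpdate.Symantec.com # trailing comment
0.0.0.0 download.mcafee.com
10.1.2.3 intranet.corp.example
127.0.0.1 notsymantec.com.example
bogus line without address
"""


def is_local(addr: str) -> bool:
    """True for loopback or unspecified addresses (127.0.0.0/8, ::1, 0.0.0.0)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def is_watched(host: str) -> bool:
    """Match a watched domain exactly or as a parent domain, case-insensitively."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_redirects(hosts_text: str):
    """Return (line_no, address, hostname) for watched names pinned locally."""
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2 or not is_local(fields[0]):
            continue
        hits += [(line_no, fields[0], h) for h in fields[1:] if is_watched(h)]
    return hits


if __name__ == "__main__":
    for line_no, addr, host in find_redirects(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {addr}")
```

On a live Windows system the text to pass in is the content of the hosts file under the system folder's `drivers\etc` directory.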