4/20: Mytob-CC Worm Modifies Registry

April 20, 2005

Upon execution, Worm_Mytob.CC drops a copy of itself in the Windows system folder. It modifies the registry to ensure its automatic execution at every Windows startup.

It propagates by sending a copy of itself as an attachment to target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine.

It gathers email addresses from the Temporary Internet Files folder as well as from the affected user's Windows Address Book (WAB). It also generates email addresses from a predefined list of names; the domain name it appends to each generated name is copied from previously harvested email addresses.

It spoofs the From field of the email message that it sends by using any of the email addresses it gathered or generated.

This worm also takes advantage of the following Windows vulnerabilities to propagate:

  • RPC/DCOM vulnerability
  • Windows LSASS vulnerability

For more information about these vulnerabilities, please refer to the following Microsoft Web pages:

  • Microsoft Security Bulletin MS03-026
  • Microsoft Security Bulletin MS04-011

This worm has backdoor capabilities, which enable it to connect to an Internet Relay Chat (IRC) server. Once a connection is established, it joins an IRC channel, where it listens for commands coming from a remote malicious user.

Moreover, it prevents users from accessing several antivirus and security Web sites by redirecting the connection to the local machine.
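A defender-side check for the site-blocking behaviour described above, added here as an example rather than code from the article or from Trend Micro. It scans the contents of a Windows hosts file for security-vendor names mapped to the local machine; the vendor domain list is an assumption (the article does not name the blocked sites) and the sample hosts file is constructed.

```python
# Flag hosts-file entries that send security-vendor sites to the local machine.
import ipaddress

# Assumed watch-list of antivirus/security vendor domains; the article does
# not say which sites the worm blocks, so this list is illustrative only.
WATCH_DOMAINS = ("trendmicro.com", "symantec.com", "mcafee.com",
                 "microsoft.com", "windowsupdate.com", "sophos.com")

def is_local_sink(addr: str) -> bool:
    """True if addr is a loopback (127.0.0.0/8, ::1) or black-hole (0.0.0.0) address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def matches_watch(host: str, watch=WATCH_DOMAINS) -> bool:
    """True if host is a watched domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watch)

def find_hosts_redirects(hosts_text: str, watch=WATCH_DOMAINS):
    """Return (line_no, ip, hostname) for each watched name redirected locally."""
    findings = []
    for n, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        addr, *names = line.split()           # one IP, one or more hostnames
        if not is_local_sink(addr):
            continue
        for name in names:
            if name.lower() == "localhost":
                continue                      # the one legitimate loopback mapping
            if matches_watch(name, watch):
                findings.append((n, addr, name))
    return findings

# Constructed sample hosts file mimicking the redirection described above.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.trendmicro.com
127.0.0.1\tliveupdate.symantec.com   update.symantec.com
0.0.0.0 windowsupdate.microsoft.com
"""

if __name__ == "__main__":
    for line_no, ip, host in find_hosts_redirects(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip}")
```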

Technical details can be found on the Trend Micro page.
