4/20: Mytob-CC Worm Modifies Registry
April 20, 2005

Upon execution, Worm_Mytob.CC drops a copy of itself in the Windows system folder. It modifies the registry to ensure its automatic execution at every Windows startup.

It propagates by sending a copy of itself as an attachment to target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine.

It gathers email addresses from the Temporary Internet folder as well as from an affected user's Windows address book (WAB). It also generates email addresses from a predefined list of names. The domain name that it appends is copied from previously harvested email addresses.

It spoofs the From field of the email message that it sends by using any of the email addresses it gathered or generated.

This worm also takes advantage of the following Windows vulnerabilities to propagate:

  • RPC/DCOM vulnerability
  • Windows LSASS vulnerability

For more information about these vulnerabilities, please refer to the following Microsoft Web pages:

  • Microsoft Security Bulletin MS03-026
  • Microsoft Security Bulletin MS04-011

This worm has backdoor capabilities, which enable it to connect to an Internet Relay Chat (IRC) server. Once a connection is established, it joins an IRC channel, where it listens for commands coming from a remote malicious user.

Moreover, it prevents users from accessing several antivirus and security Web sites by redirecting the connection to the local machine.
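A check for the redirection described above, as an added example that is not part of the original advisory: it parses hosts-file text and reports security-site names pinned to the local machine. It assumes the redirection is done through hosts-file entries (the advisory does not name the mechanism); the watchlist domains and the sample file are constructed placeholders, and the function names are illustrative.

```python
import ipaddress

# Constructed watchlist of placeholder names: replace with the antivirus and
# update sites your environment depends on.
WATCHLIST = {"av-vendor.example", "updates.security-vendor.example"}

def is_local(addr):
    """True for loopback or unspecified addresses (127.0.0.0/8, ::1, 0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def watched(host, watchlist=WATCHLIST):
    """Match a watchlist entry itself or any subdomain of it, case-insensitively."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watchlist)

def suspicious_hosts_entries(text, watchlist=WATCHLIST):
    """Return (line_no, address, hostname) for watched names mapped to the local machine."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # strip comments, split on any whitespace
        if len(fields) < 2 or not is_local(fields[0]):
            continue
        for host in fields[1:]:  # one line may carry several names
            if watched(host, watchlist):
                findings.append((line_no, fields[0], host))
    return findings

# Constructed sample hosts file, not taken from an infected machine.
SAMPLE_HOSTS = """\
# Sample hosts file
127.0.0.1       localhost
127.0.0.1       www.av-vendor.example av-vendor.example
127.0.0.1\tUPDATES.security-vendor.example   # tab separated, upper case
10.0.0.5        intranet.corp.example
# 127.0.0.1     download.av-vendor.example
0.0.0.0         liveupdate.av-vendor.example
"""

if __name__ == "__main__":
    for line_no, addr, host in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {addr}")
```

On a Windows host the text to check is the content of `%SystemRoot%\System32\drivers\etc\hosts`; the ordinary `localhost` entry is not reported because it is not on the watchlist.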

Technical details can be found on the Trend Micro page.
