Like other Mytob worm variants, Worm_Mytob.CY propagates by sending a copy of itself as an attachment to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine.
It gathers target email addresses from the Temporary Internet files folder, Windows address book (WAB), as well as from files with certain extension names. It may also generate email addresses by using a list of names and any of the domain names of the previously gathered addresses.
This worm also takes advantage of certain Windows vulnerabilities to propagate. For more information about these vulnerabilities, please refer to the following Microsoft Web pages:
Microsoft Security Bulletin MS04-011
Microsoft Security Bulletin MS03-026
This worm has backdoor capabilities, which allow a remote user to perform malicious commands on the affected machine. The said routine provides remote users virtual control over affected systems, thus compromising system security.
Moreover, it prevents users from acessing several antivirus and security Web sites by redirecting the connection to the local machine.
It also drops a component file, which is responsible for creating copies of this worm. The said component is detected by Trend Micro as WORM_MYTOB.J.
More information can be found at Trend Micro page.
4/27: Mytob-CY Worm Arrives as Email Attachment
