Some security vendors have issued alerts for Mytob.W, a worm with backdoor characteristics. It connects to a server and accepts remote control commands that are run in the affected computed.
In addition to this, Mytob.W prevents the user from accessing certain web pages belonging to antivirus companies.
Mytob.W uses different means to spread:
It spreads via e-mail, in a message with variable characteristics.
It exploits the LSASS vulnerability to spread across the Internet.
It attempts to access network shared resources using passwords that are typical or easy to guess.
Antivirus software vendor Panda Software is recommending users of a Windows XP/2000 computer to download the security patch for the LSASS vulnerability from the Microsoft website.
Technical details can be found at Panda Software page.
According to Trend Micro, which also issued an alert, Like other WORM_MYTOB variants, Worm_Mytob.W propagates by sending a copy of itself as an attachment to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine.
The email it sends out has the following details:
Subject: (any of the following)
Error
Good day
Hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Message body: (any of the following)
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The original message was included as an attachment.
Here are your banks documents
Attachment: (any of the following file names)
body
data
doc
document
file
message
readme
test
text
(with any of the following extensions)
BAT
DOC
EXE
HTM
PIF
SCR
TMP
TXT
ZIP
It gathers target email addresses from the Temporary Internet files folder, Windows address book (WAB), as well as from files with certain extension names. It may also generate email addresses by using a list of names and any of the domain names of the previously gathered addresses.
This worm also takes advantage of the following Windows vulnerabilities to propagate:
LSASS vulnerability
RPC/DCOM vulnerability
For more information about these vulnerabilities, please refer to the following Microsoft Web pages:
Microsoft Security Bulletin MS03-026
Microsoft Security Bulletin MS04-011
This worm has backdoor capabilities, which allow a remote user to perform malicious commands on the affected machine. The said routine provides remote users virtual control over affected systems, thus compromising system security. Moreover, it prevents users from accessing several antivirus and security Web sites by redirecting the connection to the local machine.
It also drops a component file, which is responsible for creating copies of this worm. The said component is detected by Trend Micro as WORM_MYTOB.J.
Technical details can be found at this Trend Micro page.
4/5: Mytob-W Worm Takes Remote Orders
