4/5: Mytob-W Worm Takes Remote Orders

April 5, 2005

Some security vendors have issued alerts for Mytob.W, a worm with backdoor characteristics. It connects to a remote server and accepts remote-control commands, which it then runs on the affected computer.

In addition, Mytob.W prevents the user from accessing certain web sites belonging to antivirus companies.

Mytob.W uses different means to spread:

  • It spreads via e-mail, in messages whose subject, body and attachment name vary.
  • It exploits the LSASS vulnerability to spread across the Internet.
  • It attempts to access network shares using passwords that are common or easy to guess.

    Antivirus vendor Panda Software recommends that Windows XP/2000 users download the security patch for the LSASS vulnerability (Microsoft Security Bulletin MS04-011) from the Microsoft website.

    Technical details can be found on Panda Software's page for the worm.

    According to Trend Micro, which also issued an alert, WORM_MYTOB.W, like other WORM_MYTOB variants, propagates by sending a copy of itself as an attachment to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine.

    The email it sends out has the following details:

    Subject: (any of the following)

  • Error
  • Good day
  • Hello
  • Mail Delivery System
  • Mail Transaction Failed
  • Server Report
  • Status

    Message body: (any of the following)

  • Mail transaction failed. Partial message is available.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The original message was included as an attachment.
  • Here are your banks documents

    Attachment: (any of the following file names)

  • body
  • data
  • doc
  • document
  • file
  • message
  • readme
  • test
  • text

    (with any of the following extensions)

  • BAT
  • DOC
  • EXE
  • HTM
  • PIF
  • SCR
  • TMP
  • TXT
  • ZIP

    It gathers target email addresses from the Temporary Internet Files folder, the Windows Address Book (WAB), and files with certain extensions. It may also generate additional addresses by combining a built-in list of user names with the domain names of the previously gathered addresses.
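The subject, body and attachment-name lists above are the kind of indicators a mail filter would match on. The following is an added example, not code from the article or from Trend Micro: it encodes those lists and classifies constructed sample messages. The verdict logic (attachment plus at least one other indicator) is an assumption of this example, chosen because genuine bounce messages share subjects such as "Mail Delivery System" with the worm; the sample messages are constructed.

```python
"""Flag e-mails that carry the WORM_MYTOB.W lure described above.

The subject, body and attachment indicators are the ones Trend Micro lists;
the sample messages and the verdict rule are constructed for this example.
"""
from dataclasses import dataclass, field

SUBJECTS = {
    "error", "good day", "hello", "mail delivery system",
    "mail transaction failed", "server report", "status",
}
BODY_PHRASES = (
    "mail transaction failed. partial message is available.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
    "the original message was included as an attachment.",
    "here are your banks documents",
)
ATTACHMENT_NAMES = {"body", "data", "doc", "document", "file", "message", "readme", "test", "text"}
ATTACHMENT_EXTS = {"bat", "doc", "exe", "htm", "pif", "scr", "tmp", "txt", "zip"}


@dataclass
class Message:
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def _norm(text: str) -> str:
    """Lower-case and collapse whitespace so formatting differences do not hide a match."""
    return " ".join(text.lower().split())


def attachment_matches(filename: str) -> bool:
    """True when the file name is one of the listed names with one of the listed extensions."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if "." not in base:
        return False
    name, ext = base.rsplit(".", 1)
    return name in ATTACHMENT_NAMES and ext in ATTACHMENT_EXTS


def classify(msg: Message) -> dict:
    """Return which indicator groups matched and an overall verdict.

    The attachment is the payload, so it is required; a second indicator
    (subject or body) is required too, because legitimate bounce messages
    reuse subjects such as "Mail Delivery System".
    """
    hits = []
    if _norm(msg.subject) in SUBJECTS:
        hits.append("subject")
    body = _norm(msg.body)
    if any(phrase in body for phrase in BODY_PHRASES):
        hits.append("body")
    if any(attachment_matches(a) for a in msg.attachments):
        hits.append("attachment")
    return {"hits": hits, "suspect": "attachment" in hits and len(hits) >= 2}


# Constructed samples: two worm-style lures and one legitimate-looking bounce.
SAMPLES = {
    "worm_zip": Message("Server Report",
                        "The original message was included as an attachment.",
                        ["document.zip"]),
    "worm_pif": Message("Re: invoice",
                        "Here are your banks documents",
                        ["readme.pif"]),
    "real_bounce": Message("Mail Delivery System",
                           "This message was created automatically by mail delivery software.",
                           ["original.eml"]),
}


def run_samples() -> dict:
    """Classify every sample; returns {sample_name: classify() result}."""
    return {name: classify(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:12s} suspect={result['suspect']!s:5s} hits={result['hits']}")
```

Matching on exact subject and body strings is deliberately narrow: it catches this variant's lure without flagging every real non-delivery report, and a later variant with new strings would need the lists extended.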

    This worm also takes advantage of the following Windows vulnerabilities to propagate:

  • LSASS vulnerability (Microsoft Security Bulletin MS04-011)
  • RPC/DCOM vulnerability (Microsoft Security Bulletin MS03-026)

    For more information about these vulnerabilities, please refer to the corresponding Microsoft Security Bulletins; the patches they describe close both network propagation routes.

    This worm has backdoor capabilities, which allow a remote user to run malicious commands on the affected machine. This routine gives remote users virtually complete control over affected systems, compromising their security. The worm also prevents users from accessing several antivirus and security Web sites by redirecting connections to those sites to the local machine, so that updates and removal tools cannot be fetched from them.
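Redirecting vendor sites to the local machine is normally done by adding entries to the Windows hosts file, so an incident responder's first check is to read that file. The following is an added example, not code from the article or from either vendor: it assumes the hosts file is the mechanism, uses an assumed list of vendor keywords (the article names no specific sites), and runs against constructed sample content when the real file is not available.

```python
"""Detect hosts-file entries that sinkhole security-vendor sites.

The hosts-file mechanism, the vendor keywords and the sample file content are
assumptions of this example; the article only says connections are redirected
to the local machine.
"""
import ipaddress
import os

# Assumed substrings that identify security-vendor hostnames.
SECURITY_KEYWORDS = ("symantec", "trendmicro", "pandasoftware",
                     "mcafee", "sophos", "kaspersky")

# Constructed sample hosts file: two entries point vendor sites at loopback,
# one at the unspecified address, which has the same blocking effect.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com   # added by the worm
0.0.0.0         update.trendmicro.com
192.168.1.10    intranet.example.local
"""


def default_hosts_path() -> str:
    """Location of the hosts file on Windows, the platform the worm targets."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return os.path.join(root, "System32", "drivers", "etc", "hosts")


def parse_hosts(text: str):
    """Yield (line_number, ip_address, hostname) for every mapping in the file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                                   # malformed line, skip it
        for host in parts[1:]:
            yield lineno, addr, host.lower()


def find_sinkholed(text: str, keywords=SECURITY_KEYWORDS):
    """Return (line, address, host) for vendor hostnames mapped to loopback or 0.0.0.0."""
    flagged = []
    for lineno, addr, host in parse_hosts(text):
        if host == "localhost":
            continue                                   # the one legitimate loopback entry
        sinkholed = addr.is_loopback or addr.is_unspecified
        if sinkholed and any(k in host for k in keywords):
            flagged.append((lineno, str(addr), host))
    return flagged


if __name__ == "__main__":
    path = default_hosts_path()
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS   # not on Windows or no access: use the sample
    for lineno, addr, host in find_sinkholed(text):
        print(f"line {lineno}: {host} -> {addr}")
```

Cleaning up is not just deleting the lines: while the backdoor is still running, the operator can rewrite the file, so the check belongs after the worm's process and startup entries have been removed, and again after reboot.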

    It also drops a component file that is responsible for creating copies of the worm; Trend Micro detects this component as WORM_MYTOB.J.

    Technical details can be found on Trend Micro's page for WORM_MYTOB.W.
