The Web    Google
4/5: Mytob-Y Worm Copies Itself to Email

4/5: Mytob-Y Worm Copies Itself to Email
April 5, 2005

Like other WORM_MYTOB variants, Worm_Mytob.Y propagates by sending a copy of itself as an attachment to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine.

The email it sends out has the following details:

Subject: (any of the following)

  • Error
  • hello
  • Mail Delivery System
  • Mail Transaction Failed
  • read it immediately
  • Server Report
  • Status
  • thanks!

    Message body: (any of the following)

  • Mail transaction failed. Partial message is available.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The original message was included as an attachment.
  • I have received your document. The corrected document is attached.

    Attachment: (any of the following file names)

  • document
  • message
  • readme

    (with any of the following extensions)

  • BAT
  • CMD
  • EXE
  • PIF
  • SCR
  • ZIP

    It gathers target email addresses from the Temporary Internet files folder, Windows address book (WAB), as well as from files with certain extension names. It may also generate email addresses by using a list of names and any of the domain names of the previously gathered addresses.

    This worm also takes advantage of the following Windows vulnerabilities to propagate:

  • LSASS vulnerability
  • RPC/DCOM vulnerability

    For more information about these vulnerabilities, please refer to the following Microsoft Web pages:

    Microsoft Security Bulletin MS03-026
    Microsoft Security Bulletin MS04-011

    This worm has backdoor capabilities, which allow a remote user to perform malicious commands on the affected machine. The said routine provides remote users virtual control over affected systems, thus compromising system security.

    Moreover, it prevents users from accessing several antivirus and security Web sites by redirecting the connection to the local machine.

    It also drops a component file, which is responsible for creating copies of this worm. The said component is detected by Trend Micro as WORM_MYTOB.Q.

    Technical details can be found at Trend Micro page.

  • Gates Sends Letter on Spam to Congress
  • Microsoft Defends Security Approaches
  • Spam Foes Worry New FTC Rule Not Enough
  • The Sober Virus Returns
  • 10/20: Spybot-DF an IRC Backdoor Worm
  • 2/21: MyDoom-BE Worm Harvests Addresses
  • How hacking has entered the age of mass production.
  • 6/28: Rbot-CA Allows Remote Access
  • 5/17: Flush-D Trojan Modifies DNS Server
  • 11/23: Backdoor.Sdbot.AH a Network-Aware Worm
  • 1/31: Unfunner-A Worm Moves Via MSN Messenger
  • Security Camera Related Information