The Web    Google
4/5: Mytob-Y Worm Copies Itself to Email

4/5: Mytob-Y Worm Copies Itself to Email
April 5, 2005

Like other WORM_MYTOB variants, Worm_Mytob.Y propagates by sending a copy of itself as an attachment to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine.

The email it sends out has the following details:

Subject: (any of the following)

  • Error
  • hello
  • Mail Delivery System
  • Mail Transaction Failed
  • read it immediately
  • Server Report
  • Status
  • thanks!

    Message body: (any of the following)

  • Mail transaction failed. Partial message is available.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The original message was included as an attachment.
  • I have received your document. The corrected document is attached.

    Attachment: (any of the following file names)

  • document
  • message
  • readme

    (with any of the following extensions)

  • BAT
  • CMD
  • EXE
  • PIF
  • SCR
  • ZIP

    It gathers target email addresses from the Temporary Internet files folder, Windows address book (WAB), as well as from files with certain extension names. It may also generate email addresses by using a list of names and any of the domain names of the previously gathered addresses.

    This worm also takes advantage of the following Windows vulnerabilities to propagate:

  • LSASS vulnerability
  • RPC/DCOM vulnerability

    For more information about these vulnerabilities, please refer to the following Microsoft Web pages:

    Microsoft Security Bulletin MS03-026
    Microsoft Security Bulletin MS04-011

    This worm has backdoor capabilities, which allow a remote user to perform malicious commands on the affected machine. The said routine provides remote users virtual control over affected systems, thus compromising system security.

    Moreover, it prevents users from accessing several antivirus and security Web sites by redirecting the connection to the local machine.

    It also drops a component file, which is responsible for creating copies of this worm. The said component is detected by Trend Micro as WORM_MYTOB.Q.

    Technical details can be found at Trend Micro page.

  • Understanding and Preventing DDoS Attacks
  • PentaSafe Unveils Integrated Security Manager
  • Teen Held For Allegedly Swiping Code
  • Symantec, Veritas Leaders Tout Merger
  • Making Outlook Less Insecure
  • Meta Group Slams Wireless LAN Suppliers on Security
  • 5/11: Ifbo-A Worm Exploits LSASS Flaw
  • 10/20: Spybot-DF an IRC Backdoor Worm
  • Simplifying SCM with Appliances
  • House Passes Anti-Spyware Bill
  • 6/10: Agobot-JT Allows Unauthorized Access
  • Security Camera News