The Web    Google
4/8: Mytob-AB Worm Comes as Attachment

4/8: Mytob-AB Worm Comes as Attachment
April 8, 2005

Worm_Mytob.AB, like other WORM_MYTOB variants, propagates by sending a copy of itself as an attachment to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine. The email it sends out has the following details:

Subject: (any of the following)

  • (random)
  • Error
  • Good day
  • hello
  • Mail Delivery System
  • Mail Transaction Failed
  • Server Report
  • Status

    Message body: (any of the following)

  • Mail transaction failed. Partial message is available.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The original message was included as an attachment.
  • I have received your document. The corrected document is attached.

    Attachment: (any of the following file names)

  • (random)
  • body
  • data
  • doc
  • document
  • file
  • message
  • readme
  • test
  • text

    (with any of the following extensions)

  • BAT
  • CMD
  • EXE
  • PIF
  • SCR
  • ZIP

    It gathers target email addresses from the Temporary Internet files folder, Windows address book (WAB), as well as from files with certain extension names. It may also generate email addresses by using a list of names and any of the domain names of the previously gathered addresses.

    This worm also takes advantage of the following Windows vulnerabilities to propagate:

  • RPC/DCOM vulnerability
  • LSASS vulnerability

    For more information about these vulnerabilities, please refer to the following Microsoft Web pages:

    Microsoft Security Bulletin MS03-026
    Microsoft Security Bulletin MS04-011

    This worm has backdoor capabilities, which allow a remote user to perform malicious commands on the affected machine. The said routine provides remote users virtual control over affected systems, thus compromising system security.

    Moreover, it prevents users from accessing several antivirus and security Web sites by redirecting the connection to the local machine. It also drops other malicious files, which is detected by Trend Micro as TROJ_ROOTDROP.A, TROJ_ROOTKIT.H, WORM_MYTOB.Q.

    Technical details can be found at Trend Micro page.

  • Will Sobig Strike Again?
  • 8/17: Mydoom-T Copies Itself in Emails
  • 2/2: Symbos_Locknut-A Hits Symbian Devices
  • A New Breed of Phish
  • Spam Foes Worry New FTC Rule Not Enough
  • A case study in security incident forensics and response.
  • Under the Radar: IM Emerging as a Stealth Threat
  • New Tool Streamlines Management of Personal Identity Data
  • 1/3: Sdbot-SW Worm Hits Remote Shares
  • 6/14: Dansh.worm!irc an IRC Bot
  • 3/7: Forbot-EP Worm Targets Remote Shares
  • Security Camera Companies and products