Alias: Net-Worm.Win32.Mytob.q, W32/Mytob.gen, W32.Mytob.U@mm, WORM_MYTOB.X
Type: Worm
Size: 51.062 bytes
Origin:
Date: 04-05-2005
Damage:
VDF Version: 6.30.00.65
Danger: Low
Distribution: Medium

General Description

Affected Platforms:
* Windows 95
* Windows 98
* Windows ME
* Windows NT
* Windows 2000
* Windows XP
* Windows Server 2003

Symptoms

Spreads itself by e-mail (using its own SMTP engine) and over MSN Messenger.

Distribution

Worm/Mytob.W carries its own SMTP engine. Each outgoing message is assembled from fixed lists of possible subjects, bodies and attachment names, picked at random, so the subject, body and attachment vary from mail to mail:

- SUBJECT (one of the following):

- GOOD DAY
- HELLO
- ERROR
- STATUS
- SERVER REPORT
- MAIL DELIVERY SYSTEM
- MAIL TRANSACTION FAILED
- MAIL SYSTEM ERROR - RETURNED MAIL
- DELIVERY REPORTS ABOUT YOUR E-MAIL
- Returned mail: see transcript for details
- Returned mail: Data format error
- Message could not be delivered
- Delivery failed
- Hi

- BODY (one of the following):

- Mail transaction failed. Partial message is available.

- The message contains Unicode characters and has been sent as a binary attachment.

- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

- The original message was included as an attachment.

- Here are your banks documents.


- ATTACHMENT (one of the following base names):

body
data
doc
document
file
message
readme
test
text
<%random%>

followed by one of the following extensions:

bat
cmd
exe
pif
scr
zip

Technical Details

When Worm/Mytob.W is executed, it copies itself to the following locations:

- <%Rootdir%>\funny_pic.scr
- <%Root%>\see_this!!.scr
- <%Rootdir%>\my_photo2005.scr
- <%Sysdir%>\nethell.exe
- <%Sysdir%>\taskgmr.exe

and creates the following files:

- <%Root%>\hellmsn.exe (6.050 bytes; detected as Worm/Mytob.F.1)
- <%Sysdir%>\2pac.txt (~80 bytes)
- <%Sysdir%>\bingoo.exe (51.200 bytes; detected as Worm/Mytob.W)

Worm/Mytob.W changes the Windows HOSTS file:

- <%Sysdir%>\drivers\etc\hosts

The worm creates the following entries in the Windows Registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINTASK"="taskgmr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WINTASK"="taskgmr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WINTASK"="taskgmr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"WINTASK"="taskgmr.exe"

[HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa]
"WINTASK"="taskgmr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"WINTASK"="taskgmr.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"WINTASK"="taskgmr.exe"
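
A check for these entries, added here as an example and not Avira's code: it parses a registry export in the .reg text format that regedit writes, so it can run offline against a file collected from a suspect machine. The sample export is constructed for this example. Run and RunServices are genuine autostart locations; the OLE and Lsa keys are not, so a sweep limited to the usual autorun keys would miss those markers, which is why the check covers all seven keys listed above.

```python
"""Scan a .reg export (the text format regedit writes) for the WINTASK /
taskgmr.exe entries listed above, plus a generic check for autorun values
that point at a bare file name instead of a full path.

Added example, not code from the Avira description. SAMPLE_REG is
constructed for this example.
"""
from __future__ import annotations

import re

# Keys from the description, lower-cased for comparison.
MYTOB_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\ole",
    r"hkey_current_user\system\currentcontrolset\control\lsa",
    r"hkey_local_machine\software\microsoft\ole",
    r"hkey_local_machine\system\currentcontrolset\control\lsa",
}
AUTORUN_KEYS = {k for k in MYTOB_KEYS if k.endswith(("\\run", "\\runservices"))}
MYTOB_VALUE_NAME = "wintask"
MYTOB_VALUE_DATA = "taskgmr.exe"

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<data>.*)$')


def _unquote(s: str) -> str:
    """Undo .reg string escaping: surrounding quotes, \\ and \" inside."""
    if len(s) >= 2 and s.startswith('"') and s.endswith('"'):
        s = s[1:-1]
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Key path -> {value name: data}. String values are unescaped; other
    types (dword:, hex:) are kept as the raw token, since the worm only
    writes REG_SZ values."""
    keys: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group("name") == "@" else _unquote(m.group("name"))
            data = m.group("data")
            keys[current][name] = _unquote(data) if data.startswith('"') else data
    return keys


def find_mytob_entries(reg_text: str) -> list[tuple[str, str, str]]:
    """(key, value name, data) for every WINTASK / taskgmr.exe value found in
    any of the seven keys the description lists."""
    hits = []
    for key, values in parse_reg(reg_text).items():
        if key.lower() not in MYTOB_KEYS:
            continue
        for name, data in values.items():
            if name.lower() == MYTOB_VALUE_NAME or data.lower() == MYTOB_VALUE_DATA:
                hits.append((key, name, data))
    return hits


def find_pathless_autoruns(reg_text: str) -> list[tuple[str, str, str]]:
    """Autorun values whose program is a bare file name. Those are resolved
    through the loader's search path (which includes the System directory,
    where the worm drops taskgmr.exe) instead of naming an explicit file."""
    hits = []
    for key, values in parse_reg(reg_text).items():
        if key.lower() not in AUTORUN_KEYS:
            continue
        for name, data in values.items():
            program = data.strip().strip('"').split(" ")[0]
            if program and "\\" not in program and ":" not in program:
                hits.append((key, name, data))
    return hits


# Constructed export for this example: two worm entries beside two benign ones.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINTASK"="taskgmr.exe"
"SecurityScan"="C:\\Program Files\\Vendor\\scan.exe /tray"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"WINTASK"="taskgmr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

if __name__ == "__main__":
    for hit in find_mytob_entries(SAMPLE_REG):
        print("Mytob marker:", hit)
    for hit in find_pathless_autoruns(SAMPLE_REG):
        print("path-less autorun:", hit)
```

On a live machine the same logic applies to the output of `reg export` for each of the seven keys; the path-less check is the one worth keeping after this particular worm is gone, because a Run value with no directory is unusual for legitimately installed software.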

If MSN Messenger or Windows Messenger is running, the worm sends a copy of itself to every contact in the list whose status is ONLINE, using one of the following file names:

- funny_pic.scr
- see_this!!.scr
- my_photo2005.scr

Worm/Mytob.W also connects to the IRC server 19.x*****r.biz on port 13000.

In addition, the worm listens on TCP port 16542 and serves incoming FTP connections there.
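
The two network behaviours above, plus the SMTP engine, can be picked out of a `netstat -ano` capture once PIDs are mapped back to image names. The following is an added example, not code from the Avira description; both captures are constructed for this example, and the remote addresses in them are documentation-range placeholders rather than the worm's real server.

```python
"""Find the worm's network footprint in a `netstat -ano` capture: the FTP
backdoor listener on TCP 16542, the outbound IRC connection to port 13000,
and any other socket owned by one of the dropped executables (the SMTP
engine shows up this way). `tasklist /fo csv` output supplies the PID to
image-name mapping.

Added example, not code from the Avira description. Both captures below
are constructed for this example.
"""
from __future__ import annotations

import csv
import io
import re

FTP_BACKDOOR_PORT = 16542
IRC_PORT = 13000
WORM_IMAGES = {"taskgmr.exe", "nethell.exe", "bingoo.exe", "hellmsn.exe"}

# Proto  Local Address  Foreign Address  [State]  PID   (UDP rows have no State)
_NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def _port(endpoint: str) -> int | None:
    """Port of 'addr:port'; None for '*:*' or a bare address."""
    _, sep, port = endpoint.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def parse_netstat(text: str) -> list[dict]:
    rows = []
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if m:
            rows.append({"proto": m["proto"], "local": m["local"],
                         "remote": m["remote"], "state": m["state"] or "",
                         "pid": int(m["pid"])})
    return rows


def parse_tasklist(csv_text: str) -> dict[int, str]:
    return {int(r["PID"]): r["Image Name"]
            for r in csv.DictReader(io.StringIO(csv_text))}


def find_indicators(netstat_text: str, tasklist_csv: str) -> list[tuple[str, int, str, str]]:
    """(indicator, pid, image, endpoint) tuples, one per suspicious socket."""
    image_of = parse_tasklist(tasklist_csv)
    findings = []
    for r in parse_netstat(netstat_text):
        image = image_of.get(r["pid"], "?")
        if (r["proto"] == "TCP" and r["state"] == "LISTENING"
                and _port(r["local"]) == FTP_BACKDOOR_PORT):
            findings.append(("ftp-backdoor-listener", r["pid"], image, r["local"]))
        elif (r["proto"] == "TCP" and _port(r["remote"]) == IRC_PORT
                and r["state"] in {"ESTABLISHED", "SYN_SENT"}):
            findings.append(("irc-connection", r["pid"], image, r["remote"]))
        elif image.lower() in WORM_IMAGES:
            findings.append(("socket-owned-by-worm-image", r["pid"], image, r["remote"]))
    return findings


SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:16542          0.0.0.0:0              LISTENING       1532
  TCP    192.168.1.20:1071      203.0.113.9:13000      ESTABLISHED     1532
  TCP    192.168.1.20:1089      93.184.216.34:80       ESTABLISHED     2200
  TCP    192.168.1.20:1095      198.51.100.7:25        SYN_SENT        1532
  UDP    0.0.0.0:445            *:*                                    4
"""

SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","900","Console","0","4,512 K"
"taskgmr.exe","1532","Console","0","1,204 K"
"iexplore.exe","2200","Console","0","24,000 K"
"""

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(finding)
```

The third indicator is the useful generalisation: once a process is known to be one of the dropped files, every socket it owns is of interest, including the port-25 connection that reveals the SMTP engine at work.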

Worm/Mytob.W adds the following lines to the Windows HOSTS file so that the listed sites (security-vendor update and support servers, plus www.microsoft.com) resolve to 127.0.0.1 and can no longer be reached from the infected machine:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
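
A checker and cleaner for this tampering, added here as an example and not Avira's code. It works on hosts-file text, so it can be run against a file copied off a suspect machine; the sample is constructed for this example. Two details matter in practice: the cleanup must not delete a legitimate localhost mapping that shares a line with a hijacked name, and names outside the vendor list above are still reported, since any entry pinned to loopback blocks that site just as effectively.

```python
"""Detect the HOSTS-file hijack listed above and produce a cleaned file.

Added example, not code from the Avira description. SAMPLE_HOSTS is
constructed for this example.
"""
from __future__ import annotations

import ipaddress

# Vendor domains from the list above, used to label hits. Any other name
# pinned to a sinkhole address is still reported, just without a label.
SECURITY_VENDOR_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com", "microsoft.com",
)
# Names that legitimately map to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def _is_sinkhole(addr: str) -> bool:
    """Loopback or unspecified: traffic to the name can never leave the host."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _vendor_of(host: str) -> str | None:
    """Vendor domain the host belongs to, matched on label boundaries."""
    h = host.lower().rstrip(".")
    for domain in SECURITY_VENDOR_DOMAINS:
        if h == domain or h.endswith("." + domain):
            return domain
    return None


def parse_hosts(text: str):
    """Yield (line number, address, [names]) per mapping line; comments dropped."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield n, fields[0], fields[1:]


def find_hijacks(text: str) -> list[dict]:
    """Every non-local name mapped to a sinkhole address."""
    hits = []
    for n, addr, names in parse_hosts(text):
        if not _is_sinkhole(addr):
            continue
        for name in names:
            if name.lower() not in LOCAL_NAMES:
                hits.append({"line": n, "address": addr, "host": name,
                             "vendor": _vendor_of(name)})
    return hits


def clean_hosts(text: str) -> str:
    """Remove hijacked names only. A line that also carries a legitimate
    name (e.g. localhost) is rewritten rather than dropped; comments and
    untouched lines are preserved verbatim."""
    bad: dict[int, set[str]] = {}
    for h in find_hijacks(text):
        bad.setdefault(h["line"], set()).add(h["host"])
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        if n not in bad:
            out.append(raw)
            continue
        body, hash_, comment = raw.partition("#")
        fields = body.split()
        keep = [fields[0]] + [x for x in fields[1:] if x not in bad[n]]
        if len(keep) > 1:
            out.append(" ".join(keep) + (f" {hash_}{comment}" if hash_ else ""))
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


# Constructed sample: a stock Windows header, some of the worm's lines, one
# sinkholed name outside the vendor list sharing a line with localhost, and
# one legitimate static entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.microsoft.com
127.0.0.1 localhost update.example-vendor.net   # not on the vendor list
10.0.0.5  intranet.corp.example  # legitimate static entry
"""

if __name__ == "__main__":
    for h in find_hijacks(SAMPLE_HOSTS):
        print(f"line {h['line']}: {h['host']} -> {h['address']} ({h['vendor'] or 'unlisted'})")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Because the worm restarts from the Run keys at every boot, a cleaned hosts file is only a lasting fix once the registry entries and dropped files above have been removed as well.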
Description inserted by Crony Walker on Tuesday, June 15, 2004
