W32/Mytob-BD

Aliases	Net-Worm.Win32.Mytob.bd
Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Email messages
Affected operating systems	Windows
Included in our products from	July 2005 (3.95)
Protection available since	7 June 2005 02:18:43 (GMT)
Detected by	All Sophos products

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

and remove any reference to any file you deleted.

Close the registry editor.

More Information

Summary
Action
More Information

W32/Mytob-BD is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network.

W32/Mytob-BD spreads by sending an email containing a fake URL link which points to a remote website containing a sample of W32/Mytob-BD. When the link is clicked, a sample of W32/Mytob-BD is downloaded and executed. W32/Mytob-BD is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network.

When first run W32/Mytob-BD copies itself to the Windows system folder as test2.exe and creates the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS SYSTEM
test2.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS SYSTEM
test2.exe

W32/Mytob-BD also disables the Windows XP firewall by changing the following default registry entry from:

from:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
00000003

to:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
00000004

W32/Mytob-BD terminates system and anti-virus related processes including CMD.EXE, TASKMON.EXE and REGEDIT.EXE.

W32/Mytob-BD also appends the following mappings to the HOSTS file to deny access to trading, financial and security related websites:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com

Emails sent by W32/Mytob-BD have the following properties:

Subject lines chosen from:

'Notice: **Last Warning**'
'*IMPORTANT* Please Validate Your Account'
'Account Alert'
'Important Notification'
'*IMPORTANT* Please Confirm Your Account'
'Security measures'
'Notice of account limitation'

Message text is of the following format:

'Dear Valued Member,

According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons.

http://www.<domain name>/confirm.php?email=<email address>

Thank you for your attention to this question. We apologize for any inconvenience.

Sincerely, <company name> Security Department Assistant.'

The URL link is faked and points to a remote website containing a sample of W32/Mytob-BD. When the link is clicked, a sample of W32/Mytob-BD is downloaded and executed.

W32/Mytob-BD harvests email addresses from files on the infected computer and from the Windows address book as well as the Microsoft Internet Account Manager.

W32/Mytob-BD may also attempt to download files from the Internet and steal system information.

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Mytob-BD

Summary

Action

More Information