Aliases: W32/Mytob!gen
Variants: Win32.Mytob.DM, Win32.Mytob.DO, Net-Worm.Win32.Mytob.bb, bf, W32/Mytob.bh

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Slow
Geographical info: North and South America, Asia, Europe, Austalia, Africa
Removal: Easy
Platform: W32
Discovered: 03 Jun 2005
Damage: Low

Characteristics: This worm is part of the Mytob family of mass mailing worms. This family of worms has backdoor capabilities and they use their own simple mail transfer protocol (SMTP) engine for sending infected emails to email addresses it has collected from the victim machine. The backdoor can also be used by the worm’s author for sending instructions.

More details about W32.Mytob!gen

This malware will create several mutexes so that only a single instance of the worm is running in the victim machine at a given time. The worm then copies its code as a file with an .exe file extension. The W32.Mytob!gen worm will also add one of its predetermined values to several registry subkeys so that it can launch each time the operating system is started. It is critical to note that this worm has the ability to recreate its predefined registry entries if they are removed from the victim machine. This security risk collects email addresses from files with the extensions SHT, HTM, JSP, XML, CGI, ASP, PHP, TBB, DBX, PL, ADB and WAB. The worm however will not send its code to addresses that have security related strings, such as those with the name of antivirus products on them. This malware may add some predetermined prefixes to domain names for finding SMTP servers.

The W32.Mytob!gen worm then attempts to open a backdoor in the compromised machine by establishing a connection to an IRC (Internet Relay Chat) server on the 4512 TCP port. It will then wait for instructions that will permit its remote author to carry out some malicious tasks. These tasks include acquiring the worm’s updated version, downloading and launching files and terminating, updating or removing the worm. This worm can likewise block access to some websites that it deems as security related by appending a text to the Windows Hosts file. It will try to terminate some security related process as well.