
Mytob Computer Virus

W32.Mytob is a mass-mailing worm with back door capabilities that uses its own SMTP engine to send email to addresses it gathers from the compromised computer. The Mytob virus arrives as a zip-file attachment containing a script file "test.scr". If the user double-clicks the script file, the Mytob computer virus executes. Once executed, it performs the following actions:

  • Copies itself as:
    %System%\taskgmr.exe
    %System%\ethell.exe
    Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  • Drops the file %SystemDrive%\hellmsn.exe, which then creates the following copies of the worm:
    C:\funny pic.scr, C:\photo album.scr, C:\eminem vs 2pac.scr
    Note: %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.

  • Adds the value "WINTASK" = "taskgmr.exe" to the registry subkeys:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    HKEY_CURRENT_USER\Software\Microsoft\OLE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
    so that it runs every time Windows starts. The worm will continuously check for the presence of these registry keys and recreate them if they are deleted.

  • The worm creates a mutex so that only one instance of the worm runs on the compromised computer. It gathers email addresses from the Windows Address Book and from the following folders: %Windir%\Temporary Internet Files; %Userprofile%\Local Settings\Temporary Internet Files; %System%. It also searches for email addresses in files on fixed and RAM drives whose extensions contain the following strings: .adb*; .asp*; .dbx*; .htm*; .php*; .pl; .sht*; .tbb*;
    .wab*. It then uses its own SMTP engine to send itself to the email addresses it finds.

  • Connects to a predetermined IRC channel on the irc.blackcarder.net or diablo.corsforcors.com domains and listens for commands. These commands allow the remote attacker to perform actions such as downloading and executing files, or even restarting the computer.

  • Blocks access to several security-related Web sites (symantec.com, mcafee.com, etc.) by appending entries for those sites to the Hosts file.

  • It then scans for shared folders and may drop the file taskgmr.exe into various folders.
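As an added example (not part of the original alert), the following Python triage script checks an exported registry file and a Hosts file for two of the indicators described above: the "WINTASK" = "taskgmr.exe" autorun value and Hosts entries that override the security vendors' domains. The .reg and Hosts contents it runs against are constructed samples, not real captures.

```python
import re

# Indicators taken from the alert above: the autorun value the worm installs
# and the security vendors whose sites it blocks through the Hosts file.
WINTASK_VALUE = "WINTASK"
WINTASK_DATA = "taskgmr.exe"
BLOCKED_DOMAINS = ("symantec.com", "mcafee.com")

def find_wintask_entries(reg_export):
    """Return every key in a .reg export that carries WINTASK=taskgmr.exe."""
    hits, current_key = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"="([^"]*)"', line)
        if (m and current_key and m.group(1).upper() == WINTASK_VALUE
                and m.group(2).lower().endswith(WINTASK_DATA)):
            hits.append(current_key)
    return hits

def find_hosts_hijacks(hosts_text):
    """Return vendor hostnames a Hosts file overrides (any address counts)."""
    hijacked = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then tokenise
        for name in fields[1:]:                  # fields[0] is the address
            lname = name.lower()
            if any(lname == d or lname.endswith("." + d) for d in BLOCKED_DOMAINS):
                hijacked.append(lname)
    return hijacked

# Constructed sample inputs (not real captures) exercising both checks.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINTASK"="taskgmr.exe"
"UpdateTool"="C:\\Program Files\\Vendor\\update.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINTASK"="taskgmr.exe"
"""
SAMPLE_HOSTS = """127.0.0.1 localhost
127.0.0.1 www.symantec.com  # appended by the worm
127.0.0.1 mcafee.com
"""

if __name__ == "__main__":
    print(find_wintask_entries(SAMPLE_REG), find_hosts_hijacks(SAMPLE_HOSTS))
```

On a live system the same functions can be fed the output of `reg export` and the contents of %System%\drivers\etc\hosts.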

Updated On: 12.07.11
