W32/Mytob-M

Please follow the instructions for removing worms.

If you are running Sophos Anti-Virus for Windows, version 6.0, you should follow our instructions for removing worms.

If you use any of our other products please read the instructions for removing W32/Mytob-M.

W32/Mytob-M is a mass-mailing worm and IRC backdoor Trojan.

W32/Mytob-M runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels, including the ability to download and execute files on the infected computer.

W32/Mytob-M can spread by sending itself as an email attachment to email addresses it harvests from the infected computer, either as an attachment with a double-extension or as a ZIP file containing a file with a double-extension. Emails sent by the worm have the following characteristics:

Subject line:
Notice: **Last Warning**
*DETECTED* Online User Violation
Your Email Account is Suspended For Security Reasons
Account Alert
Important Notification
*WARNING* Your Email Account Will Be Closed
Security measures
Email Account Suspension
Notice of account limitation

Message body:
Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.

The original message has been included as an attachment.

We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.

We attached some important information regarding your account.

Please read the attached document and follow it's instructions.

Attachment base name:
email-info
email-doc
information
account-details
document
INFO
instructions
info-text
information

First extension (of attachment or of file inside ZIP):
doc
htm
txt

Second extension (of attachment or of file inside ZIP):
pif
scr
exe
cmd
bat

If the attachment is a ZIP file it will have the same base name as the double-extension file inside.

Example attachment names include document.txt.pif and information.doc.cmd, usually with a large number of spaces between the extensions. W32/Mytob-M is a mass-mailing worm and IRC backdoor Trojan.

W32/Mytob-M runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels, including the ability to download and execute files on the infected computer.

W32/Mytob-M can spread by sending itself as an email attachment to email addresses it harvests from the infected computer, either as an attachment with a double-extension or as a ZIP file containing a file with a double-extension. Emails sent by the worm have the following characteristics:

Subject line:
Notice: **Last Warning**
*DETECTED* Online User Violation
Your Email Account is Suspended For Security Reasons
Account Alert
Important Notification
*WARNING* Your Email Account Will Be Closed
Security measures
Email Account Suspension
Notice of account limitation

Message body:
Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.

The original message has been included as an attachment.

We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.

We attached some important information regarding your account.

Please read the attached document and follow it's instructions.

Attachment base name:
email-info
email-doc
information
account-details
document
INFO
instructions
info-text
information

First extension (of attachment or of file inside ZIP):
doc
htm
txt

Second extension (of attachment or of file inside ZIP):
pif
scr
exe
cmd
bat

If the attachment is a ZIP file it will have the same base name as the double-extension file inside.

Example attachment names include document.txt.pif and information.doc.cmd, usually with a large number of spaces between the extensions.

W32/Mytob-M copies itself to the Window system folder with the filename "Lien vd Kelder.exe" and sets the following registry entries to run itself on system startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
http://www.lienvandekelder.be
"Lien vd Kelder.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
http://www.lienvandekelder.be
"Lien vd Kelder.exe"

W32/Mytob-M sets the following registry entries, disabling the automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

W32/Mytob-M attempts to terminate a large number of processes related to security and anti-virus programs including REGEDIT.EXE, MSCONFIG.EXE and NETSTAT.EXE.

W32/Mytob-M modifies the Windows hosts file in order to block access to the following security-related websites:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.msn.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.oxyd.fr
127.0.0.1 oxyd.fr
127.0.0.1 www.t35.com
127.0.0.1 t35.com
127.0.0.1 www.t35.net
127.0.0.1 t35.net