Worm:Win32/Mytob.RQ is a member of
Win32/Mytob - a family of worms that spreads in a variety of ways. The worm can spread by exploiting several known Windows vulnerabilities, via fixed or removable drives, or by sending a copy of itself via email, Windows Live Messenger, or Windows Messenger.
Installation
When executed, Worm:Win32/Mytob.RQ copies itself to the <system folder> using a variable file name, for example: fopxdq.exe
The malware creates the following files on an affected computer:
Spreads via…
Peer-to-Peer file sharing
Worm:Win32/Mytob.RQ may attempt to spread via Peer-to-Peer (P2P) file sharing by copying itself to the shared folders of particular P2P file sharing applications. The worm copies itself to the shared folders of these applications using file names designed to entice other users of the file sharing network into downloading and running copies of the worm.
The following table details this behavior:
If the following programs are installed:
- eMule
- grokster
- kazaa
- limewire
- Morpheus
- Tesla
- WinMX
Then the malware may copy itself to the following folders:
- %programfiles%\emule\incoming\
- %programfiles%\grokster\my grokster\
- %programfiles%\kazaa lite k++\my shared folder\
- %programfiles%\kazaa lite\my shared folder\
- %programfiles%\kazaa\my shared folder\
- %programfiles%\limewire\shared\
- %programfiles%\morpheus\my shared folder\
- %programfiles%\tesla\files\
- %programfiles%\winmx\shared\
Using one of the following file names:
- absolute video converter 3.07.exe
- acker dvd ripper 2008.exe
- adobe acrobat reader keygen.exe
- adobe soundbooth cs3.exe
- anti-trojan elite v4.01.exe
- aol password cracker.exe
- ashampoo powerup v3.10.exe
- bitdefender antivirus 2008 keygen.exe
- boilsoft dvd ripper 2.82.exe
- canvas security framework 2008 limited with 50 0day.exe
- cleanmypc registry cleaner v4.02.exe
- daemon tools pro 4.10.218.0.exe
- divx 5.0 pro keygen.exe
- download boost 2.0.exe
- email spider.exe
- error doctor 2008.exe
- google adsense clicking bot.sfx.exe
- hotmail account bruteforcer bot.exe
- hotmail spammer bot.exe
- icepack idt gold edition 2008 leaked.exe
- microsoft visual basic keygen.exe
- microsoft visual c++ keygen.exe
- microsoft visual studio keygen.exe
- mirc keygen.exe
- norton anti-virus 2008 enterprise crack.exe
- password cracker.exe
- pc secuity tweaker 7.6.exe
- prorat 2.0 special edition.exe
- shadow security scanner 10 gold.exe
- sophos antivirus updater bypass.exe
- super utilities pro 2008 8.0.1980.exe
- superram 5.1.28.2008.exe
- tarantula full version cracked by razor.exe
- tcn iso cable modem hacking tools.exe
- tcn iso sigmax2 firmware.bin.exe
- vmware esx gsx server keygen.exe
- vmware keygen.exe
- vmware workstation 6 windows keygen.exe
- windows 2003 advanced server keygen.exe
- wow glider incl serial.sfx.exe
- youtube music downloader 1.0.exe
- yzdock machintos osx like toolbar for windows.exe
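As an added example (not part of this description or of any vendor tooling), the check below walks the P2P shared folders listed above and flags files that carry one of the lure names or that hash to the analysed sample's SHA1. It takes the %programfiles% root as a parameter, so it can be pointed at a mounted image or a constructed test tree; only a few of the 42 lure names are included.

```python
# Added example, not part of the original description: check the P2P shared
# folders listed above for the lure file names Mytob.RQ drops there, and for
# the analysed sample's SHA1. Only a few of the 42 lure names are included.
import hashlib
import os
import tempfile
from pathlib import Path

# Shared folders from the description, relative to %programfiles%.
P2P_SHARE_DIRS = [
    r"emule\incoming", r"grokster\my grokster",
    r"kazaa lite k++\my shared folder", r"kazaa lite\my shared folder",
    r"kazaa\my shared folder", r"limewire\shared",
    r"morpheus\my shared folder", r"tesla\files", r"winmx\shared",
]
# Subset of the lure names from the description, lower-cased for matching.
LURE_NAMES = {
    "adobe acrobat reader keygen.exe", "hotmail spammer bot.exe",
    "password cracker.exe", "vmware keygen.exe",
}
# SHA1 of the analysed file, quoted from the description.
SAMPLE_SHA1 = "99a0b0b300f28c51b1f370025be9ccf182778b8f"

def scan_shares(program_files):
    """Return sorted (relative path, reasons) for suspicious files in the shares."""
    hits = []
    for rel in P2P_SHARE_DIRS:
        folder = Path(program_files) / rel.replace("\\", os.sep)
        if not folder.is_dir():
            continue
        for entry in sorted(p for p in folder.iterdir() if p.is_file()):
            reasons = []
            if entry.name.lower() in LURE_NAMES:
                reasons.append("lure-name")
            if hashlib.sha1(entry.read_bytes()).hexdigest() == SAMPLE_SHA1:
                reasons.append("known-sha1")
            if reasons:
                hits.append((entry.relative_to(program_files).as_posix(), reasons))
    return hits

def demo():
    """Constructed fixture: a fake %programfiles% with one lure and one clean file."""
    root = tempfile.mkdtemp()
    share = Path(root) / "kazaa" / "my shared folder"
    share.mkdir(parents=True)
    (share / "VMware Keygen.exe").write_bytes(b"constructed, not the sample")
    (share / "holiday.jpg").write_bytes(b"clean file")
    return scan_shares(root)
```

On a live Windows host, pass os.environ["ProgramFiles"] as the root; a name match alone is only a lead, so quarantine and hash the file rather than relying on the name.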
Payload
Allows backdoor access and control
Worm:Win32/Mytob.RQ attempts to connect to an IRC server at sco.rs-forum.biz via TCP port 6667, join a channel and wait for commands. Using this backdoor, an attacker may be able to perform actions on an affected computer such as the following:
- Download and execute arbitrary files
- Upload files
- Spread to other computers using various methods of propagation
- Log keystrokes or steal sensitive data
- Modify system settings
- Run or terminate applications
- Delete files
This malware description was produced and published using our automated analysis system's examination of file SHA1 99a0b0b300f28c51b1f370025be9ccf182778b8f.