Win32/Mytob is a family of mass-mailing worms that targets computers running certain versions of Microsoft Windows. The worm can spread by exploiting Windows vulnerabilities that are fixed by installing Microsoft Security Updates MS03-026 and MS04-011. The worm can also spread by sending a copy of itself through e-mail, MSN Messenger, or Windows Messenger.
Win32/Mytob can spread in several ways:
By sending a copy of itself as an e-mail attachment to addresses gathered from an infected computer and from Web site queries.
By sending a copy of itself in a message using MSN Messenger or Windows Messenger.
By copying itself to writeable network shares that have weak passwords.
By exploiting the DCOM RPC buffer overflow vulnerability that is fixed in Microsoft Security Bulletin MS03-026. This vulnerability allows an attacker to send a copy of the worm to other computers and run it there.
By exploiting the LSASS buffer overflow vulnerability that is fixed in Microsoft Security Bulletin MS04-011. This vulnerability allows an attacker to send a copy of the worm to other computers and run it there.
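The mass-mailing route above depends on the recipient opening an executable attachment. As an added illustration of how a mail gateway can screen for that (this is example code written for this page, not Microsoft's or the worm's own code), the block below parses a raw message with Python's standard email package and flags attachments whose file name ends in an executable extension, including the double-extension trick (document.txt.exe). The extension list, the sample message, and the sender and recipient addresses are constructed for the example.

```python
"""Screen an inbound e-mail for the kind of attachment a mass-mailing worm
such as Win32/Mytob relies on: an executable, often behind a double extension.

Added example; not code from the Microsoft write-up. The extension list,
the sample message and all addresses in it are constructed.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows runs directly when the user opens the attachment.
# Constructed/assumed list; extend it to match your mail-gateway policy.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}


def classify_filename(filename):
    """Return a reason string if the attachment name is risky, else None."""
    if not filename:
        return None
    name = filename.lower().strip()
    # Collapse spaces used to push the real extension out of view
    # ("document.txt                .exe").
    parts = [p for p in name.replace(" ", "").split(".") if p]
    if len(parts) < 2:
        return None
    if parts[-1] in EXECUTABLE_EXTS:
        if len(parts) >= 3:
            return "double extension hiding executable (.%s.%s)" % (parts[-2], parts[-1])
        return "executable attachment (.%s)" % parts[-1]
    return None


def screen_message(raw_bytes):
    """Parse a raw RFC 5322 message and return [(filename, reason), ...]
    for every attachment that should be quarantined."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    hits = []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        reason = classify_filename(filename)
        if reason:
            hits.append((filename, reason))
    return hits


def build_sample_message():
    """Constructed sample resembling a mass-mailer message: forged sender,
    short lure text, executable payload behind a double extension, plus one
    harmless text attachment so the screen has something to pass."""
    msg = EmailMessage()
    msg["From"] = "admin@mail.example"      # spoofed sender, as the write-up describes
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Your account has been suspended"
    msg.set_content("Please see the attached document for details.")
    msg.add_attachment(b"MZ\x90\x00placeholder",  # placeholder bytes, not a real binary
                       maintype="application", subtype="octet-stream",
                       filename="account-details.txt.exe")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in screen_message(build_sample_message()):
        print("QUARANTINE %s: %s" % (filename, reason))
```

In a real gateway the same check would run on every part before delivery, and the decision would be logged with the sender and subject so that a burst of identical lures from many internal hosts shows up as an outbreak rather than as isolated spam.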
When Win32/Mytob runs, it may take the following actions on the infected computer:
Copy itself to one or more files.
Modify a number of Windows registry keys.
Connect to an IRC server and channel to receive commands from attackers and allow access to the computer.
Install a rootkit and hide the worm process.
Start MSN Messenger or Windows Messenger in the background, if the program is not already running, and use the Messenger program to spread.
Modify the Windows system hosts file to prevent the computer from accessing certain security-related Web sites.
Gather e-mail addresses from the computer or from Web site queries.
Send e-mail to those addresses, attaching a copy of itself. The e-mail contains a fabricated sender, subject line, message body text, and attachment name. The worm runs when a user opens the e-mail attachment that contains the worm.
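One of the actions listed above, rewriting the hosts file so that security-related sites no longer resolve, is easy to audit from the defender's side. The block below is an added example written for this page (not Microsoft's or the worm's own code): it parses a Windows-style hosts file and reports two kinds of entry, a hostname from a watchlist that should only ever resolve through DNS, and any external hostname pinned to a loopback or null address. The watchlist entries and the sample hosts file are constructed placeholders; in practice the list would hold your update servers, antivirus vendors and security portal.

```python
"""Audit a hosts file for the tampering behaviour described for Win32/Mytob:
security-related hostnames redirected so the machine cannot reach them.

Added example; not code from the Microsoft write-up. The watchlist and the
sample hosts file are constructed for illustration.
"""
import ipaddress

# Hostnames that must never be overridden locally. Constructed/assumed
# examples; replace with your update servers, AV vendors, security portal.
SECURITY_WATCHLIST = {
    "windowsupdate.example",
    "update.av-vendor.example",
    "securityportal.corp.example",
}

# Addresses a hijacked entry typically points at: loopback or null route.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Names that legitimately map to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file.
    Comments (#) and blank lines are skipped; one line may name several hosts."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)      # drop lines whose first field is not an address
        except ValueError:
            continue
        for name in names:
            yield ip, name.lower(), line_no


def audit_hosts(text, watchlist=SECURITY_WATCHLIST):
    """Return [(line_no, hostname, ip, reason), ...] for suspicious mappings.

    Rule 1: a watchlisted host (or a subdomain of one) is mapped at all.
    Rule 2: an external host (has a dot, not a local name) is sent to a
            sinkhole address, which is how a worm blocks vendor sites wholesale.
    """
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name in watchlist or any(name.endswith("." + w) for w in watchlist):
            findings.append((line_no, name, ip, "watchlisted host overridden"))
        elif ip in SINKHOLE_ADDRS and name not in LOCAL_NAMES and "." in name:
            findings.append((line_no, name, ip, "external host sinkholed"))
    return findings


# Constructed sample: what a tampered hosts file might look like.
SAMPLE_HOSTS = """\
# constructed sample hosts file (not taken from a real infected system)
127.0.0.1       localhost
::1             localhost
192.168.1.10    printer.corp.example   # legitimate internal alias
127.0.0.1       windowsupdate.example
0.0.0.0         update.av-vendor.example www.update.av-vendor.example
127.0.0.1       some-other-vendor.example
"""


if __name__ == "__main__":
    for line_no, name, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % (line_no, name, ip, reason))
```

On a Windows host the file to pass in is %SystemRoot%\System32\drivers\etc\hosts; a clean machine normally yields no findings at all, so any hit is worth correlating with the other indicators above (new registry run keys, an unexpected outbound IRC connection, a Messenger process that nobody started).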