Worm:Win32/Mytob.RW

Worm:Win32/Mytob.RW is a member of Win32/Mytob - a family of worms that spreads in a variety of ways. The worm can spread by exploiting several known Windows vulnerabilities, via fixed or removable drives, or by sending a copy of itself via email, Windows Live Messenger, or Windows Messenger.

When executed, Worm:Win32/Mytob.RW copies itself to the following locations:

• c:\recycler\s-1-5-21-1482476501-1644491937-6820033³0-1013\postcard.exe
• c:\recycler\s-1-5-21-1482476501-1644491937-682003330-1013\postcard.exe

As a part of its installation process, the malware may modify the following registry entry in order to run at system start:

Adds value: StubPath
With data: "c:\recycler\s-1-5-21-1482476501-1644491937-682003330-1013\postcard.exe"
To subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}

The malware creates the following files on an affected computer:

The malware utilizes code injection in order to hinder detection and removal. When Worm:Win32/Mytob.RW executes, it may inject code into running processes, including the following, for example:

Removable drives

Worm:Win32/Mytob.RW copies itself to the following locations on removable drives:

• <targeted drive>:\recycler\s-1-5-21-1482476501-1644491937-6820033³0-1013\postcard.exe
• <targeted drive>:\recycler\s-1-5-21-1482476501-1644491937-682003330-1013\postcard.exe

It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files contain execution instructions for the operating system, so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.

Note: This worm was observed to write an executable and create an autorun.inf file on a targeted drive in our automated testing environment. This is particularly common malware behavior, generally utilized in order to spread malware from computer to computer.

It should also be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.

The malware may also create the following files on targeted drives when spreading:

• <targeted drive>:\recycler\s-1-5-21-1482476501-1644491937-6820033³0-1013\desktop.ini
• <targeted drive>:\recycler\s-1-5-21-1482476501-1644491937-682003330-1013\desktop.ini

Peer-to-Peer file sharing
The malware may attempt to spread via Peer-to-Peer(P2P) file sharing by copying itself to the shared folders of particular P2P file sharing applications. The worm copies itself to the shared folders of these applications using file names designed to entice other users of the file sharing network into downloading and running copies of the worm.

The following table details this behavior:

 

If the following programs are installed:	Then the malware may copy itself to the following folders:	Using one of the following file names:
eMule grokster kazaa limewire Morpheus Tesla WinMX	%programfiles%\emule\incoming\ %programfiles%\grokster\my grokster\ %programfiles%\kazaa lite k++\my shared folder\ %programfiles%\kazaa lite\my shared folder\ %programfiles%\kazaa\my shared folder\ %programfiles%\limewire\shared\ %programfiles%\morpheus\my shared folder\ %programfiles%\tesla\files\ %programfiles%\winmx\shared\	absolute video converter 3.07.exe acker dvd ripper 2008.exe adobe acrobat reader keygen.exe adobe soundbooth cs3.exe anti-trojan elite v4.01.exe aol password cracker.exe ashampoo powerup v3.10.exe bitdefender antivirus 2008 keygen.exe boilsoft dvd ripper 2.82.exe canvas security framework 2008 limited with 50 0day.exe cleanmypc registry cleaner v4.02.exe daemon tools pro 4.10.218.0.exe divx 5.0 pro keygen.exe download boost 2.0.exe email spider.exe error doctor 2008.exe google adsense clicking bot.sfx.exe hotmail account bruteforcer bot.exe hotmail spammer bot.exe icepack idt gold edition 2008 leaked.exe microsoft visual basic keygen.exe microsoft visual c++ keygen.exe microsoft visual studio keygen.exe mirc keygen.exe norton anti-virus 2008 enterprise crack.exe password cracker.exe pc secuity tweaker 7.6.exe prorat 2.0 special edition.exe shadow security scanner 10 gold.exe sophos antivirus updater bypass.exe super utilities pro 2008 8.0.1980.exe superram 5.1.28.2008.exe tarantula full version cracked by razor.exe tcn iso cable modem hacking tools.exe tcn iso sigmax2 firmware.bin.exe vmware esx gsx server keygen.exe vmware keygen.exe vmware workstation 6 windows keygen.exe windows 2003 advanced server keygen.exe wow glider incl serial.sfx.exe youtube music downloader 1.0.exe yzdock machintos osx like toolbar for windows.exe

Allows backdoor access and control

Worm:Win32/Mytob.RW attempts to connect to an IRC server at sco.rs-forum.biz via TCP port 6667, join a channel and wait for commands. Using this backdoor, an attacker can perform a number of actions on an affected computer. For example, an attacker may be able to perform the following actions:

This malware description was produced and published using our automated analysis system's examination of file SHA1 c813fd341a74c72cf7c86d27520ef4cfc39efea4.