Search Solo Products, Services and others Overview of the Site Design and Build a Career Contact us for customer service and other feedback info SRN Micro Privacy Statement

 


MYTOB VARINATS SPREADS IN THE WILD

Virus Name  : W32/Mytob.gen

Alias             : W32/Mydoom.gen@MM, W32.Mytob.C@mm, W32/Mytob-KD, WORM_MYDOOM.GEN, I-Worm/Mydoom

Virus type    : Internet Worm

Threat level : Medium

Virus details :

                     Mytob is a mass mailing worm, uses e-mail addresses collected from the infected system to distribute infected messages. It also spreads using the DCOM RPC vulnerability and the Microsoft Windows Local Security Authority Service Remote Buffer Overflow vulnerability. The infected attachment name, subject and message body is randomly chosen by the worm. 

                     The infected mail from address prefix will be one of the following. "adam, alex, alice, andrew, anna, bill, bob, brenda, brent, brian, claudia, dan, dave, david, debby, fred, george, helen, jack, james, jane, jerry, jim, jimmy, joe, john, jose, julie, kevin, leo, linda, maria, mary, matt, michael, mike, peter, ray, robert, sam, sandra, serg, smith, stan, steve, ted, tom"

                     The infected mail from address suffix will be one of the following. "aol.com, cia.gov, fbi.gov, hotmail.com, juno.com, msn.com, or yahoo.com."

The message body will be

The original message was included as an attachment.

"Mail transaction failed. Partial message is available."

"The message contains Unicode characters and has been sent as a binary
attachment."

"The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment."

"I have received your document. The corrected document is attached."

                     When the infected file is executed, copies itself to Windows System folder as msnmsgs.exe file in the background. It also drops hellmsn.exe, funny pic.scr, photo album.scr and eminem vs 2pac.scr in the infected system.

                     W32.Mytob modifies registry run section to load automatically on the next startup. The registry modification is given below.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "MSN MESSENGER" = "msnmsgs.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"MSN MESSENGER" = "msnmsgs.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"MSN MESSENGER" = "msnmsgs.exe"

                     W32.Mytob.gen uses its own SMTP engine to send infected mails. It also blocks access to antivirus software sites. Mytob opens a back door on TCP port 10087.This worm is also known as W32/Mydoom.gen@MM, W32.Mytob.C@mm, W32/Mytob-KD, WORM_MYDOOM.GEN, I-Worm/Mydoom.

How can I protect my system?

                   Solo has incorporated W32.Mytob.gen in its signature file to protect users from this worm attack. Solo antivirus registered users are already protected from this worm. Make sure that you have installed registered version of Solo Antivirus to protect your system from all virus threats.

How to remove this Worm?

                   Solo antivirus can detect and remove W32.Mytob.U@mm aka W32/Mytob.gen safely. If you are already infected with this Worm, you can remove it from your computer using Solo Antivirus software.  Use the following link to Download 30 day trial version of Solo antivirus to remove viruses from your computer.

                   Solo anti-virus not only scans for all viruses, it contains a unique System Integrity Checker to protect you from New Internet Worms, Backdoors and malicious VB, Java Scripts. It also effectively removes all existing Internet Worms, File viruses, malicious VB, Java scripts, Trojans, Backdoors, boot sector, partition table and macro viruses.

You can purchase Solo antivirus using the link