W32/MyTob!dam

Visible Symptoms

• Damaged version of Mytob variants may arrive in an email as if it were the fully functional worm. However, the file is truncated and cannot run.

Detailed Analysis

• Detected file is no longer infectious and is a damaged version of the 32bit virus - damaged files have major truncation of code and cannot run.
  
  
• Damaged Mytob samples may arrive within an email from infected clients. However, it is important to note that the From  portion of the email address is spoofed.
  
  
• The emails may have the following format:
  
  Possible Subject Lines:
  
  
  • Your password has been updated
  • Your password has been successfully updated
  • You have successfully updated your password
  • Your new account password is approved
  • Your Account is Suspended
  • *DETECTED* Online User Violation
  • Your Account is Suspended For Security Reasons
  • Warning Message: Your services near to be closed.
  • Important Notification
  • Members Support
  • Security measures
  • Email Account Suspension
  • Notice of account limitation
  
  Possible Single-line Body Texts:
  
  
  • Here are your banks documents.
  • The original message was included as an attachment.
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • Mail transaction failed. Partial message is available.
  
  Possible Attachments: [Filename].[Extension]

  [Filename] can be a random string of characters or any of the following:
  
  

  • body
  • data
  • doc
  • document
  • file
  • message
  • readme
  • test
  • text

  [Extension] can be any of the following:
  
  

  • pif
  • scr
  • exe
  • cmd
  • bat
  • zip