W32/MyTob.AS@mm

Alias/esNet-Worm.Win32.Mytob.bk [KAV], W32.Mytob.ED@mm [NAV], W32/MyTob.AS@mm, W32/Mytob.ch@MM [McAfee], W32/MyTob.FK-mm, W32/Mytob.FK@mm [F-Prot], WORM_MYTOB.EE [Trend]
Release DateMay 12, 2006
Detection Availability
Active DatabaseExtended Database
FortiGatelowhigh
FortiClient
FortiMailN/A
Current Antivirus Definition Database Version: 12.338
Description

Visible Symptoms

  • Possible firewall alert that an executable attempting to connect to the Internet and function as a server

  • Possible termination of the firewall or other security application, including Antivirus monitors

  • Compromised systems may be slow to respond due to heavy outbound traffic on TCP port 445 with other machines

  • Creation of files onto the local system in root of the active drive and also commonly into the System32 folder. The names of the files dropped may have .SCR or .PIF file extensions

     

Detailed Analysis

This variant of the MyTob family varies slightly among its family. All MyTob viruses follow a similar scheme:

  • copy itself to the local system

  • search for email addresses in files

  • send itself by SMTP [self contained engine]

  • connect with an IRC server to receive instructions or await commands from a malicious user

  • prevent the infected system from connecting to update servers and various other security related web pages - this is done by hacking the local "hosts" file and adding entries redirecting the call to specific web sites by domain name to the local host

The variants will differ slightly with regard to packed file size and actual file names created on the host however the functionality of the viruses remain the same.

Description Last Updated Date: Mar 13, 2007
Reference: ID - 72365