W32/MyTob.MZ@mm - Released Oct 15, 2005 - Last Updated Mar 13, 2007
Aliases: Email-Worm.Win32.Doombot.a [KAV], W32.Mytob.KR@mm [NAV], W32/Mytob-EY [Sophos], W32/MyTob.EY-mm, W32/Mytob.gl@MM [McAfee], W32/MyTob.MZ@mm, W32/Mytob.MZ@mm [F-Prot], WORM_MYTOB.LM [Trend]
Detection Availability
Visible Symptoms
- Security, antivirus and debugging programs and services suddenly terminate after an email attachment is opened
- Creation of the file "winsvc.exe" in the System32 folder
- Unable to connect to various security websites after infection
- High CPU usage caused by the worm's routines running on an infected system
Detailed Analysis
This threat is a 32-bit executable file.

Network/Internet:
- It spreads through mass-emailing

Files:
- Copies itself to the system

Installation to System:
- When run, it copies itself to:
  %SystemRoot%\%WinDir%\winsvc.exe
- And creates these registry entries:
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WINDOWS SVC
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SVC

Spreading in e-mails:
- Emails it generates use one of the following subjects, chosen at random:
  Important Notification
  Notice of account limitation
  You have successfully updated your password
  Your Account is Suspended
  Your password has been successfully updated
- Emails it generates use one of the following attachment names:
  password.zip
  important-details.zip
  email-password.zip
  account-report.zip
  account-info.zip
  account-details.zip
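As an added triage example (not Fortinet's code), the following Python turns the indicators in this entry into two checks: one over mail subject/attachment pairs, one over a host's autorun entries and System32 listing. The sample messages, registry entries and file list are constructed for the demo.

```python
"""Triage helpers built from the W32/MyTob.MZ@mm indicators listed above.
Added example, not part of the Fortinet entry; sample data is constructed."""
import ntpath

# Lure subjects and attachment names from the entry (compared case-insensitively)
SUBJECTS = {
    "important notification",
    "notice of account limitation",
    "you have successfully updated your password",
    "your account is suspended",
    "your password has been successfully updated",
}
ATTACHMENTS = {
    "password.zip", "important-details.zip", "email-password.zip",
    "account-report.zip", "account-info.zip", "account-details.zip",
}
# Persistence indicators: the Run/RunServices value "WINDOWS SVC" and the dropped file
RUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runservices",
}
RUN_VALUE = "windows svc"
DROPPED_FILE = "winsvc.exe"


def score_email(subject, attachments):
    """Return the matched mail indicators for one message (empty list = no match)."""
    hits = []
    if subject.strip().lower() in SUBJECTS:
        hits.append("subject")
    for name in attachments:
        if name.strip().lower() in ATTACHMENTS:
            hits.append("attachment:" + name)
    return hits


def check_host(run_entries, system32_files):
    """run_entries: (key, value_name, data) tuples; system32_files: file names."""
    hits = []
    for key, value_name, data in run_entries:
        if key.lower() in RUN_KEYS and value_name.lower() == RUN_VALUE:
            hits.append(f"autorun:{key}\\{value_name}={data}")
        elif ntpath.basename(data).lower() == DROPPED_FILE:
            hits.append("autorun-path:" + data)  # same dropper under another value name
    if any(f.lower() == DROPPED_FILE for f in system32_files):
        hits.append("file:" + DROPPED_FILE)
    return hits


# Constructed sample data: one lure, one benign message, one autorun hit
SAMPLE_RUN = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "WINDOWS SVC",
     r"C:\WINDOWS\system32\winsvc.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SoundMax",
     r"C:\Program Files\SoundMax\smax.exe"),
]
SAMPLE_SYSTEM32 = ["kernel32.dll", "winsvc.exe"]
```

Registry key, value name and file name comparisons are case-insensitive because Windows treats them that way; subject matching is exact after trimming, so partial or rephrased lures are not flagged.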
Recommended Action
FortiGate systems:
- Check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed; if required, enable the "Allow Push Update" option.