W32/MyTob.MZ@mm

Alias/es: Email-Worm.Win32.Doombot.a [KAV], W32.Mytob.KR@mm [NAV], W32/Mytob-EY [Sophos], W32/MyTob.EY-mm, W32/Mytob.gl@MM [McAfee], W32/MyTob.MZ@mm, W32/Mytob.MZ@mm [F-Prot], WORM_MYTOB.LM [Trend]
Release Date: May 12, 2006
Detection Availability (Active Database / Extended Database):
  FortiGate: low / high
  FortiClient:
  FortiMail: N/A
Current Antivirus Definition Database Version: 12.202
Description

Visible Symptoms

  • Security, antivirus and debugging programs and services terminate suddenly after an email attachment is opened

  • The file "winsvc.exe" is created in the System32 folder

  • Various security websites cannot be reached after infection

  • High CPU usage on an infected system, caused by the worm's routines

Detailed Analysis

This threat is a 32-bit executable file.

Network/Internet:

  • It spreads through mass-emailing

Files:

  • Copies itself to the system
  • Installation to System:

    • When run, it copies itself to:
      %SystemRoot%\%WinDir%\winsvc.exe
    • And creates these registry entries:
      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WINDOWS SVC
      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\WINDOWS SVC

Spreading in e-mails:

  • Emails it generates use one of the following subjects, chosen at random:
    Important Notification
    Notice of account limitation
    You have successfully updated your password
    Your Account is Suspended
    Your password has been successfully updated
  • Emails it generates use one of the following attachment names:
    password.zip
    important-details.zip
    email-password.zip
    account-report.zip
    account-info.zip
    account-details.zip
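As an added defender-side example (not part of the Fortinet description), the Python below checks a message's subject and attachment name against the lists above and scans a constructed .reg export for the "WINDOWS SVC" persistence value under the Run/RunServices keys. Case-insensitive matching and the value data "winsvc.exe" are assumptions.

```python
import re

# Indicators taken from the description above. Assumption: match case-insensitively.
SUBJECTS = {
    "important notification",
    "notice of account limitation",
    "you have successfully updated your password",
    "your account is suspended",
    "your password has been successfully updated",
}
ATTACHMENTS = {
    "password.zip", "important-details.zip", "email-password.zip",
    "account-report.zip", "account-info.zip", "account-details.zip",
}
RUN_KEYS = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
}

def mail_matches(subject, attachment):
    """Return the indicator types that matched: 'subject', 'attachment', both or none."""
    hits = []
    if subject.strip().lower() in SUBJECTS:
        hits.append("subject")
    if attachment.strip().lower() in ATTACHMENTS:
        hits.append("attachment")
    return hits

def registry_hits(reg_export):
    """Scan a .reg export for the 'WINDOWS SVC' value under the Run/RunServices keys."""
    hits, current = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        m = re.match(r"\[(?:HKEY_LOCAL_MACHINE|HKLM)\\(.+)\]$", line)
        if m:                       # start of a new key section
            current = "HKLM\\" + m.group(1)
        elif current in RUN_KEYS and line.upper().startswith('"WINDOWS SVC"='):
            hits.append(current + r"\WINDOWS SVC")
    return hits

# Constructed sample .reg export (value data "winsvc.exe" is an assumption).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDOWS SVC"="winsvc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WINDOWS SVC"="winsvc.exe"
"""
```

A mail gateway rule would normally quarantine on an attachment-name hit alone; the subject match is a weaker, supporting signal.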

Description Last Updated Date: Mar 13, 2007
Reference: ID - 99364