W32/Mytob-BC is a mass-mailing worm and IRC backdoor Trojan.
W32/Mytob-BC can harvest email addresses from files on the infected computer and from the Windows address book.
Emails sent by the worm have the following characteristics:
Subject line:
Notice:***Your email account will be suspended***
YOUR EMAIL ACCOUNT ACCESS IS RESTRICTED
Your Email Account is Suspended For Security Reasons
Your email account access is restricted
Notice:**Last Warning**
Email Account Suspension
*IMPORTANT* Your Account Has Been Locked
Security Measures
*IMPORTANT* PLEASE VALIDATE YOUR EMAIL ACCOUNT
<random>
Message body:
Please see the attachment.
please look at attached document.
We have suspended some of your email services, to resolve the problem you should read the attached document.
Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
To unblock your email account acces, please see the attachment.
To safeguard your email account from possible termination, please see the attached file.
Account Information Are Attached!
<random>
When first run, the worm copies itself to <SYSTEM>\1hellbot.exe.
The following registry entries are created to run 1hellbot.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HELLBOT TEST
1hellbot.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HELLBOT TEST
1hellbot.exe
The worm sets the following registry entry to reduce system security (this disables the SharedAccess service, which provides Windows Firewall/Internet Connection Sharing, by setting its start type to 4, i.e. disabled):
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
W32/Mytob-BC blocks access to security-related websites by writing the following entries to the Windows hosts file:
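A defender-side check for the hosts-file tampering described above, as an added example that is not part of this advisory: it parses hosts-file lines and flags any hostname mapped to a loopback address, tagging those that fall under a hypothetical watchlist built from the vendor domains the advisory names. The sample hosts content is constructed.

```python
# Added example, not part of the advisory: parse a Windows hosts file and flag
# hostnames pointed at a loopback address, the technique W32/Mytob-BC uses to
# block security-vendor websites. Pure parsing, so it runs offline anywhere.
import ipaddress

# Hypothetical watchlist built from the vendor domains named in the advisory.
VENDOR_DOMAINS = {"symantec.com", "sophos.com", "mcafee.com", "f-secure.com",
                  "kaspersky.com", "trendmicro.com", "nai.com", "ca.com"}


def parse_hosts(lines: list[str]) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file lines, ignoring comments."""
    pairs = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        fields = line.split()
        if len(fields) < 2:                   # blank, comment-only or malformed
            continue
        ip, *names = fields
        try:
            ipaddress.ip_address(ip)
        except ValueError:                    # first field is not an IP: skip
            continue
        pairs.extend((ip, n.lower().rstrip(".")) for n in names)
    return pairs


def is_vendor_domain(hostname: str) -> bool:
    """True if hostname is, or is a subdomain of, a watched vendor domain."""
    return any(hostname == d or hostname.endswith("." + d) for d in VENDOR_DOMAINS)


def find_sinkholed_hosts(lines: list[str]) -> list[tuple[str, str]]:
    """Hostnames mapped to loopback (other than localhost), tagged 'vendor' or 'other'."""
    hits = []
    for ip, name in parse_hosts(lines):
        if not ipaddress.ip_address(ip).is_loopback:
            continue
        if name == "localhost" or name.endswith(".localhost"):
            continue
        hits.append((name, "vendor" if is_vendor_domain(name) else "other"))
    return hits


# Constructed sample hosts file: two benign default lines, then tampered entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 www.microsoft.com
""".splitlines()
```

Any hit tagged "other" still deserves a look: the advisory's own list includes www.microsoft.com, which is not an anti-virus vendor.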