Sophos's anti-virus products include Genotype™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Mytob-DC (detected as W32/Mytob-Fam) since version 3.94.
W32/Mytob-DC is a mass-mailing worm with backdoor functionality for the Windows platform.
W32/Mytob-DC runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Mytob-DC spreads by exploiting computers vulnerable to the LSASS vulnerability (MS04-011) and by sending itself as an email attachment. Emails sent by the worm have the following characteristics:
Subject:
Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
Good day
Body:
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The original message was included as an attachment.
Here are your banks documents.
Attachment filenames:
body
message
test
data
file
text
readme
document
When first run, W32/Mytob-DC copies itself to:
\mypic003.scr
\mypic004.scr
\mypic005.scr
<Windows system folder>\taskgmrr.exe
and creates the file \mngr32.exe.
The file mngr32.exe is detected as W32/Mytob-D.
The following registry entries are created to run taskgmrr.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK32
taskgmrr.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINTASK32
taskgmrr.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINTASK32
taskgmrr.exe
Registry entries are set as follows:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK32
taskgmrr.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK32
taskgmrr.exe
HKCU\Software\Microsoft\OLE
WINTASK32
taskgmrr.exe
HKLM\SOFTWARE\Microsoft\Ole
WINTASK32
taskgmrr.exe
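As an added example (not Sophos's code), the following Python checks a Windows registry export (`reg export` .reg text) for the WINTASK32 = taskgmrr.exe values under the keys listed above; the export text it runs over is constructed for illustration.

```python
import re
# Registry keys named in the write-up; compared case-insensitively, as the registry is.
MYTOB_DC_KEYS = {k.lower() for k in (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole",
)}
VALUE_NAME, VALUE_DATA = "WINTASK32", "taskgmrr.exe"
# Constructed sample of a `reg export` file: two keys carry the worm's value, one does not.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
"WINTASK32"="taskgmrr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleSync"="C:\\Users\\user\\AppData\\Local\\Example\\sync.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"WINTASK32"="C:\\WINDOWS\\system32\\taskgmrr.exe"
'''

def parse_reg_export(text):
    """Parse [key] headers and "name"="data" string values of a .reg export
    into {key: {name: data}}; REG_SZ values are all this check needs."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            keys.setdefault(current, {})
            continue
        value = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if value and current is not None:
            # .reg files escape backslashes and double quotes with a backslash
            data = value.group(2).replace("\\\\", "\\").replace('\\"', '"')
            keys[current][value.group(1)] = data
    return keys

def find_mytob_dc_persistence(reg_text):
    """Return the listed keys whose WINTASK32 value names taskgmrr.exe (bare or full path)."""
    return [key for key, values in parse_reg_export(reg_text).items()
            if key.lower() in MYTOB_DC_KEYS
            and values.get(VALUE_NAME, "").lower().endswith(VALUE_DATA)]
```

On a live host the same function can be fed the output of `reg export` for each listed key; the value name alone is not proof of infection, so confirm the file it points at before acting.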
The following patches for the operating system vulnerabilities exploited by W32/Mytob-DC can be obtained from the Microsoft website:
MS04-011