W32/Mytob-DH

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports


Sophos's anti-virus products include Genotype™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Mytob-DH (detected as W32/Mytob-Gen) since version 3.94.

W32/Mytob-DH is a mass-mailing worm for the Windows platform.

The worm scans files on the local hard disks for email addresses, and sends an email to those addresses of the following form:
Subject chosen from:
*DETECTED* Online User Violation
<random characters>
EMAIL ACCOUNT SUSPENSION
Important Notification
Members Support
Warning Messasge: Your services near to be closed.
YOU HAVE SUCCESSFULLY UPDATED YOUR PASSWORD
Your Account is Suspended
Your Account is Suspended For Security Reasons
YOUR PASSWORD HAS BEEN SUCCESFULLY UPDATED
Your password has been updated

The From address will be one of the following:
admin@<domain>
administrator@<domain>
info@<domain>
mail@<domain>
register@<domain>
service@<domain>
support@<domain>
webmaster@<domain>
where <domain> is the same as the email address of the recipient. For example, if the email is to bob@example.com, then it would be from admin@example.com.

The message text will be:

---
Dear user <user>,

You have successfully updated the password of your <site> account.

Please view the attached file for more information.

If you did not authorize this change or if you need assistance with your account, please contact <site> customer service at: <from address>

Thank you for using <site>!
The <site> Support Team

Attachment: Scan Complete (0 Virus Found)
+++ <site> Antivirus - www.<domain>
---
Where, for the recipient address bob@example.com, <user> is bob, <site> is Example and <domain> is example.com.
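As an added defender-side example (not code from the Sophos analysis), the following Python flags a message whose sender, subject and body match the lure format described above; the sample message is constructed, and the function and indicator names are my own.

```python
from email import message_from_string
from email.utils import parseaddr

# Subjects and forged sender local-parts exactly as listed above (worm's spelling kept).
SUBJECTS = {
    "*DETECTED* Online User Violation", "EMAIL ACCOUNT SUSPENSION",
    "Important Notification", "Members Support", "Your Account is Suspended",
    "Warning Messasge: Your services near to be closed.", "Your password has been updated",
    "YOU HAVE SUCCESSFULLY UPDATED YOUR PASSWORD", "YOUR PASSWORD HAS BEEN SUCCESFULLY UPDATED",
    "Your Account is Suspended For Security Reasons",
}
SENDER_USERS = {"admin", "administrator", "info", "mail",
                "register", "service", "support", "webmaster"}

def _body_text(msg) -> str:
    # Concatenate all text/plain parts (works for single-part and multipart mail).
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in msg.walk() if p.get_content_type() == "text/plain")

def mytob_dh_indicators(raw: str) -> list:
    """Return the Mytob-DH lure traits found in one RFC 822 message (empty list = none)."""
    msg = message_from_string(raw)
    to_user, _, to_dom = parseaddr(msg.get("To", ""))[1].lower().partition("@")
    from_user, _, from_dom = parseaddr(msg.get("From", ""))[1].lower().partition("@")
    body = _body_text(msg)
    hits = []
    if to_dom and from_dom == to_dom and from_user in SENDER_USERS:
        hits.append("sender is a role account forged at the recipient's own domain")
    if msg.get("Subject", "").strip() in SUBJECTS:
        hits.append("known subject line")
    if to_user and f"Dear user {to_user}," in body:
        hits.append("greeting built from the recipient's local-part")
    if "successfully updated the password of your" in body:
        hits.append("password-update lure text")
    if "Scan Complete (0 Virus Found)" in body:
        hits.append("fake antivirus scan footer")
    return hits

# Constructed sample lure (not a real capture), laid out as the page describes.
SAMPLE_LURE = """\
From: admin@example.com
To: bob@example.com
Subject: Your password has been updated

Dear user bob,
You have successfully updated the password of your Example account.
Attachment: Scan Complete (0 Virus Found)
+++ Example Antivirus - www.example.com
"""
```

A message with several hits is a strong candidate for quarantine; a single hit (for example only the forged same-domain sender) is better treated as a signal to combine with attachment scanning.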

When first run W32/Mytob-DH copies itself to <System>\wpwmgrs.exe.

The following registry entries are created to run wpwmgrs.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wpwmgrs
wpwmgrs.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
wpwmgrs
wpwmgrs.exe

W32/Mytob-DH sets the following registry entry, disabling the automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
