W32/Mytob-EC is a worm and IRC backdoor Trojan for the Windows platform.
W32/Mytob-EC runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
When first run W32/Mytob-EC copies itself to <Windows system folder>\memloader.exe.
The following registry entries are created to run memloader.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS SYSTEM MEMORY LOADER
memloader.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS SYSTEM MEMORY LOADER
memloader.exe
W32/Mytob-EC sets the following registry entries, disabling the automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Emails sent by W32/Mytob-EC sends emails in the following format, with details filled in to make the email look more authentic:
Subject line:
"Your password has been updated"
"Your password has been successfully updated"
"You have successfully updated your password"
"Your new account password is approved"
"Your Account is Suspended"
"*DETECTED* Online User Violation"
"Your Account is Suspended For Security Reasons"
"Warning Message: Your services near to be closed."
"Important Notification"
"Members Support"
"Security measures"
"Email Account Suspension"
"Notice of account limitation"
Message text:
"Dear <name> Member,
You have successfully updated the password of your <name> acccount.
If you did not authorize this change or if you need assistance with your account, please contact <name> customer
service
Thank you for using <name>!
The <name> Support Team
+++ Attachment: No Virus (Clean)
+++ <name> Antivirus - www.<name>"
"Dear user <name>,
It has come to our attention that your <name> User Profile ( x ) records are out of date. For further details see
the attached document.
Thank you for using <name>.
The <name> Support Team
+++ Attachment: No Virus (Clean)
+++ <name> Antivirus - www.<name>"
"Dear <name> Member,
We have temporarily suspended your email account <name>.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due
to an internal error within our
processors.
Sincerely,The <name> Support Team
+++ Attachment: No Virus (Clean)
+++ <name> Antivirus - www.<name>"
"Dear <name> Member,
Your e-mail account was used to send a huge amount of unsolicited spam messages
during the recent week. If you
could please take 5-10 minutes out of your online experience and confirm the
attached document so you will not
run into any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to cancel your
membership.
Virtually yours,
The <name> Support Team
+++ Attachment: No Virus (Clean)
+++ <name> Antivirus - www.<name>"
Attached file:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
The attachments have a file extension of .DOC, followed by many spaces, then one of the following so that the file will be executed when opened:
PIF
SCR
EXE
CMD
BAT
W32/Mytob-EC harvests email addresses from files on the infected computer and from the Windows address book as well as the Microsoft Internet Account Manager.
W32/Mytob-EC may also attempt to download files from the Internet and steal system information.
W32/Mytob-EC terminates system and anti-virus related processes including CMD.EXE, TASKMON.EXE and REGEDIT.EXE.
W32/Mytob-EC also appends the following mappings to the HOSTS file to deny
access to trading, financial and security related websites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com
Sophos's anti-virus products include Genotype™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Mytob-EC (detected as W32/Mytob-Fam) since version 3.96.