W32/Mytob-G

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports


W32/Mytob-G is a mass-mailing worm and backdoor Trojan that targets users of Internet Relay Chat programs.

When first run, W32/Mytob-G copies itself to the Windows system folder as tagmr.exe and creates the following registry entries (key, value name, value data):

HKCU\Software\Microsoft\OLE
Windows Tagmsnger
tagmr.exe

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Windows Tagmsnger
tagmr.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Tagmsnger
tagmr.exe

HKLM\SOFTWARE\Microsoft\Ole
Windows Tagmsnger
tagmr.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Windows Tagmsnger
tagmr.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Tagmsnger
tagmr.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Tagmsnger
tagmr.exe

W32/Mytob-G copies itself to the root folder as:

funny_pic.scr
my_photo2005.scr
see_this!!.scr

and creates the helper file hellmsn.exe (detected by Sophos as W32/Mytob-D) in the same location.

W32/Mytob-G also appends the following to the HOSTS file to deny access to security-related websites:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com
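Added defender-side example, not part of the Sophos description: a Python check that finds the vendor domains the worm points at 127.0.0.1 in a HOSTS file and rewrites the file without them, plus a Windows-only look for the "Windows Tagmsnger" = tagmr.exe Run values listed above. The WATCHED set is a subset of the page's domain list, and SAMPLE_HOSTS is constructed input.

```python
import sys

# Subset of the vendor domains the page says the worm maps to 127.0.0.1; extend it from the list above.
WATCHED = {"www.symantec.com", "sophos.com", "www.sophos.com", "www.mcafee.com",
           "liveupdate.symantec.com", "www.kaspersky.com", "www.trendmicro.com"}
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}  # addresses that silently blackhole a name

def clean_hosts(hosts_text, watched=WATCHED):
    """Return (cleaned_text, hijacks): hijacks is [(line_no, hostname)] for each watched name mapped
    to a sinkhole; cleaned_text drops those names but keeps legitimate names/comments on the same line."""
    kept, hijacks = [], []
    for n, line in enumerate(hosts_text.splitlines(), 1):
        body, _, comment = line.partition("#")
        parts = body.split()
        if len(parts) >= 2 and parts[0] in SINKHOLES:
            bad = [h for h in parts[1:] if h.lower() in watched]
            if bad:
                hijacks += [(n, h) for h in bad]
                good = [h for h in parts[1:] if h.lower() not in watched]
                if not good:
                    continue  # the whole line was injected by the worm; drop it
                line = " ".join([parts[0]] + good) + ("  #" + comment if comment else "")
        kept.append(line)
    return "\n".join(kept) + "\n", hijacks

def check_run_values():
    """On Windows, report 'Windows Tagmsnger' = tagmr.exe in the Run keys the page lists."""
    if sys.platform != "win32":
        return []  # registry check only applies to Windows hosts
    import winreg
    found = []
    for hive, path in [(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run"),
                       (winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
                       (winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices")]:
        try:
            with winreg.OpenKey(hive, path) as key:
                data, _ = winreg.QueryValueEx(key, "Windows Tagmsnger")
            if "tagmr.exe" in str(data).lower():
                found.append((path, data))
        except OSError:  # key or value not present
            pass
    return found

# Constructed sample for this example, not a real infected file.
SAMPLE_HOSTS = """127.0.0.1 localhost
127.0.0.1 www.symantec.com
127.0.0.1 sophos.com www.sophos.com
127.0.0.1 localhost www.mcafee.com  # blackholed by the worm
"""
```

check_run_values returns an empty list on non-Windows systems, so the HOSTS logic can be exercised anywhere; a name mapped to a non-sinkhole address is deliberately not flagged, since the page only describes 127.0.0.1 redirection.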
