W32/Mytob-HF is a mass-mailing worm and IRC backdoor Trojan for the Windows platform.
W32/Mytob-HF runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
Messages sent by the worm will have the following characteristics.
Subject title chosen from:
<random characters>
Message text:
Dear user [recipients user name],
Your account has been flagged for suspicious behavior by our antispam mail relay
Read the attachment for instructions on how to clear your account, failure to comply will result in account termination.
Thank you for using [recipients domain]!
The [recipients domain] Support Team
+++ Scanned with AVG - Attachment Clean
+++ [recipients domain] Antivirus - www.[recipients domain]
Attachment name:
<random characters>
When first run, W32/Mytob-HF copies itself to <System>\plugnplay32.exe.
The following registry entries are created to run plugnplay32.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Plug and Play = plugnplay32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Plug and Play = plugnplay32.exe
W32/Mytob-HF sets the following registry entry, disabling the automatic startup of the SharedAccess service:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start = 4
Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).
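A defender-side check for the persistence and firewall-disabling changes listed above, added here as an example and not code from the advisory. It parses the text that `reg query <key>` prints for the three keys (the column layout of that output is an assumption of this example), flags the "Microsoft Plug and Play" value or any value whose data names plugnplay32.exe, and reports a SharedAccess `Start` of 4. The function names `parse_reg_query` and `mytob_hf_findings` and the sample output are constructed for the example.

```python
"""Flag W32/Mytob-HF persistence and firewall-disabling registry changes.

Added example, not code from the advisory. It parses the text output of
`reg query <key>` (assumed format: an unindented key path line followed by
value lines indented and separated by runs of spaces) and looks for the
three changes the advisory lists. The sample input below is constructed.
"""
import re

# Keys the advisory says the worm writes to (full names as reg query prints them).
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
SHAREDACCESS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
SUSPECT_VALUE_NAME = "microsoft plug and play"   # value name used by the worm
SUSPECT_IMAGE = "plugnplay32.exe"                 # file the worm drops in <System>

# "    <name>    <REG_type>    <data>" -- columns separated by 2+ spaces.
VALUE_LINE = re.compile(r"^\s{2,}(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")


def parse_reg_query(text):
    """Return {key_path: {value_name: (reg_type, data)}} from reg query output."""
    result = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # key path lines are unindented
            current = line.strip()
            result.setdefault(current, {})
            continue
        match = VALUE_LINE.match(line)
        if match and current is not None:
            name, reg_type, data = match.groups()
            result[current][name] = (reg_type, data.strip())
    return result


def mytob_hf_findings(reg_query_text):
    """Return a list of (kind, key, value_name, data) tuples for matching entries."""
    reg = parse_reg_query(reg_query_text)
    findings = []
    for key in RUN_KEYS:
        for name, (_reg_type, data) in reg.get(key, {}).items():
            # Match on either the value name or the dropped file name, so a
            # renamed value still trips the check.
            if name.lower() == SUSPECT_VALUE_NAME or SUSPECT_IMAGE in data.lower():
                findings.append(("persistence", key, name, data))
    start = reg.get(SHAREDACCESS_KEY, {}).get("Start")
    # Start = 4 means the service is disabled; reg query prints DWORDs as hex (0x4).
    if start is not None and start[0] == "REG_DWORD" and int(start[1], 16) == 4:
        findings.append(("icf_disabled", SHAREDACCESS_KEY, "Start", start[1]))
    return findings


# Constructed sample: what the three queries might print on an infected host.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    C:\Program Files\Example\updater.exe
    Microsoft Plug and Play    REG_SZ    plugnplay32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    Microsoft Plug and Play    REG_SZ    plugnplay32.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
    Type    REG_DWORD    0x20
    Start    REG_DWORD    0x4
"""

if __name__ == "__main__":
    for kind, key, name, data in mytob_hf_findings(SAMPLE_REG_QUERY):
        print(f"{kind}: {key}\\{name} = {data}")
```

On a live machine, feed the function the concatenated output of `reg query` for the three keys; matching on the dropped file name as well as the value name means the check still fires if a variant keeps the file but changes the value name.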
W32/Mytob-HF also appends the following to the HOSTS file to deny access to security related websites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com
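A check for this HOSTS tampering, added here as an example rather than taken from the advisory. It parses a HOSTS file, reports every non-localhost name that has been pointed at a loopback address (generalising beyond the fixed list above, since a variant may add other names), rates a hit higher when the name is on the advisory's list, and returns a cleaned copy of the file with the flagged lines removed. The function names `parse_hosts`, `find_hosts_hijacks` and `clean_hosts`, and the sample file, are constructed for the example.

```python
"""Detect and undo W32/Mytob-HF style HOSTS file tampering.

Added example, not code from the advisory. It parses a HOSTS file, flags
every non-localhost name that has been pointed at a loopback address, and
rates a hit higher when the name is on the list the advisory gives. The
sample file below is constructed; on a real host read
%SystemRoot%\\System32\\drivers\\etc\\hosts instead.
"""
import ipaddress

# Names the advisory says the worm appends, each mapped to 127.0.0.1.
MYTOB_HF_HOSTS = frozenset("""
www.symantec.com securityresponse.symantec.com symantec.com www.sophos.com
sophos.com www.mcafee.com mcafee.com liveupdate.symantecliveupdate.com
www.viruslist.com viruslist.com f-secure.com www.f-secure.com kaspersky.com
kaspersky-labs.com www.avp.com www.kaspersky.com avp.com
www.networkassociates.com networkassociates.com www.ca.com ca.com
mast.mcafee.com my-etrust.com www.my-etrust.com download.mcafee.com
dispatch.mcafee.com secure.nai.com nai.com www.nai.com update.symantec.com
updates.symantec.com us.mcafee.com liveupdate.symantec.com
customer.symantec.com rads.mcafee.com trendmicro.com pandasoftware.com
www.pandasoftware.com www.trendmicro.com www.grisoft.com www.microsoft.com
microsoft.com www.virustotal.com virustotal.com www.amazon.com
www.amazon.co.uk www.amazon.ca www.amazon.fr www.paypal.com paypal.com
moneybookers.com www.moneybookers.com www.ebay.com ebay.com
""".split())

# Names that legitimately resolve to loopback and must not be flagged.
LOCAL_NAMES = frozenset({"localhost", "localhost.localdomain", "broadcasthost",
                         "ip6-localhost", "ip6-loopback"})


def parse_hosts(text):
    """Yield (line_no, ip_address, [hostnames]) for each active entry."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()       # drop comments
        if not entry:
            continue
        fields = entry.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:                          # malformed line: skip
            continue
        yield line_no, ip, [name.lower() for name in fields[1:]]


def find_hosts_hijacks(text, watchlist=MYTOB_HF_HOSTS):
    """Return [(line_no, hostname, ip, severity)] for loopback-redirected names."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if not ip.is_loopback:                      # 127.0.0.0/8 or ::1
            continue
        for name in names:
            if name in LOCAL_NAMES:
                continue
            severity = "known-mytob-hf" if name in watchlist else "loopback-redirect"
            findings.append((line_no, name, str(ip), severity))
    return findings


def clean_hosts(text, watchlist=MYTOB_HF_HOSTS):
    """Return the file text with every flagged line removed (restores name resolution)."""
    bad_lines = {line_no for line_no, _, _, _ in find_hosts_hijacks(text, watchlist)}
    kept = [line for line_no, line in enumerate(text.splitlines(), 1)
            if line_no not in bad_lines]
    return "\n".join(kept) + "\n"


# Constructed sample: a normal file with the worm's lines appended.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.example.test   # legitimate internal entry
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.paypal.com
127.0.0.1 updates.vendor.example
"""

if __name__ == "__main__":
    for line_no, name, ip, severity in find_hosts_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} [{severity}]")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Review the "loopback-redirect" hits by hand before writing the cleaned file back, since some environments deliberately sink telemetry or ad domains to loopback; the "known-mytob-hf" hits can be removed as a matter of course.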