Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Protection available since | 9 May 2005 17:01:43 (GMT) |
| Last updated | 7 February 2006 23:06:52 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
The name W32/Mytob-Fam is used where a file belongs to a particular family of worms, but the variant is not separately identified. Sophos's proactive protection technology will identify such files as a -Fam variant.
- Ensure that you are using the most recent IDE files, as more precise detection could now be available. If necessary, update with the latest IDE files and repeat the scan.
- Please send us a sample to assist in improving our technology.
- Use the instructions for removing generically detected files to delete the file from your computer.
- If you require further assistance with disinfection, contact support.
More Information
W32/Mytob-Fam is a family of mass-mailing worms with IRC backdoor functionality.
Some members of W32/Mytob-Fam also spread across networks by exploiting vulnerabilities including LSASS. The following patches for the operating system vulnerabilities exploited by W32/Mytob-Fam can be obtained from the Microsoft website:
Members of W32/Mytob-Fam usually copy themselves to the Windows system folder and create entries at some of the following locations in the registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\System\CurrentControlSet\Control\Lsa
HKLM\Software\Microsoft\OLE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\System\CurrentControlSet\Control\Lsa
HKCU\Software\Microsoft\OLE
Some members of W32/Mytob-Fam also copy themselves to the root folder, often with files with SCR extensions.
Some members of W32/Mytob-Fam modify the HOSTS file to prevent access to various anti-virus and security-related websites.
Members of W32/Mytob-Fam use their own SMTP engine to send themselves to email addresses harvested from files on the infected computer and from the Windows address book, but usually will avoid addresses containing certain strings.
