Win32.Worm.Mytob.BC
( Net-Worm.Win32.Mytob.bc, W32/Mytob-CP )
Spreading: very low
Damage: very low
Size: 60 KB
Discovered: 2005 May 31
SYMPTOMS:
- Anti-virus/firewall is disabled
- File: LIEN VAN DE KELDERRR.EXE in the Windows System32 directory
- File: HOSTS overwritten to block access to some antivirus sites
TECHNICAL DESCRIPTION:
The worm comes by mail with the following characteristics:
From: spoofed
Subject: one of the following:
- Notice: **Last Warning**
- *DETECTED* Online User Violation
- Your Email Account is Suspended For Security Reasons
- Account Alert
- Important Notification
- *WARNING* Your Email Account Will Be Closed
- Security measures
- Email Account Suspension
- Notice of account limitation
Body: one of the following:
- Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
- The original message has been included as an attachment.
- We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.
- We attached some important information regarding your account.
- Please read the attached document and follow it's instructions.
Attachment: one of the following:
- email-info
- email-doc
- information
- account-details
- document
- INFO
- instructions
- info-text
- information
with an executable extension (EXE, PIF or SCR).
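The mail characteristics listed above can be turned into a simple gateway or mailbox triage check. The following is an added example, not BitDefender code: the function names, the sample addresses and the constructed test message are assumptions, and the indicator lists are taken from this description.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the description above (compared case-insensitively).
SUBJECTS = {
    "notice: **last warning**",
    "*detected* online user violation",
    "your email account is suspended for security reasons",
    "account alert",
    "important notification",
    "*warning* your email account will be closed",
    "security measures",
    "email account suspension",
    "notice of account limitation",
}
ATTACH_NAMES = {"email-info", "email-doc", "information", "account-details",
                "document", "info", "instructions", "info-text"}
EXEC_EXTS = {"exe", "pif", "scr"}

def suspicious_attachments(msg):
    """Return attachment filenames with a listed base name and an EXE/PIF/SCR extension."""
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        base, _, ext = name.lower().rpartition(".")
        # Assumption: also tolerate an inner extension such as "document.txt.scr".
        if ext in EXEC_EXTS and base.split(".")[0] in ATTACH_NAMES:
            hits.append(name)
    return hits

def score_message(raw_bytes):
    """Parse a raw RFC 5322 message and report which indicators it matches."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    return {"subject_match": subject in SUBJECTS,
            "attachments": suspicious_attachments(msg)}

def build_sample(subject, filename):
    """Constructed test message; the attachment payload is inert placeholder bytes."""
    m = EmailMessage()
    m["From"] = "admin@example.com"   # constructed address
    m["To"] = "user@example.com"      # constructed address
    m["Subject"] = subject
    m.set_content("We attached some important information regarding your account.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A subject match alone is weak evidence; the attachment name plus executable extension is the stronger signal, and executable attachments are worth blocking regardless of name.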
The worm also behaves as a backdoor, using the IRC protocol.
Removal instructions:
Let BitDefender delete all files found infected with this worm.
ANALYZED BY:
BitDefender Virus Research Team