W32/Mytob-P is a mass-mailing worm and IRC backdoor Trojan.
W32/Mytob-P spreads by sending itself as an email attachment to email addresses it harvests from the infected computer. The worm sets up an IRC backdoor allowing remote intruders unauthorised control of the infected computer.
W32/Mytob-P sends emails with the following characteristics:
Subject line:
Notice: **Last Warning**
*DETECTED* Online User Violation
Your Email Account is Suspended For Security Reasons
Account Alert
Important Notification
*WARNING* Your Email Account Will Be Closed
Security measures
Email Account Suspension
Notice of account limitation
Message text:
Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
The original message has been included as an attachment.
We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.
We attached some important information regarding your account.
Please read the attached document and follow it's instructions.
When first run, W32/Mytob-P copies itself to <System>\Lientjeuh.exe, where <System> is the Windows system folder (for example C:\Windows\System32).
The following registry values are created so that Lientjeuh.exe runs at startup. Note that the value name is the string "http://www.lienvandekelder.be" and the value data is the filename; the RunServices key is only honoured by Windows 95/98/ME, the Run key by all versions:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  http://www.lienvandekelder.be = Lientjeuh.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  http://www.lienvandekelder.be = Lientjeuh.exe
W32/Mytob-P sets the following registry value, which disables the Windows Firewall/Internet Connection Sharing service (SharedAccess; a Start value of 4 means the service is disabled and will not be started):
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
  Start = 4
W32/Mytob-P modifies the HOSTS file (%SystemRoot%\System32\drivers\etc\hosts), adding hostname-to-IP mappings that point selected security-vendor and Microsoft sites at the loopback address 127.0.0.1. Because HOSTS is consulted before DNS, browser access and automatic updates for these sites fail on the infected computer:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.msn.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.oxyd.fr
127.0.0.1 oxyd.fr
127.0.0.1 www.t35.com
127.0.0.1 t35.com
127.0.0.1 www.t35.net
127.0.0.1 t35.net
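The HOSTS hijack above is easy to check for and undo by hand, but a parser is more reliable than eyeballing the file, because HOSTS allows tabs, trailing comments and several names on one line, and an entry pointing at 0.0.0.0 or ::1 is just as effective as one pointing at 127.0.0.1. The following is an added example, not Sophos's code: it parses a HOSTS file, flags any of the listed vendor domains (or their subdomains) that resolve to a black-hole address, and rebuilds the file without them while keeping unrelated entries on the same line. The sample HOSTS content is constructed for the demonstration; the domain list is the set of apex domains from the description.

```python
"""Detect and undo a HOSTS-file hijack of security-vendor sites.

Added example, not Sophos's code. VENDOR_DOMAINS is taken from the
W32/Mytob-P description; SAMPLE_HOSTS is constructed for the demo.
"""
import ipaddress

# Apex domains of the sites the worm maps to 127.0.0.1.
VENDOR_DOMAINS = {
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "kaspersky-labs.com",
    "avp.com", "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com", "grisoft.com", "microsoft.com", "msn.com",
    "virustotal.com", "oxyd.fr", "t35.com", "t35.net",
}

# Any of these makes a name resolve to nowhere useful.
BLACKHOLE_NETS = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/32"),
    ipaddress.ip_network("::1/128"),
)


def is_blackhole(addr: str) -> bool:
    """True for loopback or the unspecified address; False if addr is not an IP."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in BLACKHOLE_NETS)


def is_vendor_host(host: str) -> bool:
    """True if host is one of the listed domains or a subdomain of one."""
    h = host.lower().rstrip(".")
    return h in VENDOR_DOMAINS or any(h.endswith("." + d) for d in VENDOR_DOMAINS)


def parse_hosts(text: str):
    """Yield (lineno, addr, [hostnames]) for every effective HOSTS entry.

    Blank lines, whole-line and trailing '#' comments, and tab or space
    separators are handled; a line with fewer than two fields is skipped,
    as the resolver skips it too.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        yield lineno, fields[0], fields[1:]


def find_hijacks(text: str):
    """Return [(lineno, addr, host)] for vendor hosts pointed at a black-hole address."""
    hits = []
    for lineno, addr, hosts in parse_hosts(text):
        if is_blackhole(addr):
            hits.extend((lineno, addr, h) for h in hosts if is_vendor_host(h))
    return hits


def clean_hosts(text: str) -> str:
    """Return the file with the hijacked names removed.

    A line that only carried hijacked names is dropped; a line that mixes a
    hijacked name with legitimate ones (e.g. the user's own ad-blocking entry)
    is rebuilt with just the legitimate names. Everything else is untouched.
    """
    bad = {(ln, h) for ln, _, h in find_hijacks(text)}
    out = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        flagged = {h for h in fields[1:] if (lineno, h) in bad}
        if not flagged:
            out.append(raw)
            continue
        keep = [h for h in fields[1:] if h not in flagged]
        if keep:
            out.append(f"{fields[0]} {' '.join(keep)}")
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


# Constructed sample: a header, the localhost entry, the worm's additions
# (one tab-separated, two pointed at 0.0.0.0) and two entries of the user's own.
SAMPLE_HOSTS = """\
# Constructed HOSTS file for the demo
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1\tliveupdate.symantecliveupdate.com   # tab-separated
0.0.0.0 www.sophos.com sophos.com
10.0.0.5 intranet.example.internal
0.0.0.0 www.mcafee.com ads.example.test
127.0.0.1 www.virustotal.com
"""

if __name__ == "__main__":
    for lineno, addr, host in find_hijacks(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {addr}")
    print("--- cleaned file ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

On a live system, read the real file from %SystemRoot%\System32\drivers\etc\hosts (it needs administrator rights to write back) and keep a copy before replacing it; the suffix match deliberately catches subdomains such as liveupdate.symantecliveupdate.com, which the worm's list includes, while leaving unrelated names like the ad-blocking entry in place.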
W32/Mytob-P terminates any running process whose image name matches one of the following (listed without the .exe extension). Besides anti-virus and firewall products, the list covers analysis tools such as ollydbg, ethereal, procdump and lordpe, and Windows utilities such as regedit, taskmgr, msconfig, netstat and cmd, so the infection also hampers manual investigation and clean-up:
ackwin32, adaware, advxdwin, agentsvr, agentw, alertsvc, alevir, alogserv, amon9x, anti-trojan, antivirus, ants, apimonitor, aplica32, apvxdwin, arr, atcon, atguard, atro55en, atupdater, atupdater, atwatch, au, aupdate, aupdate, auto-protect.nav80try, autodown, autodown, autotrace, autotrace, autoupdate, autoupdate, avconsol, ave32, avgcc32, avgctrl, avgnt, avgserv, avgserv9, avguard, avgw, avkpop, avkserv, avkservice, avkwctl9, avltmain, avnt, avp, avp32, avpcc, avpdos32, avpm, avptc32, avpupd, avpupd, avsched32, avsynmgr, avwinnt, avwupd, avwupd32, avwupd32, avwupsrv, avxmonitor9x, avxmonitornt, avxquar, avxquar, backweb, bargains, bd_professional, beagle, belt, bidef, bidserver, bipcp, bipcpevalsetup, bisp, blackd, blackice, blss, bootconf, bootwarn, borg2, bpc, brasil, bs120, bundle, bvt, ccapp, ccevtmgr, ccpxysvc, cdp, cfd, cfgwiz, cfiadmin, cfiaudit, cfiaudit, cfinet, cfinet32, claw95cf, clean, cleaner, cleaner3, cleanpc, click, cmd, cmd32, cmesys, cmgrdian, cmon016, connectionmonitor, cpd, cpf9x206, cpfnt206, ctrl, cv, cwnb181, cwntdwmo, datemanager, dcomx, defalert, defscangui, defwatch, deputy, divx, dllcache, dllreg, doors, dpf, dpfsetup, dpps2, drwatson, drweb32, drwebupw, dssagent, dvp95, dvp95_0, ecengine, efpeadm, emsw, ent, esafe, escanhnt, escanv95, espwatch, ethereal, etrustcipe, evpn, exantivirus-cnet, exe.avxw, expert, explore, f-prot, f-prot95, f-stopw, fameh32, fast, fch32, fih32, findviru, firewall, fnrb32, fp-win, fp-win_trial, fprot, frw, fsaa, fsav, fsav32, fsav530stbyb, fsav530wtbyb, fsav95, fsgk32, fsm32, fsma32, fsmb32, gator, gbmenu, gbpoll, generics, gmt, guard, guarddog, hacktracersetup, hbinst, hbsrv, hotactio, hotpatch, htlog, htpatch, hwpe, hxdl, hxiul, iamapp, iamserv, iamstats, ibmasn, ibmavsp, icloadnt, icmon, icsupp95, icsuppnt, idle, iedll, iedriver, iexplorer, iface, ifw2000, inetlnfo, infus, infwin, init, intdel, intren, iomon98, istsvc, jammer, jdbgmrg, jedi, kavlite40eng, kavpers40eng, kavpf, kazza, keenvalue, 
kerio-pf-213-en-win, kerio-wrl-421-en-win, kerio-wrp-421-en-win, kernel32, killprocesssetup161, launcher, ldnetmon, ldpro, ldpromenu, ldscan, lnetinfo, loader, localnet, lockdown, lockdown2000, lookout, lordpe, lsetup, luall, luall, luau, lucomserver, luinit, luspt, mapisvc32, mcagent, mcmnhdlr, mcshield, mctool, mcupdate, mcupdate, mcvsrte, mcvsshld, md, mfin32, mfw2en, mfweng3.02d30, mgavrtcl, mgavrte, mghtml, mgui, minilog, mmod, monitor, moolive, mostat, mpfagent, mpfservice, mpftray, mrflux, msapp, msbb, msblast, mscache, msccn32, mscman, msconfig, msdm, msdos, msiexec16, msinfo32, mslaugh, msmgt, msmsgri32, mssmmc32, mssys, msvxd, mu0311ad, mwatch, n32scanw, nav, navap.navapsvc, navapsvc, navapw32, navdx, navlu32, navnt, navstub, navw32, navwnt, nc2000, ncinst4, ndd32, neomonitor, neowatchlog, netarmor, netd32, netinfo, netmon, netscanpro, netspyhunter-1.2, netstat, netutils, nisserv, nisum, nmain, nod32, normist, norton_internet_secu_3.0_407, notstart, npf40_tw_98_nt_me_2k, npfmessenger, nprotect, npscheck, npssvc, nsched32, nssys32, nstask32, nsupdate, nt, ntrtscan, ntvdm, ntxconfig, nui, nupgrade, nupgrade, nvarch16, nvc95, nvsvc32, nwinst4, nwservice, nwtool16, ollydbg, onsrvr, optimize, ostronet, otfix, outpost, outpost, outpostinstall, outpostproinstall, padmin, panixk, patch, pavcl, pavproxy, pavsched, pavw, pcfwallicon, pcip10117_0, pcscan, pdsetup, periscope, persfw, perswf, pf2, pfwadmin, pgmonitr, pingscan, platin, pop3trap, poproxy, popscan, portdetective, portmonitor, powerscan, ppinupdt, pptbc, ppvstop, prizesurfer, prmt, prmvr, procdump, processmonitor, procexplorerv1.0, programauditor, proport, protectx, pspf, purge, qconsole, qserver, rapapp, rav7, rav7win, rav8win32eng, ray, rb32, rcsync, realmon, reged, regedit, regedt32, rescue, rescue32, rrguard, rshell, rtvscan, rtvscn95, rulaunch, run32dll, rundll, rundll16, ruxdll32, safeweb, sahagent, save, savenow, sbserv, sc, scam32, scan32, scan95, scanpm, scrscan, setupvameeval, 
setup_flowprotector_us, sfc, sgssfw32, sh, shellspyinstall, shn, showbehind, smc, sms, smss32, soap, sofi, sperm, spf, sphinx, spoler, spoolcv, spoolsv32, spyxx, srexe, srng, ss3edit, ssgrate, ssg_4104, st2, start, stcloader, supftrl, support, supporter5, svc, svchostc, svchosts, svshost, sweep95, sweepnet.sweepsrv.sys.swnetsup, symproxysvc, symtray, sysedit, system, system32, sysupd, taskmg, taskmgr, taskmo, taskmon, taumon, tbscan, tc, tca, tcm, tds-3, tds2-nt, teekids, tfak, tfak5, tgbob, titanin, titaninxp, tracert, trickler, trjscan, trjsetup, trojantrap3, tsadbot, tvmd, tvtmd, undoboot, updat, update, update, upgrad, utpost, vbcmserv, vbcons, vbust, vbwin9x, vbwinntw, vcsetup, vet32, vet95, vettray, vfsetup, vir-help, virusmdpersonalfirewall, vnlan300, vnpc3000, vpc32, vpc42, vpfw30s, vptray, vscan40, vscenu6.02d30, vsched, vsecomr, vshwin32, vsisetup, vsmain, vsmon, vsstat, vswin9xe, vswinntse, vswinperse, w32dsm89, w9x, watchdog, webdav, webscanx, webtrap, wfindv32, whoswatchingme, wimmun32, win-bugsfix, win32, win32us, winactive, window, windows, wininetd, wininit, wininitx, winlogin, winmain, winnet, winppr32, winrecon, winservn, winssk32, winstart, winstart001, wintsk32, winupdate, wkufind, wnad, wnt, wradmin, wrctrl, wsbgate, wupdater, wupdt, wyvernworksfirewall, xpf202en, zapro, zapsetup3001, zatutor, zonalm2601, zonealarm, _avp32, _avpcc, _avpm.exe