W32/Mytob.AG Worm

 Virus Information - W32/Mytob.AG Worm:

W32/Mytob.AG is a mass mailing worm. This worm is a variant of W32/Mytob.A. The worm will infect Windows systems and spreads through email.

The infected mail 'From' address prefix will be any one of the following;

adam, alex, alice, andrew, anna, bill, bob, brenda, brent, brian, claudia, dan, dave, david, debby, fred, george, helen, jack, james, jane, jerry, jim, jimmy, joe, john, jose, julie, kevin, leo, linda, maria, mary, matt, michael, mike, peter, ray, robert, sam, sandra, serg, smith, stan, steve, ted, tom.

the suffix after '@' character will be any one of the following domains;

hotmail.com
cia.gov
fbi.gov
yahoo.com
juno.com
msn.com
aol.com

The worm may also carry spoofed 'From' address picked up randomly from the infected system.

The subject of the infected mail will be any one of the following;

Good day
hello
status
Mail Transaction Failed
error
SERVER REPORT
Mail Delivery System
(Variable String)

The infected attachment will be any one of the following;

message
document
doc
body
data
file
test
text
readme
(Varible String)

with any one of these extensions;

pif, scr, zip, bat, exe, zip.

The body of the infected mail will be any one of the following;

Mail transaction failed. Partial message is available

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

Here are your banks documents.

The message contains Unicode characters and has been sent as a binary attachment.

The original message was included as an attachments.

Upon execution, the worm copies these files:

sysconf.exe in the Windows System folder.
funny pic.scr, see_this!!.pif and my_photo2005.scr in the root of C: drive.

It also drops hellmsn.exe in the root of C: drive.

The worm modifies registry at the following location to load itself during each startup.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

To propagate itself, the worm scans the files having the following extensions and collects all the domain names from the infected system..

adb, asp, dbx, htm, php, pl, sht, tbb, wab.

The worm generates email addresses using one of the following names as the prefix before '@' and the suffix as one of the domain names collected.

adam, alex, alice, andrew, anna, bill, bob, brenda, brent, brian, claudia, dan, dave, david, debby, fred, george, helen, jack, james, jane, jerry, jim, jimmy, joe, john, jose, julie, kevin, leo, linda, maria, mary, matt, michael, mike, peter, ray, robert, sam, sandra, serg, smith, stan, steve, ted, tom.

The worm attempts to locate SMTP server by appending the following prefixes to the domain names collected from the infected system. On successful SMTP server access it mails itself to the produced email addresses.

mx.
ns.
relay.
mail1.
mxs.
mx1.
smtp.
mail.
gate.

The worm tries to block access to some security related websites.