W32/Mytob.BB Worm

Name: W32/Mytob.BB Worm
Aliases: W32.Mytob.CU@mm, WORM_MYTOB.AR
Discovered on: 30th May, 2005

Virus Information - W32/Mytob.BB Worm:

W32/Mytob.BB is a mass-mailing worm and a variant of W32/Mytob.A. It infects Windows systems and spreads through email.

The prefix of the infected mail's 'From' address will be any one of the following:

adam, alex, alice, andrew, anna, bill, bob, brenda, brent, brian, claudia, dan, dave, david, debby, fred, george, helen, jack, james, jane, jerry, jim, jimmy, joe, john, jose, julie, kevin, leo, linda, maria, mary, matt, michael, mike, peter, ray, robert, sam, sandra, serg, smith, stan, steve, ted, tom.

The suffix after the '@' character will be any one of the following domains:

hotmail.com
cia.gov
fbi.gov
yahoo.com
juno.com
msn.com
aol.com


The worm may also carry a spoofed 'From' address picked at random from the infected system.

The subject of the infected mail will be any one of the following:

*DETECTED* Online User Violation
Your Email Account is Suspended For Security Reasons
Account Alert
Important Notification
Security measures
Notice: **Last Warning**
*WARNING* Your Email Account Will Be Closed
Email Account Suspension
Notice of account limitation
[Variable string]


The infected attachment will have any one of the following names:

email-doc
email-info
account-details
document
information
instructions
INFO
info-text
information
[Variable String]


with any one of these extensions:

exe, pif, scr, zip, bat, cmd.

The body of the infected mail will be any one of the following:

We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.

Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.

The original message has been included as an attachment.

We attached some important information regarding your account.

Please read the attached document and follow it's instructions.
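
As an added example (not Proland's code), the Python check below parses a raw message the way a mail gateway would and reports which of the indicators listed above it matches. The function names, the user@example.org recipient and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicator values copied from the lists on this page (compared case-insensitively).
FROM_PREFIXES = set((
    "adam alex alice andrew anna bill bob brenda brent brian claudia dan dave "
    "david debby fred george helen jack james jane jerry jim jimmy joe john jose "
    "julie kevin leo linda maria mary matt michael mike peter ray robert sam "
    "sandra serg smith stan steve ted tom").split())
FROM_DOMAINS = {"hotmail.com", "cia.gov", "fbi.gov", "yahoo.com",
                "juno.com", "msn.com", "aol.com"}
SUBJECTS = {s.lower() for s in (
    "*DETECTED* Online User Violation",
    "Your Email Account is Suspended For Security Reasons",
    "Account Alert", "Important Notification", "Security measures",
    "Notice: **Last Warning**", "*WARNING* Your Email Account Will Be Closed",
    "Email Account Suspension", "Notice of account limitation")}
ATTACH_NAMES = {"email-doc", "email-info", "account-details", "document",
                "information", "instructions", "info", "info-text"}
ATTACH_EXTS = {"exe", "pif", "scr", "zip", "bat", "cmd"}

def mytob_bb_indicators(raw: bytes) -> list:
    """Return which of the page's mail indicators a raw message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    local, _, domain = parseaddr(str(msg.get("From", "")))[1].lower().partition("@")
    if local in FROM_PREFIXES and domain in FROM_DOMAINS:
        hits.append("from")
    if str(msg.get("Subject", "")).strip().lower() in SUBJECTS:
        hits.append("subject")
    for part in msg.iter_attachments():
        stem, _, ext = (part.get_filename() or "").lower().rpartition(".")
        if ext in ATTACH_EXTS:
            # The attachment name can be a variable string, so the extension
            # is recorded even when the name is not on the list.
            hits.append("attachment-name+ext" if stem in ATTACH_NAMES else "attachment-ext")
    return hits

def build_sample(sender, subject, filename) -> bytes:
    """Constructed test message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.org", subject
    m.set_content("We attached some important information regarding your account.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

Because the 'From' address may be spoofed from harvested addresses and the subject and attachment name may be variable strings, the attachment extension is the only indicator here that every variant of the mail carries.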


Upon execution of the infected attachment, the worm copies itself to the Windows System folder as lien van de kelder.exe.

The worm modifies the registry at the following locations to load itself at each startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


To propagate itself, the worm scans files with the following extensions and collects all available email addresses from the infected system:

adb, asp, dbx, htm, php, pl, sht, tbb, wab.

The worm attempts to locate an SMTP server by prepending the following prefixes to the domain names collected from the infected system. Once it reaches an SMTP server, it mails itself to the collected email addresses.

mx.
ns.
relay.
mail1.
mxs.
mx1.
smtp.
mail.
gate.


Copyright © 2005 Proland Software. All rights reserved