W32/Mytob.E Worm

 Virus Information - W32/Mytob.E Worm:

W32/Mytob.E is a mass mailing worm. This worm is a variant of W32/Mytob.A. The worm will infect Windows systems and spreads through email.

The infected email carries a spoofed 'From' address picked up randomly from the infected system.

The subject of the infected mail will be any one of the following;

(Blank Subject)
Good day
hello
status
test
Mail Transaction Failed
error
SERVER REPORT
Mail Delivery System
(Variable Strings)

The infected attachment will be any one of the following;

message
document
doc
body
data
file
readme
test
text
(Variable String)

The extension of the infected attachment will be any one of the following;

pif
cmd
scr
zip
bat
exe

The body of the infected mail will be any one of the following;

(Variable Strings)

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

Mail transaction failed. Partial message is available.

test

The message contains Unicode characters and has been sent as a binary attachment.

(Blank body)

Upon execution of the infected attachment, the worm copies itself as taskgmr.exe in the Windows System folder.

The worm modifies registry at the following location to load itself during each startup.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

To propagate itself, the worm scans the files having the following extensions and collects all the available email addresses from the infected system.

txt, htm, sht, php, asp, dbx, tbb, adb, pl, wab

It also collects email addresses from the Temporary Internet Files folder and from all the drives in the hard disk.

The worm mails itself to these addresses using its own SMTP engine.