Discovered May 30, 2005, Mytob.AR is a mass-mailing email worm that weakens the infected system's defenses by terminating processes belonging to various antivirus products, disabling the Windows XP SP2 firewall, and modifying the HOSTS file so that antivirus update servers and certain other websites can no longer be reached. Mytob.AR also exploits the LSASS vulnerability (MS04-011) in order to spread across the network without user interaction. Mytob.AR includes an IRC bot that allows remote attackers to gain full control of compromised systems.
Detected by antivirus vendor Trend Micro as WORM_MYTOB.AR, Mytob.AR has several different aliases, including: Worm.Mytob.CG, Worm/Mytob.EA, Win32/Mytob.CZ, W32/Mytob.gen@MM, Net-Worm.Win32.Mytob.bb, Win32.Mytob.DM, W32.Mytob.CU@mm, Malware.b, W32.Mydoom.gen@mm, Win32/Mydoom.gen
Email characteristics
The Subject line of the Mytob.AR generated email may be random or may be any one of the following:
- *DETECTED* Online User Violation
- *IMPORTANT* Please Validate Your Email Account
- *IMPORTANT* Your Account Has Been Locked
- *WARNING* Your Email Account Will Be Closed
- Account Alert
- Email Account Suspension
- Important Notification
- Notice of account limitation
- Notice: **Last Warning**
- Notice:***Your email account will be suspended***
- Security measures
- Your email account access is restricted
- Your Email Account is Suspended For Security Reasons
The message body of the Mytob.AR generated email may be any one of the following:
- Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
- please look at attached document.
- Please read the attached document and follow it's instructions.
- Please see the attachement.
- The original message has been included as an attachment.
- To safeguard your email account from possible termination, please see the attached file.
- To unblock your email account acces, please see the attachement.
- We attached some important information regarding your account.
- We have suspended some of your email services, to resolve the problem you should read the attached document.
- We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.
The attached filename may be random or may be named any one of the following:
- account-details
- document
- document_full
- email-doc
- email-info
- info
- information
- info-text
- instructions
- your_details
The file extension will be one of the following: BAT, CMD, EXE, PIF, SCR, or ZIP. Note that by default Windows hides the extensions of known file types, so an attachment named document.exe is displayed simply as document. (The article Executable File Extensions explains how to enable viewing of executable extensions.)
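The subject, body, and attachment characteristics above are the indicators a mail gateway would match on. The following Python script is an added example (not code from the original page): it scores a message against those lists, treats BAT/CMD/EXE/PIF/SCR attachments as executable, and looks inside ZIP attachments for an executable member. The scoring weights, the threshold, and the sample messages are constructed assumptions for illustration.

```python
"""Mail-gateway triage for Mytob.AR-style lures (added example, not from the
original page). Subject/body/attachment indicators come from the lists above;
the weights, threshold and sample messages are constructed for illustration."""
import io
import zipfile

SUBJECTS = {
    "*detected* online user violation",
    "*important* please validate your email account",
    "*important* your account has been locked",
    "*warning* your email account will be closed",
    "account alert",
    "email account suspension",
    "important notification",
    "notice of account limitation",
    "notice: **last warning**",
    "notice:***your email account will be suspended***",
    "security measures",
    "your email account access is restricted",
    "your email account is suspended for security reasons",
}
# Distinctive fragments of the body texts listed above (matched case-insensitively).
BODY_PHRASES = (
    "please see the attached file",
    "please look at attached document",
    "read the attached document",
    "see the attachement",          # the worm's own misspelling
    "included as an attachment",
    "information regarding your account",
    "account has been suspended",
)
ATTACH_NAMES = {"account-details", "document", "document_full", "email-doc",
                "email-info", "info", "information", "info-text",
                "instructions", "your_details"}
EXEC_EXTS = {"bat", "cmd", "exe", "pif", "scr"}


def split_name(filename):
    """Return (stem, ext) lower-cased: 'Info-Text.PIF' -> ('info-text', 'pif')."""
    stem, _, ext = filename.lower().rpartition(".")
    return (stem, ext) if stem else (ext, "")


def executable_members(data):
    """Names of members inside a ZIP attachment whose extension is executable;
    the ZIP variant of the lure simply wraps the executable in an archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if split_name(n)[1] in EXEC_EXTS]
    except zipfile.BadZipFile:
        return []


def score_message(subject, body, attachments):
    """attachments: list of (filename, raw_bytes). Returns (score, reasons)."""
    score, reasons = 0, []
    if subject.strip().lower() in SUBJECTS:
        score += 2
        reasons.append("subject matches lure list")
    hits = [p for p in BODY_PHRASES if p in body.lower()]
    if hits:
        score += len(hits)
        reasons.append("body phrases: " + ", ".join(hits))
    for name, data in attachments:
        stem, ext = split_name(name)
        if ext in EXEC_EXTS:
            score += 3
            reasons.append(f"executable attachment {name}")
        elif ext == "zip":
            inner = executable_members(data)
            if inner:
                score += 3
                reasons.append(f"ZIP {name} contains executable {inner}")
        if stem in ATTACH_NAMES:
            score += 1
            reasons.append(f"attachment name '{stem}' matches lure list")
    return score, reasons


def is_mytob_lure(subject, body, attachments, threshold=4):
    """Assumed threshold: subject match plus an executable attachment is enough."""
    return score_message(subject, body, attachments)[0] >= threshold


def _build_zip(member, payload=b"MZ"):
    """Constructed sample: an in-memory ZIP holding one (fake) executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


if __name__ == "__main__":
    lure = ("*IMPORTANT* Your Account Has Been Locked",
            "Please read the attached document and follow it's instructions.",
            [("document.zip", _build_zip("document.exe"))])
    benign = ("Lunch tomorrow?", "See you at noon.", [("agenda.pdf", b"%PDF-1.4")])
    for msg in (lure, benign):
        print(msg[0], "->", score_message(*msg))
```

The ZIP inspection matters because a gateway that only looks at the outer attachment extension passes the archived variant straight through to a user whose Explorer hides the .exe suffix.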
Method of infection
If the infected attachment is opened, Mytob.AR drops a copy of itself as LIEN VAN DE KELDER.EXE in the Windows system folder and adds the following Registry values so that the copy is loaded each time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    http://www.lienvandekelder.be = "Lien Van de Kelder.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    http://www.lienvandekelder.be = "Lien Van de Kelder.exe"
Mytob.AR then attempts to download and execute a file from a remote website. That file, a downloader Trojan, is saved to the root directory of the local drive as system.exe. In turn, the Trojan downloads and installs MediaTickets adware, which tracks which ads the user clicks on and may display pop-up advertising.
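The persistence entries, the dropped files and the HOSTS-file tampering described above are what an incident responder checks on a suspect host. The following Python script is an added example (not code from the original page): the registry value name and file names are taken from the text, while the HOSTS heuristic (any non-local hostname sunk to loopback or 0.0.0.0), the default paths, and the sample HOSTS content are assumptions constructed for illustration. The live registry read only works on Windows and is skipped elsewhere so the rest of the script still runs.

```python
"""Host triage for Mytob.AR persistence and HOSTS tampering (added example,
not from the original page). Indicator names follow the text; the HOSTS
heuristic, default paths and sample content are constructed assumptions."""
import os

RUN_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunServices",
)
INDICATOR_VALUE = "http://www.lienvandekelder.be"   # value name from the text
INDICATOR_EXE = "lien van de kelder.exe"           # dropped file from the text
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample HOSTS file; the vendor domains are placeholders.
SAMPLE_HOSTS = """# constructed sample, not a real HOSTS file
127.0.0.1       localhost
127.0.0.1       www.example-av-vendor.test   # would block the update site
0.0.0.0         update.example-av-vendor.test
"""


def suspicious_hosts_entries(text):
    """Return (ip, hostname) pairs that map a non-local name to loopback or
    0.0.0.0, the pattern used to keep AV clients from reaching update sites.
    Comments (full-line and inline '#') are ignored. This is a heuristic,
    not the page's list of blocked domains."""
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if ip in LOCAL_SINKS:
            found.extend((ip, n) for n in names if n.lower() not in LOCAL_NAMES)
    return found


def run_key_hits(values):
    """values: {value_name: data} as read from a Run/RunServices key. Flags the
    worm's value name and any data that launches the dropped executable."""
    return [(name, data) for name, data in values.items()
            if name.lower() == INDICATOR_VALUE or INDICATOR_EXE in str(data).lower()]


def read_run_keys():
    """Live read of both keys on Windows; returns {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    for sub in RUN_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break
                    values[name] = data
                    index += 1
        except OSError:
            continue   # RunServices does not exist on NT-based Windows by default
    return values


def dropped_files_present():
    """Look for the dropped copy in the system folder and the downloader at the
    drive root. Assumes the default %SystemRoot% and %SystemDrive% layout."""
    sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    candidates = [
        os.path.join(sysdir, "Lien Van de Kelder.exe"),
        os.environ.get("SystemDrive", "C:") + os.sep + "system.exe",
    ]
    return [p for p in candidates if os.path.isfile(p)]


if __name__ == "__main__":
    print("HOSTS sinks:", suspicious_hosts_entries(SAMPLE_HOSTS))
    print("Run-key hits:", run_key_hits(read_run_keys()))
    print("Dropped files:", dropped_files_present())
```

In practice, run this before trusting any on-host antivirus result: if the Run key and HOSTS hits are present, the scanner's update channel is the first thing the worm broke, so update definitions from another machine or boot from clean media.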
Removal Instructions
Scan the system with up-to-date antivirus software to detect and remove this threat. But as the saying goes, an ounce of prevention is worth a pound of cure. See How to Prevent Mytob for tips on protecting yourself from this threat.

