
W32/Mytob

Threat risk: medium

Detection files published:
28 Feb 2005
Description created:
2005-06-08
Description updated:
2005-06-08

Malware type:
Worm
Alias:
Spreading mechanism:
Email, Other

Payload:
Disables security software, includes backdoor capability.

Summary

The Mytob family is a large family of worms that can spread via email and via security vulnerabilities in the operating system. This is a general description of the family.

Mytob is loosely based on two other worm series: the Mydoom email worms and the SDBot/Spybot network worms. The SDBot series of worms is very common, but does not spread by email. SDBots are also rather plugin-based and easy to adapt to new techniques, so it came as no surprise that they were eventually equipped with email spreading.

They appear, at least initially, to be spammed out by the author(s). New variants have appeared at a high frequency, with a regularity that looks almost scheduled.

Spreading description

Email characteristics:

Subject: Variable
Body: Variable
Attachment: Variable

Email: Code lifted from the Mydoom series of worms. Subject line, body text and attachment names are variable, though attachment names will often have double extensions. The attachment may be a zip archive with the real worm inside. The worm searches files on the local computer for email addresses and can use these as both FROM and TO addresses, i.e. the sender you receive the mail from is not necessarily the one who is infected.

Security vulnerability: Code taken from SDBots. The worm attempts to compromise other networked computers by sending specially crafted network messages to them. The vulnerability used is mainly the LSASS vulnerability (MS04-011): http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx. A successful attack triggers a download of the worm to the affected computer.

We expect more spread functionality to be added to these worms as time goes by.

Threat description

Many Mytobs include functionality to disable various AV and firewall products. In addition, they will often modify the local HOSTS file so that the internet addresses of known security providers are redirected and thus become unreachable.
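As an added defensive check (not part of the original description), the following Python parses a HOSTS file and flags entries that pin a security-vendor or update hostname to any address, since a static mapping overrides DNS whatever the address is; the watch-list and the sample HOSTS text are constructed for illustration, and the two example-av hostnames are placeholders.

```python
import ipaddress

# Constructed watch-list of hostnames that security products and update
# services rely on. In practice, build this from your own vendor list.
# The two *.example-av.test names are placeholders, not real hosts.
WATCHED_HOSTS = {
    "www.microsoft.com",
    "windowsupdate.microsoft.com",
    "update.example-av.test",
    "www.example-av.test",
}

# Constructed sample HOSTS file in the layout a Mytob-style worm leaves
# behind: the legitimate loopback line, a comment, then vendor names pinned
# to 127.0.0.1 or to an arbitrary address so the real site is never reached.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.example-av.test
127.0.0.1       windowsupdate.microsoft.com  www.microsoft.com
10.0.0.1        update.example-av.test      # arbitrary non-vendor address
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS text; comments and blanks are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing/inline comments
        parts = line.split()                  # tabs and spaces both separate
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)          # ignore malformed lines
        except ValueError:
            continue
        for name in names:                    # one line may map several names
            yield ip, name.lower()


def find_hijacked_entries(text, watched=WATCHED_HOSTS):
    """Return sorted (hostname, ip) pairs for watched names found in HOSTS.

    Any entry for a vendor or update site is suspicious regardless of the
    address: loopback is the classic pattern, but any pinning bypasses DNS.
    """
    return sorted((name, ip) for ip, name in parse_hosts(text) if name in watched)
```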

It is common for these worms to connect to an Internet Relay Chat (IRC) server and join particular chat channels there. Via these channels the worm author can issue commands to the worm and, to a large extent, remotely control the infected computer.

Removal

The Mytob worms have usually been caught by the proactive Norman Sandbox technology without the need for updates. Exact detection for the first worm in this series, Mytob.A, was added Feb 28th 2005, but it was in reality already covered.

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.

Related articles:
- Stopping network share infectors
- Cleaning of back-up folders on Windows Me and XP