
Mytob worm launches slew of attacks

CIOL Bureau



NEW DELHI: PandaLabs has detected the appearance of four new variants (S, U, V and W) of the Mytob worm. All of them have backdoor Trojan characteristics: they open a backdoor on the infected system through which they receive commands.



According to the company, the commands are not received directly but relayed through command servers called 19.xx or .biz (in the case of variants S, U and W) and irc.blackcarder.net (used by Mytob.V). This allows their creator to take control of any computer infected with these variants of Mytob, states a company press release.






According to the company, one of the greatest dangers of this worm lies in its ability to modify the system's "hosts" file. It does this to prevent users from connecting to the web pages of certain antivirus vendors; because of this modification, infected users cannot download the updates needed to remove the malicious code.
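The hosts-file tampering described above is easy to check for. The following script is an added example written for this article, not code from PandaLabs or from the worm analysis: it parses hosts-file syntax (comments, tabs, multiple names per line) and flags any line that maps an antivirus-vendor domain, reporting whether the target address is a loopback or unspecified sinkhole. The vendor suffix list and the sample hosts content are constructed for illustration; the real file location on Windows is %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Detect hosts-file entries that hijack antivirus-vendor domains.

Added example for this article; not PandaLabs' tooling. The watch list
and SAMPLE_HOSTS below are constructed for illustration.
"""
import ipaddress
import os
import sys
from typing import Dict, List, Tuple

# Constructed watch list of vendor domain suffixes (assumption: extend to taste).
AV_DOMAIN_SUFFIXES = (
    "pandasoftware.com", "symantec.com", "mcafee.com", "kaspersky.com",
    "sophos.com", "trendmicro.com", "f-secure.com", "windowsupdate.com",
)


def hosts_file_path() -> str:
    """Location of the system hosts file on Windows and Unix-like systems."""
    if sys.platform == "win32":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, address, [hostnames]) for each mapping line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()  # whitespace or tabs between fields
        if len(parts) < 2:
            continue
        entries.append((lineno, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def is_sinkhole_address(addr: str) -> bool:
    """True for 127.x / ::1 / 0.0.0.0 style targets, the usual worm choice."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def matches_watchlist(hostname: str) -> bool:
    return any(hostname == s or hostname.endswith("." + s)
               for s in AV_DOMAIN_SUFFIXES)


def find_hijacked_entries(text: str) -> List[Dict]:
    """Any hosts entry naming a vendor domain is suspicious, whatever the IP."""
    findings = []
    for lineno, addr, hosts in parse_hosts(text):
        hits = [h for h in hosts if matches_watchlist(h)]
        if hits:
            findings.append({"line": lineno, "address": addr, "hosts": hits,
                             "sinkhole": is_sinkhole_address(addr)})
    return findings


def scan_hosts_file(path: str = None) -> List[Dict]:
    with open(path or hosts_file_path(), encoding="utf-8", errors="replace") as fh:
        return find_hijacked_entries(fh.read())


# Constructed sample: a clean file with worm-style lines appended.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1\twww.pandasoftware.com   # appended by the infection
127.0.0.1\tliveupdate.symantec.com
0.0.0.0\tupdate.symantec.com
192.168.1.10    intranet.example.local
"""

if __name__ == "__main__":
    for f in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['address']} -> {', '.join(f['hosts'])}"
              f" (sinkhole={f['sinkhole']})")
```

Run `scan_hosts_file()` on a live machine to check the real file. One caveat: on Windows the path the resolver actually reads is taken from the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, so a check should confirm that value still points at the default directory before trusting the file it reads.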





The worm uses three different methods to spread: by exploiting the known LSASS vulnerability, published and corrected by Microsoft in security bulletin MS04-011 (http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx); through shared resources protected with weak passwords; and by email, sending messages with an attachment containing the Mytob code with one of the following extensions: .bat, .exe, .pif, .scr or .zip. The attached file may be called Data, Doc, Document, File, Readme, Text or Body, among others.





It sends itself to addresses it finds on the infected system in files with the extensions .adb, .asp, .dbx, .htm, .php, .pl, .sht and .tbb and in the Windows Address Book; which extensions are searched depends on the variant. Mytob does not send itself to certain email addresses (including those containing the word "panda"), in an attempt, albeit unsuccessful, to evade detection.
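The email vector described in the two paragraphs above (generic attachment names combined with executable or archive extensions) is something a mail gateway can screen for. The script below is an added example written for this article, not code from PandaLabs: it parses a MIME message with Python's standard `email` module, pulls out attachment filenames, and flags those matching the naming pattern the article gives, including double extensions such as Readme.txt.pif. The sample message is constructed; its body is not real worm content.

```python
"""Flag mail attachments matching the Mytob naming pattern.

Added example for this article. The extension and base-name lists come
from the article; SAMPLE_EMAIL is a constructed message for testing.
"""
import os
from email import message_from_string
from typing import Dict, List

# Extensions and generic base names reported for the worm's attachments.
WORM_EXTENSIONS = {".bat", ".exe", ".pif", ".scr", ".zip"}
WORM_BASENAMES = {"data", "doc", "document", "file", "readme", "text", "body"}


def attachment_names(raw_message: str) -> List[str]:
    """Return the filename of every non-multipart part that carries one."""
    msg = message_from_string(raw_message)
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()  # from Content-Disposition or Content-Type
        if name:
            names.append(name)
    return names


def classify_attachment(name: str) -> List[str]:
    """Return the reasons a filename looks like a worm payload ([] if clean)."""
    stem, ext = os.path.splitext(name.lower())
    reasons = []
    if ext in WORM_EXTENSIONS:
        reasons.append(f"executable or archive extension {ext}")
        if "." in stem:  # e.g. readme.txt.pif: trailing extension hides the type
            reasons.append("double extension")
    first = stem.split(".")[0]
    if first in WORM_BASENAMES:
        reasons.append(f"generic base name '{first}'")
    return reasons


def triage_message(raw_message: str) -> Dict[str, List[str]]:
    """Map each suspicious attachment name to its reasons."""
    return {name: reasons
            for name in attachment_names(raw_message)
            if (reasons := classify_attachment(name))}


def should_quarantine(raw_message: str) -> bool:
    """Quarantine when any attachment has a worm extension, not just a generic name."""
    return any(any(r.startswith("executable") for r in reasons)
               for reasons in triage_message(raw_message).values())


# Constructed sample message: one worm-style attachment, one ordinary PDF.
SAMPLE_EMAIL = """From: alice@example.test
To: bob@example.test
Subject: Mail Delivery System
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Here is the file.
--b1
Content-Type: application/octet-stream; name="Readme.zip"
Content-Disposition: attachment; filename="Readme.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1--
"""

if __name__ == "__main__":
    for name, reasons in triage_message(SAMPLE_EMAIL).items():
        print(f"{name}: {'; '.join(reasons)}")
    print("quarantine:", should_quarantine(SAMPLE_EMAIL))
```

The name-based rule is deliberately narrow: it catches the pattern this family uses but says nothing about content, so it belongs beside, not instead of, signature or sandbox scanning of the attachment bytes.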





To prevent more than one copy of the worm from running on the system at the same time, it creates a mutex whose name varies with the variant: the S version creates the mutex "ggmutexk2", the U variant "ggmutexk1", the V version "H-E-L-L-B-O-T-2-BY-DIABLO" and the W variant "H-E-L-L-B-O-T".





