
Mytob.BI worm

From Mary Landesman,

Jun 1 2005

Discovered May 31, 2005, Mytob.BI is a mass-mailing email worm that compromises system security by terminating processes related to various antivirus software, disabling the XP SP2 firewall, and modifying the HOSTS file to prevent access to antivirus updates and certain other websites. Mytob.BI also includes an IRCbot that allows remote attackers to gain access to compromised systems.

Detected by antivirus vendor Trend Micro as WORM_MYTOB.BI, Mytob.BI has several different aliases, including: W32.Mytob.CU@mm, W32/Mytob, and Win32.Mytob.DO.

Email characteristics

The Subject line of the Mytob.BI generated email may be random or may be any one of the following:

*DETECTED* Online User Violation
*WARNING* Your Email Account Will Be Closed
Account Alert
Email Account Suspension
Important Notification
Notice of account limitation
Notice: **Last Warning**
Notice:***Your email account will be suspended***
Security measures
Your Email Account is Suspended For Security Reasons
The message body of the Mytob.BI generated email may be any one of the following:

Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.

Please read the attached document and follow it's instructions.

The original message has been included as an attachment.
We attached some important information regarding your account.

We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.
The attached filename may be random or may be named any one of the following:

account-details
document
email-doc
email-info
info
information
info-text
instructions
The file extension will be one of the following: BAT, CMD, EXE, PIF, SCR, or ZIP.

Note that by default Windows hides the extensions of known file types, so an executable attachment may not show its extension. (The article Executable File Extensions explains how to enable viewing of executable extensions.)

Method of infection

If the infected attachment is opened, Mytob.BI drops a copy of itself as 'Lien Van de Kelderrr.exe' in the Windows system folder and modifies the Registry to load when Windows is started:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
http://www.lienvandekelder.be = "Lien Van de Kelderrr.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
http://www.lienvandekelder.be = "Lien Van de Kelderrr.exe"

Mytob.BI attempts to download and execute a file located on a remote website. That file, a downloader Trojan, is saved to the root directory of the local drive as system.exe. In turn, the Trojan downloads and installs MediaTickets adware, which tracks which ads users click on and may display pop-up advertising.
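The HOSTS-file tampering and the Run/RunServices persistence described above can be checked for on a suspect machine. The following is an added example for this page, not code from the article or its author; the list of vendor domains it watches is a constructed assumption (the article does not enumerate the exact HOSTS entries), while the value name and dropped file name come from the Registry entries shown above.

```python
import ipaddress
from typing import List, Tuple

# Constructed watch list of vendor/update domains; the article lists no exact entries.
AV_WATCHLIST = ("trendmicro.com", "symantec.com", "symantecliveupdate.com",
                "sophos.com", "mcafee.com", "kaspersky.com", "windowsupdate.com")
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
# Persistence indicators taken from the article's Registry section.
MYTOB_RUN_VALUE = "http://www.lienvandekelder.be"
MYTOB_DROPPED_FILE = "lien van de kelderrr.exe"

def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, address, hostname) for every active HOSTS mapping."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # strip comments, tokenize
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # first field is not an address
        entries.extend((n, fields[0], h.lower()) for h in fields[1:])
    return entries

def suspicious_hosts_entries(text: str) -> List[Tuple[int, str, str]]:
    """Flag watch-listed hostnames that have been pointed at a sinkhole address."""
    hits = []
    for n, addr, host in parse_hosts(text):
        if addr in SINKHOLE_ADDRS and any(
                host == d or host.endswith("." + d) for d in AV_WATCHLIST):
            hits.append((n, host, addr))
    return hits

def suspicious_run_values(values: List[Tuple[str, str]]) -> List[str]:
    """Flag Run/RunServices (value_name, data) pairs matching the worm's indicators."""
    return [name for name, data in values
            if name.lower() == MYTOB_RUN_VALUE
            or MYTOB_DROPPED_FILE in data.lower()]

# Constructed sample HOSTS file: a clean Microsoft header, then injected lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.trendmicro.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 update.symantec.com # injected
0.0.0.0 www.sophos.com
192.168.1.10 intranet.example.com
"""
```

On a live system, feed `suspicious_hosts_entries` the contents of `%SystemRoot%\System32\drivers\etc\hosts` and `suspicious_run_values` the (name, data) pairs enumerated from the two Run keys, for example via `winreg.EnumValue`.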

Removal Instructions

Scan the system with up-to-date antivirus software to detect and remove this threat. But as the saying goes, an ounce of prevention is worth a pound of cure. See How to Prevent Mytob for tips on protecting yourself from this threat.

Copyright © 2005 Genuine Infotech Private Limited - Software Development and Software Outsourcing Company in India