W32/Mytob.BZ Worm

 Information about the W32/Mytob.BZ Worm:

W32/Mytob.BZ is an email worm. This worm is a variant of W32/Mytob.A. The worm will infect Windows systems. The worm spreads through email and network.

The worm exploits LSASS vulnerability present in Windows as explained by Microsoft Security Bulletin MS04-011.

The infected email carries a spoofed 'From' address picked up randomly from the infected system.

The subject of the infected mail will be any one of the following;

Mail Transaction Failed
readme
document
Status
Good day
Mail Delivery System
Server Report
message

The body of the infected mail will be any one of the following;

Here are your banks documents.
This is a multi-part message in MIME format.
The original message was included as an attachment.
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

The infected attachment will be any one of the following;

readme
document
Status
message

The extension of the infected attachment will be any one of the following;

bat, cmd, exe, pif, zip or scr.

Upon execution of the infected attachment, the worm copies itself as taskgmr.exe in the Windows System folder.

Microsoft has released the patch for the MS04-011 vulnerability. It can be downloaded from the following link;

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Users should apply the patch downloaded from the link provided above to remove the vulnerability inherent in the system.

The worm modifies registry at the following location to load itself during each startup;

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

To propagate itself, the worm collects all the available email addresses from the Windows Address Book (WAB) of the infected system.

The worm mails itself to these addresses using its own SMTP engine.

The worm also has the backdoor capabilities. It connects to the Internet Relay Chat (IRC) server. After the connection is established, it joins an IRC channel and listens for commands coming from a remote malicious user.

It also modifies the HOSTS file.

The worm also tries to terminate some of the security related processes and prevents access to some of the security related websites.

This worm first appeared on October 24, 2005.

 Other names of W32/Mytob.BZ Worm:

This Worm is also known as W32/Mytob-BZ.