W32/Mytob.JH is a mass mailing worm. This worm is a variant of W32/Mytob.A. The worm will infect Windows systems and spreads through email.
The infected email carries a spoofed 'From' address chosen at random from the email addresses found on the infected system.
The subject of the infected mail will be any one of the following;
<random characters>
Members Support
Security measures
Important Notification
Email Account Suspension
Your Account is Suspended
Notice of account limitation
Your Account is Suspended For Security Reasons
Warning Message: Your email account is suspended.
The body of the infected mail will be one of the following two messages;
Dear (random name) Member,
We have temporarily suspended your email account .
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
See the attached details to reactivate your account.
Sincerely,
The (random name) Support Team
or:
Dear (random name) Member,
Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.
Virtually yours,
The (random name) Support Team
The name of the infected attachment will be any one of the following;
readme, document, information, account-info, email-details, account-report, account-details, important-details or <random characters>
The extension of the infected attachment will be single or double. The first extension can be any one of the following;
zip, bat, cmd, exe, pif, scr, txt, htm or doc
The second extension can be any one of the following;
exe, pif or scr
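As an added example, not part of the original description and not Proland's code, the following Python check in the style of a mail-gateway rule flags messages that match the subject and attachment naming scheme described above. The indicator lists are copied from this description; treating a single .zip extension as a possible carrier of the executable is an assumption, and every sample subject and attachment name used with it is constructed.

```python
# Indicator lists below are copied from the W32/Mytob.JH description above.
SUBJECTS = {
    "members support", "security measures", "important notification",
    "email account suspension", "your account is suspended",
    "notice of account limitation",
    "your account is suspended for security reasons",
    "warning message: your email account is suspended.",
}
LURE_NAMES = {
    "readme", "document", "information", "account-info", "email-details",
    "account-report", "account-details", "important-details",
}
FIRST_EXT = {"zip", "bat", "cmd", "exe", "pif", "scr", "txt", "htm", "doc"}
SECOND_EXT = {"exe", "pif", "scr"}
# Single extensions that can carry the worm (zip assumed to be an archive around the exe).
RUNNABLE = {"zip", "bat", "cmd", "exe", "pif", "scr"}


def attachment_hits(filename):
    """Reasons an attachment name fits the worm's naming scheme (empty if none)."""
    parts = filename.lower().split(".")
    hits = []
    if len(parts) == 3 and parts[1] in FIRST_EXT and parts[2] in SECOND_EXT:
        hits.append("double extension .%s.%s" % (parts[1], parts[2]))
    elif len(parts) == 2 and parts[1] in RUNNABLE:
        hits.append("runnable attachment .%s" % parts[1])
    # The base name is random in some copies, so it only strengthens a hit.
    if hits and parts[0] in LURE_NAMES:
        hits.append("known lure name '%s'" % parts[0])
    return hits


def classify(subject, attachments):
    """Return ('block' | 'review' | 'pass', reasons) for one message.
    The subject may be random characters, so the attachment carries the weight:
    a double extension, or a lure name on a runnable file, blocks on its own;
    a single weaker indicator only earns a manual review."""
    reasons = []
    if subject.strip().lower() in SUBJECTS:
        reasons.append("lure subject")
    strong = False
    for name in attachments:
        hits = attachment_hits(name)
        reasons.extend("%s: %s" % (name, h) for h in hits)
        strong = strong or len(hits) == 2 or any(h.startswith("double") for h in hits)
    if strong or len(reasons) >= 2:
        return "block", reasons
    return ("review" if reasons else "pass"), reasons
```

Calling classify("Email Account Suspension", ["account-details.txt.exe"]) returns a block verdict with the subject, double-extension and lure-name reasons listed, while a plain .doc attachment under an ordinary subject passes.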
Upon execution of the infected attachment, the worm copies itself as sysmls.exe in the Windows System folder.
The worm modifies the registry at the following location to load itself during each startup.
The worm also attempts to register itself as a new system driver service named "Wins Driver" with a display name of "Win32 Driver" and a startup type of automatic, so that it is started automatically during system startup.
To propagate itself, the worm collects all the available email addresses from the Windows address book (WAB) of the infected system.
The worm mails itself to these addresses using its own SMTP engine.
It also alters the HOSTS file to prevent access to some websites.
The worm also spreads to other computers on the network by exploiting known buffer overflow vulnerabilities, including LSASS (MS04-011) and ASN.1 (MS04-007).
The worm also carries the following backdoor functionality:
download code from the internet, perform DDoS attacks, perform port scanning, set up a SOCKS4 proxy server, and steal information including credit card, password and login account information related to paypal.com
You can check your system for other Windows vulnerabilities using the Protector Plus - Windows Vulnerability Scanner, which guides you to the right patch for each one so that your system stays secure.
You can download and learn more about the Protector Plus - Windows Vulnerability Scanner at the following location:
Proland Software is the developer of the Protector Plus range of antivirus software packages. Protector Plus 2007 is available for Windows Vista, Windows 95/98/Me, Windows XP, Windows NT/2000/2003 servers and workstations, MS-Exchange 2000/2003, MS-DOS and NetWare servers.
The Protector Plus range of antivirus products offers on-line virus detection and removal. All the packages have the ability to detect and isolate all types of viruses, trojans, worms and other types of malware.
These products are updated on a continuous basis and the latest upgrades for all the platforms are made available for downloading from this site.