W32/Mytob.NH Worm

Subscribe to Virus Alert
Mailing List

Enter your Email
(Ex : john@company.com)

W32/Mytob.NH Worm

Information about the W32/Mytob.NH Worm:

W32/Mytob.NH is an email worm. This worm is a variant of W32/Mytob. The worm will infect Windows systems and spreads through email.

The subject of the infected mail will be Account Alert.

The body of the infected mail will be;

Dear Valued Member,

According to our terms of service, you will have to confirm your e-mail by the following link or your account will be suspended within 24 hours for security reasons.

http://www.[domain name]/confirm.php?email=[email address]

After following the instructions in the sheet, your account will not be interrupted and will continue as normal.

Thanks for your attention to this request. We apologize for any inconvenience.

Sincerey,[domain name] Security Department

The URL in the mail will be redirected to http://[blocked]/~nesher it contains the malicious file Confirm_Sheet.pif. When the link is executed it download a copy of worm into the system.

Upon execution, the worm copies itself as netsvc.exe in the Windows System Folder.

The worm modifies registry at the following location to load itself during each startup.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

To propagate itself, the worm scans the files having the following extensions and collects all the available email addresses from the infected system.

adb, asp, cgi, dbx, htm, jsp, php, sht, tbb, wab and xml.

It can also generate email address by adding the following name to the domain name gathered from previously collected email addresses.

alice, steve, robert, peter, michael, smith, maria, julie, linda, jerry, kevin, jimmy, brent, helen, george, debby, claudia, james, brian, david, brenda and andrew.

The worm mails itself to these addresses using its own SMTP engine.

The worm also tries to terminate some of the security related processes and prevents access to some of the security related websites.

The worm also has backdoor capabilities that connect to IRC Internet Relay Chat server using variable ports. It also modifes the Hosts file.

This worm first appeared on December 05, 2005.

Other names of W32/Mytob.NH Worm:

This Worm is also known as WORM_MYTOB.NH.

Click here to download a 30 day Evaluation Copy of
Protector Plus anti virus software for your operating system

About Protector Plus Antivirus Software Packages:

Proland Software is the developer of Protector Plus range of antivirus software packages. Protector Plus 2007 is available for Windows Vista, Windows 95/98/Me, Windows XP, Windows NT/2000/2003 servers and workstations, MS-Exchange 2000/2003, MS-DOS and NetWare servers.

Special Offer Order Protector Plus Antivirus software Now and get SpamChoke Antispam Software worth $29.95 FREE!

Protector Plus range of antivirus products offer on-line virus detection and removal. All the packages have the ability to detect and isolate all types of viruses, trojans, worms and other types of malware.

These products are updated on a continuous basis and the latest upgrades for all the platforms are made available for downloading from this site.

Click here to order
Protector Plus anti virus software