Symantec W32.Mytob@mm Free Removal Tool 1.50
Wednesday, 01 June 2005
Symantec W32.Mytob@mm Free Removal Tool is designed to remove infections of the following threats:

W32.Mytob@mm
W32.Mytob.B@mm
W32.Mytob.L@mm
W32.Mytob.M@mm
W32.Mytob.R@mm
W32.Mytob.U@mm
W32.Mytob.V@mm
W32.Mytob.AG@mm
W32.Mytob.AH@mm
W32.Mytob.AS@mm
W32.Mytob.BV@mm
W32.Mytob.CF@mm
W32.Mytob.CH@mm

License: Freeware

Download security software: Symantec W32.Mytob@mm Free Removal Tool 1.50

Developer: Symantec Corp.

The W32.Mytob@mm Removal Tool does the following:

- Terminates the W32.Mytob@mm processes
- Deletes the W32.Mytob@mm files
- Deletes the registry values that W32.Mytob@mm added

If you are on a network or have a full-time connection to the Internet, such as a DSL or cable modem, disconnect the computer from the network and Internet. Disable or password-protect file sharing, or set the shared files to Read Only, before reconnecting the computers to the network or to the Internet.

Because this worm spreads by using shared folders on networked computers, Symantec suggests sharing with Read Only access or using password protection, to ensure that the worm does not re-infect the computer after it has been removed.

How to run the tool:

- Double-click the FixMytob.exe file to start the removal tool.
- Click Start to begin the process, and then allow the tool to run.
- Restart the computer.
- Run the removal tool again to ensure that the system is clean.
- If you are running Windows Me/XP, then re-enable System Restore.
- If you are on a network or if you have a full-time connection to the Internet, reconnect the computer to the network or to the Internet connection.

About the worm

When W32.Mytob is executed, it performs the following actions:

  1. Creates a copy of itself as %System%\sky.exe.


  2. Adds the value:

    "WINDOWS SKY" = "sky.exe"

    to the registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

    so that the worm runs every time Windows starts.

  3. Harvests email addresses from files with the following extensions:

    • .adb*
    • .asp*
    • .dbx*
    • .htm*
    • .php*
    • .sht*
    • .tbb*
    • .wab

      Avoids sending a copy of itself to email addresses containing any of the following strings:

    • abuse
    • accoun
    • admin
    • administrator
    • anyone
    • bsd
    • bugs
    • certific
    • contact
    • fcnz
    • feste
    • gold-certs
    • google
    • help
    • hostmaster
    • icrosoft
    • help
    • info
    • linux
    • listserv
    • mail
    • nobody
    • noone
    • not
    • nothing
    • ntivi
    • page
    • postmaster
    • privacy
    • rating
    • register
    • root
    • samples
    • secur
    • service
    • site
    • soft
    • somebody
    • someone
    • submit
    • support
    • the.bat
    • unix
    • webmaster
    • you
    • your

      Avoids sending a copy of itself to email addresses that contain any of the following domain names:

    • .gov
    • .mil
    • acketst
    • arin.
    • berkeley
    • borlan
    • bsd
    • example
    • fido
    • foo.
    • fsf.
    • gnu
    • google
    • gov.
    • hotmail
    • iana
    • ibm.com
    • icrosof
    • ietf
    • inpris
    • isc.o
    • isi.e
    • kernel
    • linux
    • math
    • mit.e
    • mozilla
    • msn.
    • mydomai
    • nodomai
    • panda
    • pgp
    • rfc-ed
    • ripe.
    • ruslis
    • secur
    • sendmail
    • sopho
    • syma
    • tanford.e
    • unix
    • usenet
    • utgers.ed

  4. Prepends the following strings to harvested domain names in an attempt to find Simple Mail Transfer Protocol (SMTP) servers:

    • gate
    • mail
    • mail1
    • mx.
    • mx1
    • mxs
    • ns
    • relay
    • smtp

  5. Uses its own SMTP engine to send itself to the email addresses that it finds in the compromised computer. The email has the following characteristics:

      From:
      One of the following:

    • adam
    • alex
    • alice
    • andrew
    • anna
    • bill
    • bob
    • brenda
    • brent
    • brian
    • claudia
    • dan
    • dave
    • david
    • debby
    • fred
    • george
    • helen
    • jack
    • james
    • jane
    • jerry
    • jim
    • jimmy
    • joe
    • john
    • jose
    • julie
    • kevin
    • leo
    • linda
    • maria
    • mary
    • matt
    • michael
    • mike
    • peter
    • ray
    • robert
    • sam
    • serg
    • smith
    • stan
    • steve
    • ted
    • tom

      Notes:
    • The above strings may be followed by a domain that was found on the compromised computer.
    • The worm may also spoof an address from one of those found on the computer.

      Subject:
      One of the following:

    • Notice: **Last Warning**
    • SUSPENDED ACCOUNT
    • Your Email Account is Suspended For Security Reasons
    • Notice:***Your email account will be suspended***
    • Your Email Account Has been Blocked
    • *WARNING* Your email Account Will Be Closed
    • Security measures
    • Email Account Suspension
    • *IMPORTANT* Please Validate Your Email Account

      Message:
      One of the following:

    • Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
    • We have temporarily limited access to sensitive account features. Please see the attached document for more information
    • We have suspended some of your email services, to resolve the problem you should read the attached document.
    • To safeguard your email account from possible termination, Please follow the instructions in the attached file.
    • Account Information Are Attached!

      Attachment:
      One of the following:

    • email-info
    • email-doc
    • information
    • INFO
    • instructions
    • info-text

      with one of the following extensions:

    • .bat
    • .cmd
    • .exe
    • .pif
    • .scr
    • .zip

  6. May set up an FTP server on a random port.

  7. Opens a back door by connecting to an IRC channel on the irc.blackcarder.net domain. The worm then listens for commands that allow a remote attacker to perform any of the following actions:

    • Execute files.
    • Download files.
    • Remove, terminate, or update the worm.

  8. Blocks access to several security-related Web sites by appending the following text to the Hosts file:

    127.0.0.1 www.symantec.com
    127.0.0.1 securityresponse.symantec.com
    127.0.0.1 symantec.com
    127.0.0.1 www.sophos.com
    127.0.0.1 sophos.com
    127.0.0.1 www.mcafee.com
    127.0.0.1 mcafee.com
    127.0.0.1 liveupdate.symantecliveupdate.com
    127.0.0.1 www.viruslist.com
    127.0.0.1 viruslist.com
    127.0.0.1 viruslist.com
    127.0.0.1 f-secure.com
    127.0.0.1 www.f-secure.com
    127.0.0.1 kaspersky.com
    127.0.0.1 kaspersky-labs.com
    127.0.0.1 www.avp.com
    127.0.0.1 www.kaspersky.com
    127.0.0.1 avp.com
    127.0.0.1 www.networkassociates.com
    127.0.0.1 networkassociates.com
    127.0.0.1 www.ca.com
    127.0.0.1 ca.com
    127.0.0.1 mast.mcafee.com
    127.0.0.1 my-etrust.com
    127.0.0.1 www.my-etrust.com
    127.0.0.1 download.mcafee.com
    127.0.0.1 dispatch.mcafee.com
    127.0.0.1 secure.nai.com
    127.0.0.1 nai.com
    127.0.0.1 www.nai.com
    127.0.0.1 update.symantec.com
    127.0.0.1 updates.symantec.com
    127.0.0.1 us.mcafee.com
    127.0.0.1 liveupdate.symantec.com
    127.0.0.1 customer.symantec.com
    127.0.0.1 rads.mcafee.com
    127.0.0.1 trendmicro.com
    127.0.0.1 www.trendmicro.com
    127.0.0.1 www.grisoft.com
    127.0.0.1 www.microsoft.com
    127.0.0.1 www.virustotal.com
    127.0.0.1 virustotal.com
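The behaviour above leaves three indicators a defender can check for without the vendor tool: the Hosts-file entries from step 8 that send security vendors to loopback, the "WINDOWS SKY" = "sky.exe" persistence value from steps 1 and 2, and the lure mail from step 5 (one of the listed subjects together with an executable attachment). The following script is an added example written for this page, not Symantec's removal tool or Symantec's code. It runs offline on constructed sample data; on a real Windows host you would pass in the actual Hosts file text and the actual Run/RunServices values (read, for instance, with the standard winreg module). The domain list is a subset of step 8, reduced to registered domains so subdomains such as liveupdate.symantecliveupdate.com are matched too.

```python
"""Indicator checks for W32.Mytob, derived from the writeup above.

Added example; not Symantec's tool. Every input below is constructed.
"""
import ntpath
import re

# Registered domains from the Hosts-file list in step 8 (a subdomain of any of
# these counts as a hit).
SECURITY_DOMAINS = {
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "kaspersky-labs.com",
    "avp.com", "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com", "grisoft.com", "microsoft.com", "virustotal.com",
}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Persistence value (step 2) and dropped file name (step 1).
RUN_VALUE_NAME = "WINDOWS SKY"
RUN_FILE_NAME = "sky.exe"

# Lure subjects (step 5) and the attachment extensions the worm uses.
_RAW_SUBJECTS = [
    "Notice: **Last Warning**", "SUSPENDED ACCOUNT",
    "Your Email Account is Suspended For Security Reasons",
    "Notice:***Your email account will be suspended***",
    "Your Email Account Has been Blocked",
    "*WARNING* Your email Account Will Be Closed", "Security measures",
    "Email Account Suspension", "*IMPORTANT* Please Validate Your Email Account",
]
EXEC_EXTENSIONS = {".bat", ".cmd", ".exe", ".pif", ".scr", ".zip"}


def _norm(text):
    """Lower-case and drop punctuation so '*WARNING*' and 'warning' compare equal."""
    return tuple(re.sub(r"[^a-z0-9 ]+", " ", text.lower()).split())


LURE_SUBJECTS = {_norm(s) for s in _RAW_SUBJECTS}


def hosts_hijacks(hosts_text):
    """Return (ip, hostname) pairs that map a security vendor to loopback."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        parts = line.split()
        if len(parts) < 2 or parts[0] not in LOOPBACK:
            continue
        for name in parts[1:]:
            host = name.lower()
            if host == "localhost" or host.endswith(".localdomain"):
                continue                          # legitimate loopback names
            if any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS):
                hits.append((parts[0], host))
    return hits


def suspicious_run_values(run_values):
    """run_values: {value_name: data} as read from a Run or RunServices key.

    Flags the exact value name from step 2, or any data whose file name is sky.exe.
    """
    hits = []
    for name, data in run_values.items():
        exe = ntpath.basename(data.strip().strip('"')).lower()
        if name.strip().upper() == RUN_VALUE_NAME or exe == RUN_FILE_NAME:
            hits.append((name, data))
    return hits


def is_lure(subject, attachment_name):
    """True when the subject is one of the worm's and the attachment is executable."""
    ext = ntpath.splitext(attachment_name.lower())[1]
    return _norm(subject) in LURE_SUBJECTS and ext in EXEC_EXTENSIONS


# Constructed sample data (not taken from a real host).
SAMPLE_HOSTS = """# constructed sample Hosts file
127.0.0.1 localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
192.168.1.10 fileserver.corp.example
"""
SAMPLE_RUN = {
    "WINDOWS SKY": "sky.exe",
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
}

if __name__ == "__main__":
    for ip, host in hosts_hijacks(SAMPLE_HOSTS):
        print(f"hosts file redirects {host} to {ip}")
    for name, data in suspicious_run_values(SAMPLE_RUN):
        print(f"Run value {name!r} = {data!r} matches W32.Mytob persistence")
    print("lure:", is_lure("SUSPENDED ACCOUNT", "email-info.pif"))
```

The Hosts check deliberately ignores the `localhost` line and only reports loopback mappings, since a legitimate administrator block list would more often use a sinkhole address than 127.0.0.1 for vendor update servers; the registry check matches on the file name rather than the full path because the value data in step 2 is a bare "sky.exe".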
 
© 2004-2007 Daita.org