W32/Mytob.D creates the mutex "D66" to make sure only one instance of the worm is running.
Prepends the following strings to the recipient's domain name, in an attempt to locate a mail server for that domain:
gate.
ns.
relay.
mail1.
mxs.
mx1.
smtp.
mail.
mx.
Filesystem
Copies itself to "%WINDIR%\system32\wfdmgr.exe" and executes it.
Searches available hard drives for files with the following extensions:
wab
pl
adb
tbb
dbx
asp
php
sht
htm
and tries to harvest e-mail addresses from them.
Registry
Adds the value:
"LSA"="wfdmgr.exe"
to the following keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
[HKEY_CURRENT_USER\Software\Microsoft\OLE]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa]
to make sure it runs every time Windows is started. Only the Run and RunServices keys are processed at startup; a value named "LSA" under the Ole and Lsa keys is not executed by Windows, but it is still a reliable indicator of infection.
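The registry indicators above can be checked offline against a .reg export of a suspect machine (for example one produced with reg export). The following is an added example, not code from the original description or from the vendor; the sample export is constructed for illustration, and the parser only handles plain string values, which is all the worm writes. It also separates the keys that actually start the worm from the ones that merely carry the same value as a marker.

```python
import re

# Keys from the description. Registry key names are case-insensitive,
# so all comparisons below are done in lower case.
MYTOB_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa",
]
MYTOB_KEYS_LOWER = {k.lower() for k in MYTOB_KEYS}
# Only the Run/RunServices keys are executed at startup; the other four
# just carry the same value as an infection marker.
AUTOSTART_KEYS = {k for k in MYTOB_KEYS_LOWER
                  if k.endswith(("\\run", "\\runservices"))}
VALUE_NAME = "lsa"
PAYLOAD = "wfdmgr.exe"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
STRING_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def find_mytob_indicators(reg_text):
    """Scan .reg export text and return (key, value name, data) for every
    string value named LSA that points at wfdmgr.exe under a listed key."""
    hits = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        value_match = STRING_VALUE_RE.match(line)
        if not value_match or current_key is None:
            continue  # header, blank line, or a hex/dword value
        name, data = value_match.group("name"), value_match.group("data")
        if (current_key.lower() in MYTOB_KEYS_LOWER
                and name.lower() == VALUE_NAME
                and PAYLOAD in data.lower()):
            hits.append((current_key, name, data))
    return hits


def summarize(reg_text):
    """Split hits into keys that start the worm and keys used as markers."""
    result = {"autostart": [], "marker": []}
    for key, _, _ in find_mytob_indicators(reg_text):
        bucket = "autostart" if key.lower() in AUTOSTART_KEYS else "marker"
        result[bucket].append(key)
    return result


# Constructed sample export: two clean entries, three worm entries, and an
# unrelated "LSA" value that must not be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"LSA"="wfdmgr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
"LSA"="wfdmgr.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,00
"LSA"="wfdmgr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"LSA"="C:\\Tools\\unrelated.exe"
"""

if __name__ == "__main__":
    for key, name, data in find_mytob_indicators(SAMPLE_REG):
        print(f'{key}: "{name}"="{data}"')
    print(summarize(SAMPLE_REG))
```

Run it against a real export after converting the file from UTF-16 (reg export writes UTF-16 with a BOM), and treat any "marker" hit as equally conclusive: the worm writes all seven keys, so a marker hit without a matching Run entry usually means the autostart value was already removed while the file is still present.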
Queries the key:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager]
to try to locate a mail server.
Mail routine
Sends itself as an attachment to an e-mail with the following characteristics:
The worm may spoof the e-mail so that it looks like it is coming from an e-mail address %name%@%domain%
where %name% is one of the following:
sandra
linda
julie
jimmy
jerry
helen
debby
claudia
brenda
anna
alice
brent
adam
ted
fred
jack
bill
stan
smith
steve
matt
dave
dan
joe
jane
bob
robert
peter
tom
ray
mary
serg
brian
jim
maria
leo
jose
andrew
sam
george
david
kevin
mike
james
michael
alex
john
and %domain% is one of the following:
hotmail.com
yahoo.com
msn.com
aol.com
Subject is one of the following:
Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
hi
Attaches itself as the file %filename%.%ext%, where %filename% is one of the following:
body
message
test
data
file
text
doc
readme
document
and %ext% is one of the following:
bat
cmd
exe
scr
pif
doc
txt
htm
tmp
zip
Avoids sending itself to e-mail addresses containing the following strings:
accoun
certific
listserv
ntivi
support
icrosoft
admin
page
the.bat
gold-certs
ca
feste
submit
not
help
service
privacy
somebody
no
soft
contact
site
rating
bugs
me
you
your
someone
anyone
nothing
nobody
noone
webmaster
postmaster
samples
info
root
be_loyal:
mozilla
utgers.ed
tanford.e
pgp
acketst
secur
isc.o
isi.e
ripe.
arin.
sendmail
rfc-ed
ietf
iana
usenet
fido
linux
kernel
google
ibm.com
fsf.
gnu
mit.e
bsd
math
unix
berkeley
foo.
.mil
gov.
.gov
ruslis
nodomai
mydomai
example
inpris
borlan
sopho
panda
hotmail
msn.
icrosof
syma
avp
.edu
abuse
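The mail-server guessing prefixes, the spoofed sender/subject/attachment templates and the recipient exclusion list above can be turned into a small mail-gateway check. The following is an added example, not code from the description or the vendor; it copies the lists verbatim and assumes that the worm applies the exclusion list as a case-insensitive substring match over the whole address and matches subject and attachment names case-insensitively, which the description does not state explicitly. The sample addresses are constructed.

```python
from email.utils import parseaddr

# Lists copied from the description above, all in lower case.
MX_PREFIXES = ["gate.", "ns.", "relay.", "mail1.", "mxs.", "mx1.",
               "smtp.", "mail.", "mx."]
SENDER_NAMES = set("""sandra linda julie jimmy jerry helen debby claudia brenda
anna alice brent adam ted fred jack bill stan smith steve matt dave dan joe jane
bob robert peter tom ray mary serg brian jim maria leo jose andrew sam george
david kevin mike james michael alex john""".split())
SENDER_DOMAINS = {"hotmail.com", "yahoo.com", "msn.com", "aol.com"}
SUBJECTS = {"error", "status", "server report", "mail transaction failed",
            "mail delivery system", "hello", "hi"}
ATTACHMENT_NAMES = {"body", "message", "test", "data", "file", "text", "doc",
                    "readme", "document"}
ATTACHMENT_EXTS = {"bat", "cmd", "exe", "scr", "pif", "doc", "txt", "htm",
                   "tmp", "zip"}
EXCLUDE_SUBSTRINGS = """accoun certific listserv ntivi support icrosoft admin page
the.bat gold-certs ca feste submit not help service privacy somebody no soft
contact site rating bugs me you your someone anyone nothing nobody noone
webmaster postmaster samples info root be_loyal: mozilla utgers.ed tanford.e
pgp acketst secur isc.o isi.e ripe. arin. sendmail rfc-ed ietf iana usenet fido
linux kernel google ibm.com fsf. gnu mit.e bsd math unix berkeley foo. .mil
gov. .gov ruslis nodomai mydomai example inpris borlan sopho panda hotmail
msn. icrosof syma avp .edu abuse""".split()


def mail_server_candidates(address):
    """Host names the worm tries for a recipient's domain, in list order."""
    domain = address.rpartition("@")[2].lower()
    return [prefix + domain for prefix in MX_PREFIXES]


def is_excluded(address):
    """Return the first exclusion substring found in the address, or None.
    Assumption: case-insensitive substring match over the whole address."""
    lowered = address.lower()
    for needle in EXCLUDE_SUBSTRINGS:
        if needle in lowered:
            return needle
    return None


def looks_like_mytob_mail(from_header, subject, attachment_name):
    """True when sender, subject and attachment all fit the templates."""
    _, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    base, _, ext = attachment_name.lower().rpartition(".")
    return (local in SENDER_NAMES and domain in SENDER_DOMAINS
            and subject.strip().lower() in SUBJECTS
            and base in ATTACHMENT_NAMES and ext in ATTACHMENT_EXTS)


if __name__ == "__main__":
    # Constructed sample data.
    for addr in ["support@example.org", "rebecca@corp.test", "jdoe@corp.test"]:
        print(addr, "->", is_excluded(addr))
    print(mail_server_candidates("jdoe@corp.test"))
    print(looks_like_mytob_mail("Jerry <jerry@yahoo.com>", "hi", "doc.scr"))
```

Two things worth noticing when running it: very short entries such as "ca", "me" and "no" exclude far more addresses than their apparent targets (rebecca@corp.test is skipped because of "ca"), and the exclusion list makes any trap address containing "abuse", "postmaster" or ".edu" useless for catching this worm. The template check is deliberately strict (all three fields must match) so that it can sit in front of a mail gateway without flagging ordinary "hi" messages from webmail users.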