Summary of W32/Mytob.EK@mm
Mytob.gen is detected by using generic detection. As a result, behavior and file names can differ between various Mytob.gen detections.
Mytob is a worm that spreads by mass-mailing itself to addresses found on the victim computer.
Mytob starts by initializing network sockets; if that fails, it exits. It then creates a mutex to ensure that only one copy is running at a time. If it fails to create the mutex it exits, which usually means that another copy of Mytob using the same mutex name is already running.
Mytob copies itself to the system directory under a different name and adds itself to the registry to ensure it is run on every startup.
Mytob drops several files into the root of the C: drive, usually under one of the following names:
Mytob also modifies the HOSTS file, which maps domain names to IP addresses, so that the user cannot access common security web sites, including www.microsoft.com. This is probably done to block virus signature updates and downloads.
Mytob gathers e-mail addresses from the affected computer and then sends itself to these addresses in forged e-mails.
When active, and when the infected computer is connected to the Internet, the worm connects to an IRC botnet. While on the botnet the victim's computer can be ordered to carry out DoS attacks, download and execute programs (spreading new malware anonymously), and perform other malicious actions.
The worm is also capable of disabling the Windows firewall and of dropping and executing other malware. However, this behavior varies between Mytob variants.
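The HOSTS-file tampering described above is easy to check for on a suspect machine. The following script is an added example (not part of the original description): it parses HOSTS content and flags any entry that pins a security vendor domain to an address, since such domains should normally resolve through DNS. Only www.microsoft.com comes from the page; the other watched names and the sample HOSTS content are constructed for illustration.

```python
"""Flag HOSTS-file entries that hijack security vendor domains."""
import ipaddress

# Domains that update/AV traffic depends on. www.microsoft.com is named in the
# description above; the remaining entries are assumptions for this example.
WATCHED_DOMAINS = {
    "www.microsoft.com",
    "windowsupdate.microsoft.com",
    "www.f-prot.com",
}


def parse_hosts(text):
    """Yield (ip, hostname, lineno) for every mapping in HOSTS content.

    Comments (after '#') and blank or malformed lines are skipped, so the
    standard Microsoft header comment does not produce false hits.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an IP address: not a mapping
        for host in parts[1:]:
            yield str(ip), host.lower(), lineno


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return watched domains that the HOSTS file pins to any address.

    Any static mapping for these names is suspect, whether it points to
    loopback, 0.0.0.0 or an attacker-chosen host.
    """
    return [
        {"line": lineno, "host": host, "ip": ip}
        for ip, host, lineno in parse_hosts(text)
        if host in watched
    ]


# Constructed sample: a legitimate localhost line plus two worm-style entries.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.microsoft.com
0.0.0.0 www.f-prot.com   # added by malware
10.0.0.5 intranet.example
"""

if __name__ == "__main__":
    for hit in find_hijacks(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']}")
```

On a live Windows system, pass the contents of %SystemRoot%\System32\drivers\etc\hosts to find_hijacks instead of the sample text.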
Removal Instructions
For general removal instructions, please see the general removal instructions page.
Guidelines on Safe Computing
- Make sure you always have the latest version of F-Prot Antivirus installed on your computer and update the virus signature files regularly.
- Be extremely careful when opening e-mail from anyone you do not know. Attachments are especially dangerous. Never run an attachment unless you know exactly what it is, even if it appears to have been sent to you by someone you know. Most worms have the ability to falsify the "From" address.
- Make sure that your operating system is up-to-date. If you are using Windows, use Windows Automatic Updates and download the service packs when they are released. For more information on keeping Windows up-to-date, please visit the Windows Update web site.
- If you are using Internet Explorer / Outlook Express or Office / Outlook, make sure that you always have the latest versions. Old versions may contain security holes that are used by virus writers to access your computer. Please visit the Windows Update web site to update Internet Explorer and Outlook Express, and the Office Update web site to update Office and Outlook.
- Use a firewall. When you are browsing the Internet, the firewall creates a shield between your computer and possible malicious content on the Internet.
- Scan all removable media (CD-ROMs, floppy disks, USB keys, external hard drives etc.) before you open or run any content on it.
- Scan all files that you receive through IRC, MSN, ICQ, Kazaa and other such on-line services.
- Use software that detects adware and spyware.