FRISK Software International

Summary of W32/Mytob.EK@mm
Risk Level: Low
Jump to:
Brief description
Removal Instructions

Brief Description

Mytob.gen is detected by using generic detection. As a result, behavior and file names can differ between various Mytob.gen detections.

Mytob is a worm that spreads by mass-mailing itself to addresses found on the victim computer.
Mytob starts by initiating network sockets, if that fails it exits. It creates a Mutex to ensure that only one copy is running at the time, if it fails to create the mutex then it exits, this usually means that there is already another Mytob running using the same mutex name.
Mytob copies itself to the system directory under a different name and adds itself to the registry to ensure it is run on every startup.

Mytob drops several files into the root of the C: drive, usually under one of the following names:


Mytob also modifies the HOSTS file that resolves domain names to IPs so that the user cannot access common security pages, including Probably to block virus signature updates and/or downloads.

Mytob gathers e-mail addresses from the affected computer and then sends itself to these addresses in forged e-mails.

When active, and when the infected computer is connected to the Internet, the worm connects to a IRC bot-net. While on the bot-net the victims computer can be ordered to do DOS attacks, download programs and execute them(spreading new malware anonymously) and/or do other malicous deeds.

The worm is also capable of disabling the Windows firewall and dropping other malware and executing these. However, this behavior varies between Mytob variants.

Removal Instructions
For general removal instructions please click here.

Guidelines on Safe Computing
  • Make sure you always have the latest version of F-Prot Antivirus installed on your computer and update the virus signature files regularly:

  • Be extremely careful when opening e-mail from anyone you do not know. Attachments are especially dangerous. Never run an attachment unless you know exactly what it is, even if it appears to have been sent to you by someone you know. Most worms have the ability to falsify the "From" address.

  • Make sure that your operating system is up-to-date. If you are using Windows, use Windows Automatic Updates and download the service packs when they are released. For more information on keeping Windows up-to-date, please visit Microsoft's Windows Update web site.

  • If you are using Internet Explorer / Outlook Express or Office / Outlook, make sure that you always have the latest versions. Old versions may contain security holes that are used by virus writers to access your computer. Please visit Microsoft's Windows Update web site to update Internet Explorer and Outlook Express and Microsoft's Office Update web site to update Office and Outlook.

  • Use a firewall. When you are browsing the Internet, the firewall creates a shield between your computer and possible malicious content on the Internet. For more information click here.

  • Scan all removable media (CD-ROMs, floppy disks, USB keys, external hard drives etc.) before you open or run any content on it.

  • Scan all files that you receive through the IRC, MSN, ICQ, Kazaa and other such on-line services.

  • Use software that detects ad-ware and spyware. For more information click here.


Stay up to date with important developments via e-mail.
Stay up to date with life cycle policies for F-PROT Antivirus for Windows.
Virus news and information directly to your desktop.
Definitions of common antivirus terminology.
For further virus information, please try our partners' websites:


perComp Verlag
(in German)