Wednesday, April 06, 2005

- A wave of variants of the Mytob worm -

MADRID, April 5 2005. PandaLabs has detected the appearance of four new variants (S, U, V and W) of the Mytob worm in just a few hours.

All of these variants have backdoor Trojan characteristics, i.e. they leave a backdoor open on the system to receive commands. This process is not carried out directly, but using servers called (in the case of variants S, U and W), and, which is used by MyTob.V. This allows their creator to take control of any computers infected with these variants of Mytob.

One of the greatest dangers of this worm lies in its ability to modify system "hosts" files. It does this to prevent users connecting to the web pages of certain antivirus developers. Because of this modification, infected users won't be able to receive the updates needed to eliminate this malicious code.

The worm uses three different methods to spread:

- Exploiting the known LSASS vulnerability, published and corrected by Microsoft in the MS04-011 security bulletin, available at

- Through shared resources protected with weak passwords, i.e. ones that are easy to guess.

- By email. Sending messages with an attachment containing the Mytob code with one of the following extensions: .bat, .exe, .pif, .scr or .zip. The attached file could be called Data, Doc, Document, File, Readme, Text or Body, among others.

It sends itself to addresses it finds on the infected system in files with .adb,.asp, .dbx, .htm, .php, .pl, .sht and .tbb extensions and in the Windows address book. The extensions used depend on the variant of Mytob. As is becoming common practice with malicious code that spreads by email, the address of the sender is spoofed to help prevent infected computers from being rapidly pinpointed.

Mytob does not send itself out to certain email addresses (including those that contain the word "panda"), in an attempt, albeit unsuccessful, to impede its detection.

To prevent more than one copy of the worm running at the same time on the system, it creates different mutex, which vary according to the specific version of Mytob. The S version creates the mutex "ggmutexk2", the U variant creates "ggmutexk1", the V version "H-E-L-L-B-O-T-2-BY-DIABLO" and the W variant creates a mutex called "H-E-L-L-B-O-T".

As is becoming common lately, the author or authors of these worms are trying to unleash the largest number of malicious code possible in order to increase the probability of computers being infected. This time, as these are worms that allow remote control of affected computers, it is obvious that their aim is to create a network of computers that can be controlled at the same time. This would allow the attacker to carry out many different malicious actions, from mass installing other malware, like keyloggers or spyware, to creating 'zombies' for sending out spam.

Users can scan and disinfect their computers online for free with Panda ActiveScan, available at