| Name | Win32.Mytob.qg |
| Threat Level |  |
| Alias | Win32.Mytob.qg, WORM_MYTOB.QG |
| Date | 30 April, 2006 |
| Type | Win32, Worm, Trojan |
| Damage | Create files, Send Email, Lowers security |
| Platform | Win 95, Win 98, Win ME, Win NT, Win 2K, Win XP |
| Analysis |
Win32.Mytob.qg is a mass-mailing worm that also lowers the system's security settings.
The arriving email will have the following characteristics:

Subject: blank, completely random, or one of the following:
- You have successfully updated your password
- Your new account password is approved
- Your password has been successfully updated
- Your password has been updated

Message body: usually pre-generated by the virus from an internal list.

Attached file: one of the following names:
- accepted-password
- account-password
- approved-password
- email-password
- new-password
- password
- updated-password

followed by .doc, .tmp or .txt, and then a final .exe extension (so the attachment name carries a double extension).
Malicious activity
When the worm is executed, it does the following:
1. It drops a copy of itself into the default Windows System folder as winhlpapi.exe.
2. To run on every startup, it modifies the following registry entries:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WINDOWS" = "\winhlpapi.exe"
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "WINDOWS" = "\winhlpapi.exe"
3. It then lowers the system's security by disabling the Windows XP firewall through the following registry entry (a Start value of 4 marks the SharedAccess service, which hosts the firewall, as disabled):
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess "Start" = "00000004"
4. Finally, the worm harvests the system for email addresses and sends copies of itself to every address found (although the worm skips some addresses).
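A defender-side check for the indicators listed above, written as an added example that is not part of the original advisory: the mail-side function matches the subject lines and the double-extension attachment names, and the host-side function evaluates a registry snapshot for the Run/RunServices persistence entry and the disabled SharedAccess service. It assumes the snapshot is a dict of key path to value-name/data pairs produced by some parser of a .reg export (that parser is not shown).

```python
import re
from typing import Dict, Iterable, List

# Indicators taken from the advisory above.
SUBJECTS = {
    "you have successfully updated your password",
    "your new account password is approved",
    "your password has been successfully updated",
    "your password has been updated",
}
ATTACHMENT_NAMES = ("accepted-password", "account-password", "approved-password",
                    "email-password", "new-password", "password", "updated-password")
# <name>.<doc|tmp|txt>.exe, i.e. a double extension, matched case-insensitively.
ATTACHMENT_RE = re.compile(
    r"^(?:" + "|".join(map(re.escape, ATTACHMENT_NAMES)) + r")\.(?:doc|tmp|txt)\.exe$",
    re.IGNORECASE)
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices")
SHAREDACCESS_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess"


def score_mail(subject: str, attachments: Iterable[str]) -> List[str]:
    """Mail-side indicators matched by one message. A blank or random subject is
    too common to report on its own; the attachment name is the real signal."""
    hits = ["subject"] if subject.strip().lower() in SUBJECTS else []
    hits += ["attachment:" + a for a in attachments if ATTACHMENT_RE.match(a.strip())]
    return hits


def check_registry(snapshot: Dict[str, Dict[str, str]]) -> List[str]:
    """Host-side findings from a {key path: {value name: data}} snapshot, for
    example one parsed from a .reg export (the parser is assumed, not shown)."""
    findings = []
    for key in RUN_KEYS:
        data = snapshot.get(key, {}).get("WINDOWS", "")
        if data.lower().endswith("winhlpapi.exe"):
            findings.append("persistence: " + key + "\\WINDOWS = " + data)
    start = snapshot.get(SHAREDACCESS_KEY, {}).get("Start", "")
    # Start = 4 (SERVICE_DISABLED) keeps the firewall/ICS service from loading.
    try:
        disabled = int(start, 16) == 4
    except ValueError:
        disabled = False
    if disabled:
        findings.append("firewall service disabled: SharedAccess Start = " + start)
    return findings
```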
eSafe users: eSafe users are protected against this vandal using the latest vandal/virus update.
A new vandal/virus update is available. Update date: April 30, 2006. Update version: SV150.
eSafe Gateway and eSafe Mail users: your product will be automatically updated. You can also use the "Update now" option from within the product eConsole.
New users: more information about eSafe Content Security Products, as well as trial versions, is available from here.