
Net-Worm.Win32.Mytob.bi

Detected Dec 24 2005 12:17 GMT
Released Jan 20 2010 17:08 GMT
Published Dec 24 2005 12:17 GMT

Technical Details

This network worm is typical of the Mytob family. It infects computers running under Windows. It spreads via the Internet as an attachment to infected messages, and includes a backdoor program which receives commands via IRC channels.

Installation

Once launched, the worm copies itself to the Windows system directory. It also registers itself in the Windows system registry, ensuring that the worm will be launched each time Windows is rebooted on the victim machine.

Propagation via email

The worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim machine.

Infected messages

Payload

Net-Worm.Win32.Mytob.bi opens a TCP port on the victim machine to contact IRC channels and receive commands. This gives a remote malicious user full access to the victim machine via IRC channels, making it possible to retrieve information from the infected computer and to download, launch and delete files.

The worm also terminates processes connected with antivirus solutions, firewalls, and other security programs.

The worm also modifies the %System%\drivers\etc\hosts file in order to block access to antivirus vendors' sites from the victim machine.
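A defender's check for the hosts-file tampering described above: the script below parses a hosts file and flags entries that either name a security vendor domain or sinkhole a non-localhost name to a loopback or unspecified address. This is an added example written for this page, not Kaspersky Lab's code; the vendor domain list and the sample hosts content are constructed for the example.

```python
import ipaddress
import re

# Vendor domains a defender expects tampering to target (assumption for this
# example; extend with the update and vendor hosts used in your environment).
SECURITY_DOMAINS = {
    "kaspersky.com", "symantec.com", "mcafee.com", "sophos.com",
    "trendmicro.com", "avast.com", "avp.com", "windowsupdate.com",
}

def _is_sinkhole(addr: str) -> bool:
    """True for loopback (127.x, ::1) or unspecified (0.0.0.0, ::) targets."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def _matches_security_domain(hostname: str) -> bool:
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)

def find_suspicious_hosts_entries(hosts_text: str) -> list:
    """Return (line_no, address, hostname) tuples for entries that map a
    security vendor domain anywhere, or sinkhole any non-localhost name."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = re.split(r"\s+", line)
        addr, names = fields[0], fields[1:]
        for name in names:
            local_name = name.lower() in {"localhost", "localhost.localdomain"}
            if _matches_security_domain(name) or (_is_sinkhole(addr) and not local_name):
                findings.append((line_no, addr, name))
    return findings

# Constructed sample hosts file: one legitimate localhost line plus entries of
# the kind the worm writes (vendor and update names pointed at loopback).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       www.kaspersky.com
0.0.0.0         liveupdate.symantec.com  # added by malware
127.0.0.1       update.example.org
"""

if __name__ == "__main__":
    for line_no, addr, name in find_suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {addr} -> {name}")
```

On a Windows host, run it against the contents of %System%\drivers\etc\hosts; an entry flagged only because of a sinkhole address is worth confirming against the machine's expected local overrides before treating it as tampering.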


Net-Worm

Net-Worms propagate via computer networks. The distinguishing feature of this type of worm is that it does not require user action in order to spread.

This type of worm usually searches for critical vulnerabilities in software running on networked computers. In order to infect the computers on the network, the worm sends a specially crafted network packet (called an exploit) and as a result the worm code (or part of the worm code) penetrates the victim computer and activates. Sometimes the network packet only contains the part of the worm code which will download and run a file containing the main worm module. Some network worms use several exploits simultaneously to spread, thus increasing the speed at which they find victims.



Aliases

Net-Worm.Win32.Mytob.bi (Kaspersky Lab) is also known as:

  • Net-Worm.Win32.Mytob.bz (Kaspersky Lab)
  • Virus: W32/Polybot@MM (McAfee)
  • W32/Mytob-DN (Sophos)
  • Worm.Mytob.FG (ClamAV)
  • Malicious Packer (Panda)
  • W32/Mytob.GW@mm (FPROT)
  • Worm:Win32/Gaobot (MS(OneCare))
  • Win32.HLLW.Agobot (DrWeb)
  • Win32/Mytob.FY worm (Nod32)
  • Win32.Worm.Mytob.BI (BitDef7)
  • Worm.Agobot.Wonk (VirusBuster)
  • Win32:Mytob-GI [Wrm] (AVAST)
  • Backdoor.Win32.Agobot (Ikarus)
  • I-Worm/Mytob.JU (AVG)
  • WORM/Mytob.HE (AVIRA)
  • W32.Gaobot.gen!poly (NAV)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • Worm.Mytob.fr (Rising)
  • Mal_Bot (TrendMicro)
  • Worm.Agobot.Wonk (VirusBusterBeta)