First discovered in February 2005, the sheer number of Mytob worm variants quickly outpaced the combined totals of the Bagle/Netsky worm wars in early 2004.
The Mytob variants are mass-mailing email worms that compromise system security by terminating processes related to various antivirus software and modifiying the Registry to disable the XP SP2 firewall. Additionally, Mytob modifies the local HOSTS file, redirecting attempts to access certain antivirus and security websites to 127.0.0.1, the local loopback address. This can prevent infected users from obtaining the necessary updates for detection and removal.
Mytob is so named because it contains functional characteristics of both the MyDoom email worm and the Sdbot IRCbot Trojan. The IRCbot capability allows attackers remote access to compromised systems. Some variants also exploit the LSASS vulnerability (MS04-011) and the RCP/DCOM vulnerability (MS03-026), as well as exploiting weak passwords on shared folders and drives.
Prevention
An ounce of prevention truly is worth a pound of cure. Once Mytob gains a foothold, it can prevent antivirus software from detecting and removing it. Your best bet is to make sure it never gets that chance.
- Keep your antivirus software up-to-date, keep realtime protection enabled, and scan your entire system at least weekly.
Top picks for antivirus software - Periodically test your antivirus software with the EICAR test file.
Making and using EICAR - Do not open attachments received unexpectedly, even from someone you know. Most email worms spoof the From address so they nearly always appear to be from someone you know.
More email safety tips - Protect your HOSTS file from unauthorized modifications.
How to protect the HOSTS file - Make sure your Windows patches are up-to-date
Windows Update Center - Check to ensure your firewall is functioning properly.
ShieldsUp!
