FANDOM


The Sdbot functionality in the worm is designed to contact the IRC server named, irc.blackcarder.net , join a specified channel, and wait for further instructions. This bot can accept commands to download and execute other programs. The bot also contains code to spread via the LSASS exploit http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Operations by the Mytob worm.Edit

The mailing component harvests address from the local system. Files with the following extensions are targeted:

  • wab
  • adb
  • tbb
  • dbx
  • asp
  • php
  • sht
  • htm
  • txt
  • pl

The worm avoids certain address, those using the following strings:

  • .gov
  • .mil
  • abuse
  • acketst
  • arin.
  • avp
  • berkeley
  • borlan
  • bsd
  • example
  • fido
  • foo.
  • fsf.
  • gnu
  • google
  • gov.
  • hotmail
  • iana
  • ibm.com
  • icrosof
  • ietf
  • inpris
  • isc.o
  • isi.e
  • kernel
  • linux
  • math
  • mit.e
  • mozilla
  • msn.
  • mydomai
  • nodomai
  • panda
  • pgp
  • rfc-ed
  • ripe.
  • ruslis
  • secur
  • sendmail
  • sopho
  • syma
  • tanford.e
  • unix
  • usenet
  • utgers.ed

Additionally, the worm contains strings, which it uses to randomly generate, or guess, email addresses. These are prepended as user names to harvested domain names:

  • sandra
  • linda
  • julie
  • jimmy
  • jerry
  • helen
  • debby
  • claudia
  • brenda
  • anna
  • alice
  • brent
  • adam
  • ted
  • fred
  • jack
  • bill
  • stan
  • smith
  • steve
  • matt
  • dave
  • dan
  • joe
  • jane
  • bob
  • robert
  • peter
  • tom
  • ray
  • mary
  • serg
  • brian
  • jim
  • maria
  • leo
  • jose
  • andrew
  • sam
  • george
  • david
  • kevin
  • mike
  • james
  • michael
  • john
  • alex

Finally the virus sends itself via SMTP - constructing messages using its own SMTP engine. The worm guesses the recipient email server, prepending the target domain name with the following strings:

  • mx.
  • mail.
  • smtp.
  • mx1.
  • mxs.
  • mail1.
  • relay.
  • ns.

AliasesEdit

Net-Worm.Win32.Mytob (AVP), W32.Mytob, W32/Mytob

Ad blocker interference detected!


Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.