New worm warning: MYTOB.MX


Trend Micro wrote:
Yellow Alert - WORM_MYTOB.MX - 24.11.2005 (Yellow Alert):
Trend Micro has declared a Yellow outbreak regarding a new variant of the Sober worm: WORM_MYTOB.MX.
This memory-resident worm propagates by sending a copy of itself as an attachment to an email message, which it sends to target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine. Through this SMTP engine, it is able to easily send the said email message even without using other mailing applications, such as Microsoft Outlook.
This worm gathers target email addresses from the Temporary Internet Files folder, as well as from files with certain extension names. Moreover, this worm obtains target recipients from the user's Windows Address Book (WAB). Users who receive the malicious email may think that it comes from a known source. Thus, they confidently run the attachment.
It may spoof the From field of the email message that it sends using a list of familiar names as part of its social engineering technique.
It also queries the message exchange servers of the gathered email addresses by appending the domain names of the said email addresses to certain strings.
This worm also propagates via network shares. It searches for available shared folders within the network and attempts to drop copies of itself into these shares. It also generates random IP addresses and attempts to drop copies of itself into the said addresses' default shares. It uses the account details of the currently logged-in user to gain access to password-protected shares.
This worm also has backdoor capabilities. Using varying ports, it connects to an Internet Relay Chat (IRC) server and joins a specific IRC channel, where it listens for commands from a remote malicious user. The said routine provides remote users with virtual control over affected systems, thus compromising system security.
It can also set up a File Transfer Protocol (FTP) server using a random port. Once the affected system is transformed into an FTP server, it can be used by the remote user to download and upload files without the user's knowledge or consent.
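The quoted alert describes three network behaviours that are visible from outside the infected machine: an own SMTP engine talking to many mail servers directly, probes of default shares on randomly generated addresses, and an outbound IRC connection for the backdoor. As an added example (my own sketch, not part of the Trend Micro alert or of any Trend Micro tool), the following Python heuristic turns those three behaviours into a per-host check over connection records. The relay address, the port list, the thresholds and the sample flows are all assumptions constructed for the illustration; the worm's real IRC port is described only as "varying", so the port match is a hint, not a signature.

```python
from collections import defaultdict
import ipaddress

# Assumed site-specific values for this illustration; tune them to your own network.
MAIL_RELAY = "192.168.1.25"      # the one host legitimate clients send SMTP through
DIRECT_SMTP_MIN = 10             # distinct non-relay port-25 peers before a host is flagged
SHARE_SUBNET_MIN = 10            # distinct /24s probed on 139/445 before a host is flagged
IRC_PORTS = range(6660, 6670)    # common IRC ports; the alert says the port varies, so only a hint

CLEAN = "192.168.1.10"           # constructed: a well-behaved workstation
INFECTED = "192.168.1.50"        # constructed: a host showing the worm's profile


def build_sample_flows():
    """Constructed (src_ip, dst_ip, dst_port) records, not captured traffic."""
    flows = []
    # Clean host: mail only via the relay, file access to two servers in one subnet.
    flows += [(CLEAN, MAIL_RELAY, 25)] * 5
    flows += [(CLEAN, "192.168.1.200", 445), (CLEAN, "192.168.1.201", 139)]
    # Infected host: own SMTP engine delivering straight to 12 remote mail servers.
    flows += [(INFECTED, f"203.0.113.{i + 1}", 25) for i in range(12)]
    # Infected host: SMB probes scattered over 15 different /24s (random IP generation).
    flows += [(INFECTED, f"10.{i}.{i * 3}.{(i * 37) % 254 + 1}", 445) for i in range(15)]
    # Infected host: one outbound IRC session for the backdoor channel.
    flows.append((INFECTED, "192.0.2.7", 6667))
    return flows


def analyze_flows(flows, mail_relay=MAIL_RELAY):
    """Summarize per-source behaviour and return {src_ip: [reasons]} for hosts
    whose traffic matches the worm's network profile."""
    stats = defaultdict(lambda: {"smtp_peers": set(), "share_subnets": set(), "irc_peers": set()})
    for src, dst, port in flows:
        s = stats[src]
        if port == 25 and dst != mail_relay:
            # Own SMTP engine: many remote MX hosts instead of the site relay.
            s["smtp_peers"].add(dst)
        elif port in (139, 445):
            # Share propagation: spread across many /24s suggests random targets.
            s["share_subnets"].add(ipaddress.ip_network(f"{dst}/24", strict=False))
        elif port in IRC_PORTS:
            s["irc_peers"].add(dst)

    findings = {}
    for src, s in stats.items():
        reasons = []
        if len(s["smtp_peers"]) >= DIRECT_SMTP_MIN:
            reasons.append(f"direct SMTP to {len(s['smtp_peers'])} hosts bypassing relay")
        if len(s["share_subnets"]) >= SHARE_SUBNET_MIN:
            reasons.append(f"SMB probes across {len(s['share_subnets'])} /24 networks")
        if s["irc_peers"]:
            reasons.append("IRC connection to " + ", ".join(sorted(s["irc_peers"])))
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in analyze_flows(build_sample_flows()).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

Of the three signals, direct SMTP from a workstation is the most robust: any worm with its own SMTP engine has to reach remote port 25, and an egress rule that allows port 25 only from the mail relay both detects and blocks it. The share-probe count is sensitive to threshold choice on networks with many legitimate file servers, and the IRC check should be backed by a proxy or IDS that inspects the protocol rather than the port.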