Created: 2007-06-25, 20:34:22
Last updated on: 2010-11-26, 09:30:52

Platform: Win32 Type: worm Size: 50838
Date: 2005-04-19

Compressor: UPack
Language: Visual C++
Endangered operating system(s): Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000 all...
Non-endangered operating system(s): Windows 3.xx, DOS, Linux, Unix, Solaris all...


The different antivirus applications use different names for the individual viruses and worms. Sometimes an antivirus application identifies the same individual malware using different names for different copies or different viruses and worms are identified with the same name. The informative list below contains the names for the malware given by the most popular antivirus applications. The names can vary using the different versions of the same antivirus application.

antivirus naming
Avast Win32:Mytob-AW
AVG I-Worm/Mytob.BF
BitDefender Win32.Worm.Mytob.M
e-Trust Win32/Mytob.BI
F-PROT W32/Mytob.BW@mm
F-Secure Net-Worm.Win32.Mytob.m
Ikarus Net-Worm.Win32.Mytob
Kaspersky Net-Worm.Win32.Mytob.m
McAfee W32/Mytob.gen@MM(Virus)
Microsoft Win32/Mytob.Z@mm
NOD32 (ESET) Win32/Mytob.AX
Norton Antivirus W32.Mytob.AH@mm
Panda W32/Mytob.AK.worm
Rising Antivirus
Sophos W32/Mytob-BX
VirusBuster I-Worm.Mytob.BL


The main purpose of viruses and worms spreading on the Internet and local networks is to infect another computer. After this infection malware can modify the system and after a reboot process the malware code can be launched. For this purpose malware usually creates files in the operating system's area and modify the registry. According to this modification of the registry the operating system will execute the malware code as well. Besides, it is possible that they create files in other area (directory) of the file system. It is also possible that viruses and worms create AUTORUN.INF files in the root directories of the drives. In this case - according to the default settings of Windows - it automatically executes the malware once the user opens the root directory of the particular drive.

The worm creates the following files:

In the Windows System32 folder (default: C:\Windows\System32):

  • taskgmr.exe
  • 2pac.txt
  • bingoo.exe

In the root folder of the drive(s):

  • funny_pic.scr
  • hellmsn.exe
  • my_photo2005.scr
  • see_this!!.scr

image image

Win32/Mytob.AX worm creates the following entries in the registry or modifies it (if it exists already):

  • [HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa] "WINRUN"="taskgmr.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\OLE] "WINRUN"="taskgmr.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "WINRUN"="taskgmr.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole] "WINRUN"="taskgmr.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunS
    ervices] "WINRUN"="taskgmr.exe"
  • more...

image image image image image image

Malware can infect other computers using the shared folders. In this case the inquisitive user sitting in the front of the other machine can easily launch the code of the malware.

Win32/Mytob.AX worm uses the following folder as shared folder:

  • ipc$
  • e$
  • profiles$
  • more...

E-mail messages

The main aim of worms spreading in e-mail messages is to infect other computers. For this purpose they create and send e-mail messages to various e-mail addresses. The body of these messages usually include the code of the worm, but it is also possible that only a link is attached into the body and the user downloads the code of the worm. E-mail worms can create e-mail messages with various parameters.

Win32/Mytob.AX worm in order to spread creates e-mail messages and it is used for propagating itself.

For a better spreading e-mail worms and viruses use the attacked computer not only for forwarding its code but for searching potential e-mail addresses. These e-mail addresses are used as the addressee of the e-mail message and/or as the sender. Thus the sender address is modified by the malware.

Win32/Mytob.AX worm searches for e-mail addresses in the Temporary Internet Files directory.

Win32/Mytob.AX worm searches for e-mail addresses in the files with one of the following extensions:

In order to send e-mail messages viruses and worms try to find the used SMTP server on the actual local area network.

Win32/Mytob.AX worm tries to use the actual domain name and the following prefixes as the SMTP server to send e-mail messages:

  • gate.
  • ns.
  • relay.
  • mail1.
  • mxs.
  • more...

The worm uses the Registry entry [HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts] to find an SMTP server.

The characteristics of the e-mail messages are the following:

The sender of the letter can be created using different methods. The possibilities are the following:

The user name in the sender e-mail address can be one of the following:

  • sandra
  • lolita
  • britney
  • bush
  • linda
  • more...

The worm can use the following domain names to create the sender e-mail address:


The worm collects e-mail addresses from the infected or previously infected computers in order to use as sender e-mail address.

Addressee The worm sends the e-mail messages to the collected addresses.

The worm does not send infected email messages to the addresses containing one of the following strings:

  • accoun
  • admin
  • anyone
  • bat
  • bugs
  • more...


The infected e-mail messages can have different Subjects. The possibilities are the following:

The possible Subjects of the infected e-mail message are:

  • Error
  • Good day
  • more...

The worm can use a randomly generated text for the Subject of the infected e-mail message.

The worm can create infected e-mail messages by having a blank Subject field.


The attachment of the e-mail message sent by the worm can be of different types. The possibilities are the following:

The name of the attachment of the e-mail message sent by the worm can be one of the following:

  • body
  • data
  • doc
  • document
  • file
  • more...

The worm can put together the name of the attachment of the outgoing infected e-mail message from randomly selected characters.

The file extension of the attachment of the e-mail message sent by the worm can be one of the following:

image image image

Security holes, vulnerabilities

A virus or worm that circulates on the Internet can utilize not only the interactivity of the user but the unpatched security holes of the operating system or the applications. Utilizing the vulnerabilities it is capable to take control over the attacked computer.

To help its distribution Win32/Mytob.AX worm utilizes the vulnerability known as Microsoft MS04-011 .

The buffer overflow error in the LSASS.EXE (Local Security Authority Subsystem Service) program enables the remote running of code in the affected systems, thus the attacker can take a remote control over the computer.

Attacks on the Internet

Viruses and worms can attack other computers on the Internet and disable their use.

The worm modifies the hosts file making the following web pages unreachable:

  • more...


Viruses and worms more and more frequently open backdoors on the attacked computer. Thus the attacker can take full control over the machine. In this case the attacker can do whatever s/he wants on the computer: run or stop programs and applications, upload or download files, steal passwords and access codes.

Win32/Mytob.AX worm opens a backdoor on TCP port number 445 .

A tool to open the backdoor of the attacked machine can be the installation of an IRC client. Via this IRC connection the attacker can control the computer remotely. It is also possible to send the code of the malware via the IRC connection.

Win32/Mytob.AX worm tries to connect to the IRC server and to #m-rl4 channel.

The first target of viruses and worms on the attacked computer is the shared folders. Thus they can spread on the local area networks as well as on peer-to-peer (P2P) connections. It is possible also to try to establish connections to other shared folders not only on LAN.

It uses passwords from the following list:

  • Cisco
  • ROOT
  • Root
  • oeminstall
  • more...