SonicALERT
Search

Sonicwall Signatures

 

Go to All Categories list.


  Mytob.KU
Mytob.KU is a Worm. Worms spread from computer to computer, making copies of themselves over the network. They could spread over email, IM, peer-to-peer networks, or directly over the wire by leveraging vulnerabilities. Mytob.KU is compressed using the executable packer and its file size is 31,500 bytes. It uses the network connection:
  • Looks for an Internet connection.
  • Connects to "yahoo.no" on port 25 (TCP).
  • Connects SMTP server.

Mytob.KU drops the following files on the hard drive:

  • C:\WINDOWS\TEMP\tmp8129.tmp (31770 bytes)
  • C:\WINDOWS\TEMP\tmp1743.tmp (31766 bytes)
  • C:\WINDOWS\TEMP\tmp8629.tmp (31780 bytes)
It also changes Windows registry:
  • Creates value "default"="" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
  • Sets value "default"="" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
  • Sets value "Start"="\x04" in key "HKLM\System\CurrentControlSet\Services\SharedAccess".
It creates the following mutex to ensure only one instance is running: H-E-L-L-B-O-T-P-O-L-Y-M-O-R-P-H. It also is executed every time Windows starts, attempts to acquire the "SeDebugPrivilege" privileges, monitors the list of running processes.


Relevant Information