Mytob.KU is a worm. Worms spread from computer to computer, making copies of themselves over the network. They can spread over email, IM, peer-to-peer networks, or directly over the wire by leveraging vulnerabilities. Mytob.KU is compressed using an executable packer and its file size is 31,500 bytes. It uses the network connection as follows:
- Looks for an Internet connection.
- Connects to "yahoo.no" on port 25 (TCP).
- Connects to an SMTP server.
Mytob.KU drops the following files on the hard drive:
- C:\WINDOWS\TEMP\tmp8129.tmp (31770 bytes)
- C:\WINDOWS\TEMP\tmp1743.tmp (31766 bytes)
- C:\WINDOWS\TEMP\tmp8629.tmp (31780 bytes)
It creates the following mutex to ensure only one instance is running: H-E-L-L-B-O-T-P-O-L-Y-M-O-R-P-H. It is also executed every time Windows starts, attempts to acquire the "SeDebugPrivilege" privilege, and monitors the list of running processes.
It also changes the Windows registry:
- Creates value "default"="" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
- Sets value "default"="" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
- Sets value "Start"="\x04" in key "HKLM\System\CurrentControlSet\Services\SharedAccess".