W32/Mytob-CJ is a member of the W32/Mytob family of email worms.
Once installed, W32/Mytob-CJ attempts to log on to remote IRC servers and opens a backdoor that allows remote commands to be executed. W32/Mytob-CJ also tries to download files from a remote website and run them.
W32/Mytob-CJ also terminates anti-virus and system related processes.
W32/Mytob-CJ also modifies the HOSTS file to deny access to anti-virus and security related websites.
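The HOSTS-file tampering described above is easy to check for on a suspect machine. The following is an added example (not code from the advisory or its author) that parses HOSTS-file text and reports entries that statically map a watched security domain or black-hole any non-local name. The sample file content and the watch-list domains are constructed placeholders; the advisory does not name the sites the worm blocks.

```python
import ipaddress

# Constructed sample HOSTS file content for this example (not taken from the
# advisory): legitimate entries mixed with lines of the kind a worm adds to
# black-hole security-related sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver.corp.example   # internal share
127.0.0.1       av-vendor.example www.av-vendor.example
0.0.0.0         updates.security-vendor.example
127.0.0.1       downloads.example
"""

# Placeholder watch list; a real deployment would carry the organisation's own
# list of anti-virus and update hosts. Subdomains of each entry also match.
WATCHED_DOMAINS = {"av-vendor.example", "security-vendor.example"}

# Addresses that make a name unreachable when a HOSTS entry points at them.
SINKHOLE_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/32"),
    ipaddress.ip_network("::1/128"),
]


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from HOSTS-file text.

    Handles trailing '#' comments, blank lines, tabs and lines that map
    several hostnames to one address; lines with an unparsable address are
    skipped rather than raising.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield ip, host.lower()


def _is_watched(host, watched):
    """True if host is a watched domain or a subdomain of one."""
    return host in watched or any(host.endswith("." + d) for d in watched)


def find_hijacked(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip, reason)] for HOSTS entries worth alerting on.

    Any static mapping of a watched security domain is reported, whatever the
    address, because the vendor's site should resolve through DNS. Other
    non-local names mapped to a sinkhole address are reported too, since a
    clean HOSTS file rarely black-holes anything but localhost.
    """
    findings = []
    for ip, host in parse_hosts(text):
        if host in ("localhost", "localhost.localdomain"):
            continue
        if _is_watched(host, watched):
            findings.append((host, str(ip), "security domain statically mapped"))
        elif any(ip in net for net in SINKHOLE_NETS):
            findings.append((host, str(ip), "non-local name black-holed"))
    return findings


if __name__ == "__main__":
    for host, ip, reason in find_hijacked(SAMPLE_HOSTS):
        print(f"{host:40} -> {ip:12} {reason}")
```

On a live Windows host the text would be read from `%SystemRoot%\System32\drivers\etc\hosts`; the function is kept free of file I/O so it can run over a copy pulled during incident response.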
W32/Mytob-CJ harvests email addresses and mail-server information from the Windows Address Book and the Microsoft Internet Account Manager. Email messages sent by W32/Mytob-CJ have the following characteristics:
Subject line chosen from:
'Notice: **Last Warning**'
'Your email account access is restricted'
'Your Email Account is Suspended For Security Reasons'
'Notice:***Your email account will be suspended***'
'Email Account Suspension'
'*IMPORTANT* Please Validate Your Email Account'
'*IMPORTANT* Your Account Has Been Locked'
'*WARNING* Your Email Account Will Be Closed'
Message text chosen from:
'Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.'
'To unblock your email account acces, please see the attachment.'
'Follow the instructions in the attachment.'
'We have suspended some of your email services, to resolve the problem you should read the attached document.'
'To safeguard your email account from possible termination, please see the attached file.'
'please look at attached document.'
'Account Information Are Attached!'
Attached filenames chosen from:
The attached file consists of any of the above-mentioned base names followed by one of the extensions PIF, SCR, EXE, CMD, BAT or ZIP. The worm may optionally create double extensions, where the first extension is DOC, TXT or HTM and the final extension is PIF, SCR, EXE, CMD, BAT or ZIP.
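The subject lines, message texts and attachment naming rule above can be turned into a mail-gateway triage check. The following is an added example (not code from the advisory or its author) that parses a raw message, compares its subject and body against the advisory's strings verbatim, and applies the `<base>[.doc|.txt|.htm].<pif|scr|exe|cmd|bat|zip>` rule to attachment names. The two sample messages are constructed, and the attachment base name `account-info` is a placeholder because the advisory does not list the worm's base names.

```python
import email
import re
from email import policy

# Subject lines listed in the advisory, verbatim.
LURE_SUBJECTS = {
    "Notice: **Last Warning**",
    "Your email account access is restricted",
    "Your Email Account is Suspended For Security Reasons",
    "Notice:***Your email account will be suspended***",
    "Email Account Suspension",
    "*IMPORTANT* Please Validate Your Email Account",
    "*IMPORTANT* Your Account Has Been Locked",
    "*WARNING* Your Email Account Will Be Closed",
}

# Message texts listed in the advisory, verbatim (the worm's own spelling
# "acces" is kept on purpose, since that is what arrives in the mail).
LURE_BODIES = (
    "Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.",
    "To unblock your email account acces, please see the attachment.",
    "Follow the instructions in the attachment.",
    "We have suspended some of your email services, to resolve the problem you should read the attached document.",
    "To safeguard your email account from possible termination, please see the attached file.",
    "please look at attached document.",
    "Account Information Are Attached!",
)

# Attachment rule from the advisory: a base name, an optional DOC/TXT/HTM decoy
# extension, then a final PIF/SCR/EXE/CMD/BAT/ZIP extension. Base names with
# dots in them are deliberately not matched, mirroring the stated rule.
ATTACHMENT_RE = re.compile(
    r"^(?P<base>[^.]+)(?:\.(?P<decoy>doc|txt|htm))?\.(?P<final>pif|scr|exe|cmd|bat|zip)$",
    re.IGNORECASE,
)


def classify_attachment(name):
    """Return details if the filename fits the worm's naming rule, else None."""
    m = ATTACHMENT_RE.match(name.strip())
    if not m:
        return None
    return {
        "base": m["base"],
        "double_extension": m["decoy"] is not None,
        "final": m["final"].lower(),
    }


def score_message(subject, body, attachment_names):
    """Combine subject, body and attachment indicators into a score and reasons."""
    score, reasons = 0, []
    if subject.strip() in LURE_SUBJECTS:
        score += 1
        reasons.append("subject matches a known lure")
    if any(text in body for text in LURE_BODIES):
        score += 1
        reasons.append("body contains a known lure sentence")
    for name in attachment_names:
        info = classify_attachment(name)
        if info is None:
            continue
        score += 2
        note = f"executable attachment {name!r} ({info['final']})"
        if info["double_extension"]:
            score += 1
            note += " with decoy double extension"
        reasons.append(note)
    return {"score": score, "suspicious": score > 0, "reasons": reasons}


def triage(raw_message):
    """Parse an RFC 822 message string and score it."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    return score_message(subject, body, names)


# Constructed sample messages (not captured worm mail). The attachment content
# is placeholder text, not an executable.
SAMPLE_LURE_RAW = """\
From: support@mail.example
To: user@corp.example
Subject: *IMPORTANT* Your Account Has Been Locked
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

To unblock your email account acces, please see the attachment.
--XYZ
Content-Type: application/octet-stream; name="account-info.doc.pif"
Content-Disposition: attachment; filename="account-info.doc.pif"

placeholder bytes, not a real executable
--XYZ--
"""

BENIGN_RAW = """\
From: colleague@corp.example
To: user@corp.example
Subject: Notes from today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ABC"

--ABC
Content-Type: text/plain

Attached are the notes.
--ABC
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

line one
--ABC--
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE_RAW), ("benign", BENIGN_RAW)):
        print(label, triage(raw))
```

The subject and body matches are exact-string checks, which is what the advisory supports; the attachment rule carries the most weight because it holds regardless of which lure text a given copy of the worm picks.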