W32/Spybot-DO is a worm that spreads through network shares and backdoors left open by other worms and Trojans. W32/Spybot-DO has backdoor capabilities.
W32/Spybot-DO monitors running processes and terminates regedit.exe, taskmgr.exe, msconfig.exe and netstat.exe if found running.
The worm then adds an entry in win.ini of the remote computer and also schedules a remote job to run the remote copy of the worm.
The worm logs on to a predefined IRC server to wait for backdoor commands.
Sorry, the May 20, 2005 thread was actually May 19, 2005 - now it is REALLY May 20, 2005. Oops, can happen.
W32/Mytob-CK is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network.
W32/Mytob-CK may drop a file called hellmsn.exe (detected by Sophos as W32/Mytob-D) in the same location. This component attempts to spread the worm by sending the aforementioned SCR files through Windows Messenger to all online contacts.
W32/Mytob-CK is capable of spreading through email and through various operating system vulnerabilities such as LSASS (MS04-011).
The following patch for the operating system vulnerability exploited by W32/Mytob-CK can be obtained from the Microsoft website:
LSASS (MS04-011) security vulnerability
Email sent by W32/Mytob-CK has the following properties:
Mail Delivery System
Mail Transaction Failed
'Here are your banks documents.'
'The original message was included as an attachment.'
'The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.'
'The message contains Unicode characters and has been sent as a binary attachment.'
'Mail transaction failed. Partial message is available.'
The attached file consists of a base name followed by the extensions PIF, SCR, EXE or ZIP. The worm may optionally create double extensions where the first extension is DOC, TXT or HTM and the final extension is PIF, SCR, EXE or ZIP.
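A mail-filter check built from the email properties and attachment naming described above, as an added example that is not part of the original description or any vendor's code. The function names, the `example.test` address and the sample message are constructed for illustration, and the listed strings are searched in From, Subject and body because the page does not say which field each belongs to.

```python
import email.policy
import re
from email.message import EmailMessage

# Strings this page lists for W32/Mytob-CK email (compared case-insensitively).
PHRASES = (
    "Mail Delivery System",
    "Mail Transaction Failed",
    "Here are your banks documents.",
    "The original message was included as an attachment.",
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "Mail transaction failed. Partial message is available.",
)
# Final extension PIF/SCR/EXE/ZIP, optionally preceded by DOC/TXT/HTM.
EXT_RE = re.compile(r"(?:\.(doc|txt|htm))?\.(pif|scr|exe|zip)$", re.IGNORECASE)

def classify_attachment(name):
    """Return 'double-extension', 'single-extension' or None."""
    m = EXT_RE.search((name or "").strip())
    if m is None:
        return None
    return "double-extension" if m.group(1) else "single-extension"

def score_message(raw):
    """Parse a raw message and report which of the page's traits it shows."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    text = f"{msg.get('From', '')} {msg.get('Subject', '')}"
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text += " " + body.get_content()
    text = " ".join(text.lower().split())
    phrases = [p for p in PHRASES if p.lower() in text]
    files = {}
    for part in msg.iter_attachments():
        verdict = classify_attachment(part.get_filename())
        if verdict:
            files[part.get_filename()] = verdict
    return {"phrases": phrases, "attachments": files, "flag": bool(phrases and files)}

def constructed_sample():
    """Constructed test message (not a captured sample); harmless 1-byte file."""
    m = EmailMessage()
    m["From"] = "Mail Delivery System <postmaster@example.test>"
    m["Subject"] = "Mail Transaction Failed"
    m.set_content("The original message was included as an attachment.")
    m.add_attachment(b"\0", maintype="application", subtype="octet-stream",
                     filename="document.txt.scr")
    return m.as_string()
```

The `flag` field requires both a listed phrase and a matching attachment name, since ZIP and EXE attachments alone are common in legitimate mail.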