W32/Mytob.DP is an email worm. The worm will infect Windows systems and spreads through email.

The 'From' address of the infected email will be any one of the following;

info
mail
admin
service
support
register
webmaster
administrator

The 'Subject' of the infected mail will be any one of the following;

Members Support
Security measures
Important Notification
Email Account Suspension
Your Account is Suspended
Notice of account limitation
Your password has been updated
*DETECTED* Online User Violation
Your new account password is approved
Your password has been successfully updated
You have successfully updated your password
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.

The body of the infected mail will be any one of the following;

Dear user (random),

You have successfully updated the password of your (random) account.
If you did not authorize this change or if you need assistance with your account, please contact (random) customer service at: (random)

Thank you for using (random)!
The (random) Support Team

+++ Attachment: No Virus (Clean)
(random) Antivirus - (random URL)

Dear user (random),

It has come to our attention that your (random) User Profile ((random)) records are out of date. For further details see the attached document.

Thank you for using (random)!
The (random) Support Team

+++ Attachment: No Virus (Clean)
+++ (random) Antivirus - (random URL)

Dear (random) Member,

We have temporarily suspended your email account (random).
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of
subscription due to an internal error within our processors.
See the details to reactivate your (random) account.

Sincerely,
The (random) Support Team

+++ Attachment: No Virus (Clean)
+++ (random) Antivirus - (random URL)

Dear (random) Member,

Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.

If you choose to ignore our request, you leave us no choice but to cancel your membership.

Virtually yours,
The (random) Support Team

+++ Attachment: No Virus found
+++ (random) Antivirus - (random URL)

The name of the infected attachment will be any one of the following;

readme.zip
(random).zip
document.zip
password.zip
account-info.zip
email-details.zip
new-password.zip
account-report.zip
account-details.zip
email-password.zip
important-details.zip
account-password.zip
accepted-password.zip
approved-password.zip
(random) updated-password.zip

Upon execution of the infected attachment, the worm copies itself as MSWINS.EXE in the Windows system folder

It alters the windows registry at the following location to load itself during next startup;

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

To propagate itself, the worm scans the files present in the Windows Address Book (WAB), Temporary Internet Files folder and the files having the following extensions to collect all the available email addresses from the infected system.

.adbh, .aspd, .cgil, .dbxn, .htmb, .html, .jspl, .phpq, .pl, .shtl, .tbbg, .txt, .wab, .xmls

The worm mails itself to these addresses using its own SMTP engine.

The worm also has backdoor capabilities that connect to IRC Internet Relay Chat server irc.powerirc.net using TCP port 6667. It joins the channel #ccpower and listens for the following commands coming from a remote user, which this worm executes on the affected computer:

Delete files
Execute files
Download files
Terminate processes
Update copy of itself
Get system information

The worm alters the hosts file to deny the access to few antivirus websites. It also terminates some of the security related processes.

This worm first appeared on July 25, 2006.

 Other names of W32/Mytob.DP Worm:

This Worm is also known as WORM_MYTOB.DP .