W32/Mytob.LP is an email worm. This worm is a variant of W32/Mytob. The worm will infect Windows systems and spreads through email.

The infected email carries a spoofed 'From' address picked up randomly from the infected system.

The subject of the infected mail will be any one of the following;

Members Support
Security measures
Important Notification
Email Account Suspension
Your Account is Suspended
Notice of account limitation
*DETECTED* Online User Violation
Your new account password is approved
Your password has been successfully updated
You have successfully updated your password
YOUR ACCOUNT IS SUSPENDED FOR SECURITY REASONS
Warning Message: Your services near to be closed.Your password has been successfully updated

The body of the infected mail will be any one of the following;

Dear [domain name] Member,

We have temporarily suspended your email account [email address].

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.See the details to reactivate your [domain name] account.

Sincerely,The [domain name] Support Team

+++ Attachment: No Virus (Clean)
+++ [domain name ] Antivirus - www.[domain name].com


Dear [domain name] Member,

Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.

If you choose to ignore our request, you leave us no choice but to cancel your membership.

Virtually yours,
The [domain name] Support Team

+++ Attachment: No Virus (Clean)
+++ [domain name] Antivirus - www.[domain name].com


Dear user [name of recipient],

It has come to our attention that your [domain name] User Profile ( x ) records are out of date. For further details see the attached document.

Thank you for using [domain name]!

The [domain name] Support Team

+++ Attachment: No Virus (Clean)
+++ [domain name] Antivirus - www.[domain name].com


Dear user [name of recipient],

You have successfully updated the password of your [domain name] account.

If you did not authorize this change or if you need assistance with your account, please contact [domain name] customer service at: [mail@domain name]

Thank you for using [domain name]!

The [domain name] Support Team

+++ Attachment: No Virus (Clean)
+++ [antivirus name] Antivirus - www.[domain name].com

The infected attachment will be any one of the following;

readme
password
document
account-info
email-details
account-report
new-password
account-details
email-password
important-details
account-password
updated-password
accepted-password
approved-password

The extension of the infected attachment will be any one of the following;

bat, cmd, exe, pif, zip or scr

Upon execution of the infected attachment, the worm copies itself as D.EXE in the Windows System folder.

The worm modifies registry at the following location to load itself during each startup

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

To propagate itself, the worm collects all the available email addresses from the Windows Address Book (WAB) of the infected system.

It can also generate email address by adding the following name to the domain name gathered from previously collected email addresses.

andrew, steve, brenda, smith, brent, sandra, brian, sales, claudia, robert, david, peter, debby, michael, frank, maria, george, linda, helen, kevin, james, julie, jerry and jimmy.

The worm mails itself to these addresses using its own SMTP engine.

The worm also has the backdoor capabilities. It connects to the Internet Relay Chat (IRC) server. After the connection is established, it joins an IRC channel and listens for commands coming from a remote malicious user.

It also modifies the HOSTS file.

The worm also tries to terminate some of the security related processes and prevents access to some of the security related websites

This worm first appeared on October 15, 2005.

 Other names of W32/Mytob.LP Worm:

This Worm is also known as WORM_MYTOB.LP.