Added Date: 2008-11-01 | Editor: Jack | About: Worm, Net-Worm.Win32.Mytob.y
Net-Worm.Win32.Mytob.y
Aliases: Exploit-Lsass.g.gen [McAfee], W32.Mytob.AK@mm [Symantec], WORM_MYTOB.AK [Trend Micro]
Type: Worm
Systems Affected: Windows 98, Windows 2000, Windows 2003, Windows XP, Windows Vista
Overview: Net-Worm.Win32.Mytob.y spreads via the Internet as an attachment to infected emails, and sends itself to the email addresses of other computers.
Symptoms of Net-Worm.Win32.Mytob.y:
1. Once launched, the worm copies itself to the following location:
[system drive]\windows\system32\msmgrxp.exe
2. It automatically creates the following files:
C:\funny_pic.scr
C:\see_this!!.scr
C:\my_photo2005.scr
3. It automatically registers itself in the system registry by adding the value shown below under these keys:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa]
[HKEY_CURRENT_USER\Software\Microsoft\OLE]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
[HKEY_LOCAL_MACHINE\Software\Microsoft\OLE]
"WINTASK"="msmgrxp.exe"
4. It automatically creates the file: C:\hellmsn.exe
Related trojans: Mytob, ZlobDldr, TrojanSpy.Win32.Keylogger, Darkmoon
Remove Net-Worm.Win32.Mytob.y:
1. Click Start > Run, type "regedit", and click OK.
2. Navigate to the subkeys:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa]
[HKEY_CURRENT_USER\Software\Microsoft\OLE]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
[HKEY_LOCAL_MACHINE\Software\Microsoft\OLE]
3. In the right pane, delete the value:
"WINTASK" = "msmgrxp.exe"
4. Close Registry Editor.
5. You can also use antivirus software to remove the worm quickly:
Kaspersky Internet Security 2009
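Before editing the registry by hand, the indicators listed above can be checked in one pass. The following PowerShell script is an added example, not part of the original entry: it only reads the registry keys and file paths named on this page and reports what it finds, deleting nothing. It assumes the worm copy sits under %SystemRoot%\system32 and that PowerShell is available on the machine being checked.

```powershell
# Added example: read-only check for the Net-Worm.Win32.Mytob.y indicators
# listed on this page. Nothing is modified or deleted.
$valueName = 'WINTASK'
$valueData = 'msmgrxp.exe'

# Registry keys exactly as listed in the entry (HKCU:/HKLM: are PowerShell drives).
$regKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKCU:\Software\Microsoft\OLE',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\Software\Microsoft\OLE'
)

# Files named in the entry. The first path is an assumption: the entry gives
# "[system drive]\windows\system32", taken here to be %SystemRoot%\system32.
$files = @(
    (Join-Path $env:SystemRoot 'system32\msmgrxp.exe'),
    'C:\funny_pic.scr',
    'C:\see_this!!.scr',
    'C:\my_photo2005.scr',
    'C:\hellmsn.exe'
)

$findings = @()
foreach ($key in $regKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }   # key absent on this OS
    $props = Get-ItemProperty -LiteralPath $key -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $props) {
        $data = [string]$props.$valueName
        # Report any WINTASK value; flag whether the data matches the entry exactly.
        $findings += [pscustomobject]@{ Type = 'Registry'; Location = $key
            Detail = "$valueName = $data"; ExactMatch = ($data -eq $valueData) }
    }
}
foreach ($file in $files) {
    if (Test-Path -LiteralPath $file -PathType Leaf) {
        $item = Get-Item -LiteralPath $file -Force          # -Force also returns hidden files
        $findings += [pscustomobject]@{ Type = 'File'; Location = $file
            Detail = "$($item.Length) bytes, modified $($item.LastWriteTime)"; ExactMatch = $true }
    }
}

if ($findings.Count -eq 0) { 'No indicators from this entry were found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

A hit with ExactMatch set to False means a WINTASK value exists but its data differs from the one given in this entry, so it should be reviewed rather than deleted outright.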
