Upon execution, Worm_Mytob.ER drops a copy of itself in the Windows system folder as the file SKY.EXE.

It propagates by sending a copy of itself as an attachment to email messages, which it then sends to target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine.

This worm has backdoor capabilities, which enable it to connect to the Internet Relay Chat (IRC) server irc.blackcarder.net. Once a connection is established, it joins the IRC channel #skyline, where it listens for commands coming from a remote malicious user.


It terminates processes, which are related to antivirus and security applications. It also prevents access to a list of antivirus sites.

More information can be found at this Trend Micro page.