Some security vendors have issued alerts for W32/Mytob.bi@MM, a mass-mailing worm that combines W32/Mydoom@MM functionality with W32/Sdbot.worm functionality. The virus arrives in an email message with an attachment.

When the attachment is run, the virus copies itself to the Windows System directory (e.g. C:\Windows\System32\ on Windows XP) as Lien Van de Kelder.exe.

Entries are also appended to the Hosts file (typically found in C:\Windows\System32\Drivers\etc\) that map several security websites to the local host, so they can no longer be reached. This modified file is detected and cleaned as Qhosts.apd.


Registry keys are created to load the worm at startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "http://www.lienvandekelder.be" = Lien Van de Kelder.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "http://www.lienvandekelder.be" = Lien Van de Kelder.exe

Additionally, the following value is set:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess "Start" = 4

More information can be found at this McAfee page.
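As an added triage example (not code from either vendor's alert), the two helpers below check the host-based indicators described above: hostnames that a hosts file pins to a loopback address, and a .reg export containing the Run/RunServices autorun value or the SharedAccess "Start" = 4 setting. The hosts entries and the registry export are constructed sample input; the security-site domains use the reserved .invalid TLD because the alert does not list the real ones.

```python
import re

# Addresses that make a hostname resolve to the local machine.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately map to loopback and should not be flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
WORM_FILE = "lien van de kelder.exe"  # dropped file name from the alert

# Constructed sample hosts file: a normal first line, then worm-style entries.
HOSTS = """127.0.0.1 localhost
# constructed sample: entries appended by the worm
127.0.0.1 www.example-av-vendor.invalid
127.0.0.1 updates.example-av-vendor.invalid
"""

# Constructed sample .reg export of the keys named in the alert.
REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"http://www.lienvandekelder.be"="Lien Van de Kelder.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""

def hosts_hijacks(hosts_text):
    """Return hostnames mapped to loopback, excluding the legitimate local names."""
    hijacked = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        if ip in LOOPBACK:
            hijacked += [n for n in names if n.lower() not in LOCAL_NAMES]
    return hijacked

def reg_findings(reg_text):
    """Flag autorun values launching the worm's file and SharedAccess Start=4."""
    findings, key = [], None
    value_re = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]+)|"(.*)")$')
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]            # new key section
            continue
        m = value_re.match(line)
        if not m or key is None:
            continue
        name, dword, string = m.groups()
        k = key.lower()
        if k.endswith(("\\currentversion\\run", "\\currentversion\\runservices")) \
                and string and string.lower().endswith(WORM_FILE):
            findings.append(f"autorun {key}\\{name} -> {string}")
        if k.endswith("\\services\\sharedaccess") and name.lower() == "start" \
                and dword and int(dword, 16) == 4:
            findings.append("SharedAccess service Start=4 (service disabled)")
    return findings

if __name__ == "__main__":
    print(hosts_hijacks(HOSTS))
    print(reg_findings(REG))
```

On a live system the same checks apply to C:\Windows\System32\Drivers\etc\hosts and to the output of `reg export` for the two keys.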

According to Trend Micro, which also issued an alert, Worm_Mytob.BI, like other MYTOB variants, propagates by attaching a copy of itself (around 29,868 to 29,882 bytes) to email messages that it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine.

It gathers target email addresses from the Temporary Internet Files folder, the Windows Address Book (WAB), and files with certain extensions. It may also generate email addresses by combining a built-in list of names with the domain names of previously gathered addresses.

This worm also exploits the LSASS vulnerability to propagate. For more information about this vulnerability, refer to the following Microsoft Web page:

Microsoft Security Bulletin MS04-011

This worm has backdoor capabilities, which allow a remote user to execute malicious commands on the affected machine. This routine effectively gives remote users control over affected systems, compromising their security.

Moreover, it prevents users from accessing several antivirus and security Web sites by redirecting those connections to the local machine. It also terminates several processes.

This worm also downloads a file, which Trend Micro detects as TSPY_AGENT.H. That downloaded file in turn drops adware which Trend Micro detects as ADW_MEDTICKS.A.

More information can be found at this Trend Micro page.