Remove mytob.mr - Spyware Removal Information

More than 1309737 spyware signatures and growing

Spywarelib Search

Search in:

Spywares

Files

Md5

Registry

Worm-Net.mytob.mr Analysis Report

Threat Submitted On: 8/12/2008 7:48:23 PM

Threat Analysed On: 8/13/2008 12:48:23 AM

Threat Updated On: 11/16/2009 9:04:28 AM

Type : Worm-Net

Symptoms of mytob.mr

Copies itself to other computers of the same LAN thereby infecting the whole LAN.
Copies its files to all the possible shared resources of the network.
Modifies the SYSTEM.INI and WIN.INI files and can even make itself execute at start-up.

Removal Recommended (Click here to remove automatically)

Removal Recommended

Information

Alias : net-worm.win32.mytob.mr

Md5 Hash : [93bcdf4782a17ccac4d3b5d0b0f12994]

File Size : (1482752 bytes)

Technical Details

Here are the Technical findings of our analysis team after analyzing this malware in detail :-

Creates the following infected Files on user's System

Note:

Delete the following Files to remove Infection

File: msgres.dll
Path : %windir%\system32
Md5Hash :f155d8a15f5cd738469ea3a50ac0fbbd ( 180738 bytes)

File: [randomname].exe
Path : %workingdir%
Md5Hash :93bcdf4782a17ccac4d3b5d0b0f12994 ( 1482752 bytes)

Also creates the following files on user's System which are also created by Genuine Software :-

Note:

These file(s) can be kept as they are also created by genuine Software.

File : hosts
Path : %windir%\system32\drivers\etc
Md5Hash :bef86d5ae738378376c0371dfb0e1d9e ( 2059 bytes)

Creates the following infected Registry Keys on user's System

Note:

Delete these Registries to remove Infection

HKEY_CLASSES_ROOT\CLSID\{D9AD08E4-EBC1-498E-B3AA-5914DFD7E225}\InProcServer32

The following Registry Values are added to the provided Registry Keys :-

Note:

Delete the added Values from the Key to remove Infection

Key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

|__ Value Added :

windows system = "test.exe"

Key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

|__ Value Added :

windows system = "test.exe"

Key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

|__ Value Added :

windowsdefender = "{d9ad08e4-ebc1-498e-b3aa-5914dfd7e225}"

Also creates the following legitmate Registries on user's Systems which are also created by Genuine Software :-

Note:

These Keys can be kept as they are also created by genuine Software

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

Creates the following child process(s) on execution:

\??\%windir%\system32\csrss.exe

services.exe

Creates the Following MUTEX(s) on user's System:-

define-is-funny-but-doesnt-work-offcourse-doh-its-so-you-odnt-run-in-debug-mode-naab

NOTE:

1. %windir% Refers to the windows root folder. By default it is 'C:\Windows'
2. %workingdir% Refers to the current directory in which user is working.

Important: We strongly recommend that you backup the Registry before making any changes to it. Incorrect changes to the Registry can result in permanent data loss or corrupted Files. Modify the malicious\suspicious Subkeys only.

Click Here for more spywarelib.com recommended PC Security and Optimization Tools

To modify registry entries in Windows Operating System:
Follow Steps:
1. Click Start > Run
2. Type “regedit” : to open registry editor
3. Navigate to required registry Key from the Left Tree control and modify accordingly.