W32.Mytob.M@mm is a mass-mailing worm with back door capabilities. The worm uses its own SMTP engine to send email to addresses that it gathers from the compromised computer. The worm also spreads by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow, as described in Microsoft Security Bulletin MS04-011
EMAIL MESSAGES TO BLOCK OR AVOID
Subject: One of the following:
Good day
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
[No Subject]
[random letters]
Message: One of the following:
Here are your banks documents.
The original message was included as an attachments.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.
[Random data]
Attachment: One of the following:
document
readme
doc
text
file
data
test
message
body
[random letters]
with one of the following extensions:
.bat
.cmd
.exe
.pif
.scr
.zip