[virusinfo] W32/Mytob-AJ

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Fri, 03 Jun 2005 13:51:30 -0700

From: Sophos Alert System:

Name: W32/Mytob-AJ
Type: Win32 worm
Date: 3 June 2005

Sophos has issued protection for W32/Mytob-AJ.

At the time of writing, Sophos has received no reports from
users affected by this worm. However, we have issued this
advisory following enquiries to our support department from
customers.

Customers using EM Library, Enterprise Console, PureMessage or
any of our Sophos small business solutions will be automatically
protected at their next scheduled update.


Note: The IDE issued for W32/Mytob-AJ at 03:34 GMT on 26 April
also contained detection for Troj/SDBot-06, W32/Rbot-ABE,
W32/Rbot-ABF, Troj/Vixdl-A, Troj/Dumaru-BE and Troj/Dloader-MS.
This IDE has now been updated to enhance detection of
Troj/Dumaru-BE.



Information about W32/Mytob-AJ can be found at:
http://www.sophos.com/virusinfo/analyses/w32mytobaj.html

W32/Mytob-AJ is a mass-mailing worm and backdoor Trojan that targets users of 
Internet Relay Chat programs. 
When first run the worm copies itself to the Windows system folder as 
taskgmr.exe and creates the following registry entries so as to run itself on 
user logon: 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Windows Task Manager = taskgmr.exe 
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    Windows Task Manager = taskgmr.exe 
W32/Mytob-AJ is capable of spreading through various operating system 
vulnerabilities such as LSASS (MS04-011). 
The worm also appends the following mappings to the HOSTS file to deny access 
to anti-virus and security-related websites and also adds in a signature line 
at the end of the file: 
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
-=Copyright (C) 2005-2006 HellBot3 Team All Rights Reserved.=- 
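The HOSTS tampering described above is easy to check for on a suspect machine. The following is an added example written for this post, not Sophos code: it parses HOSTS-file text, flags security-vendor domains that have been pointed at loopback, and flags any line that is not a valid "address hostname" entry (such as the signature line the worm appends). The vendor-domain list and the sample HOSTS content are constructed for the example.

```python
import ipaddress

# Constructed sample HOSTS text (not captured from a real infection): a normal
# localhost line followed by sinkhole entries and a trailing signature line of
# the kind the advisory describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.microsoft.com
-=Copyright (C) 2005-2006 HellBot3 Team All Rights Reserved.=-
"""

# Assumption: our own list of vendor domains that should never resolve to
# loopback on a workstation; extend it to match your environment.
SECURITY_DOMAINS = {
    "sophos.com", "symantec.com", "mcafee.com", "f-secure.com",
    "kaspersky.com", "trendmicro.com", "microsoft.com", "nai.com", "ca.com",
}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def parent_domains(host):
    """Return every parent domain of host, e.g. www.sophos.com -> {'www.sophos.com', 'sophos.com'}."""
    parts = host.lower().rstrip(".").split(".")
    return {".".join(parts[i:]) for i in range(len(parts) - 1)}


def scan_hosts(text):
    """Return (line number, finding, detail) tuples for suspicious HOSTS lines."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            # A HOSTS line must start with an IP address; anything else
            # (e.g. a malware signature line) does not belong in the file.
            findings.append((lineno, "non-hosts-line", raw.strip()))
            continue
        if len(fields) < 2:
            findings.append((lineno, "non-hosts-line", raw.strip()))
            continue
        for host in fields[1:]:
            if fields[0] in LOOPBACK and parent_domains(host) & SECURITY_DOMAINS:
                findings.append((lineno, "sinkholed-security-domain", host.lower()))
    return findings


if __name__ == "__main__":
    for lineno, finding, detail in scan_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {finding}: {detail}")
```

On a live system, read `%SystemRoot%\System32\drivers\etc\hosts` into `scan_hosts` instead of the sample text. Matching on parent domains rather than exact names catches every subdomain variant in the worm's list (update, liveupdate, dispatch, and so on) without enumerating them.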
W32/Mytob-AJ harvests email addresses from files found on the infected computer 
and from the Windows address book. 
Emails sent by W32/Mytob-AJ have the following characteristics: 
Subject line: chosen from 
read it immediately
Hello
Congratulations!
Re: Approved document
Re: Your document
Re: Administration
approved
Is that your password?
It's you!?
Bonjour 
From: chosen from 
contact@xxxxxxxxxxxxx
postmaster@xxxxxxx
support@xxxxxxxxx
admin@xxxxxxx
contact@xxxxxxx
contact@xxxxxxx
contact@xxxxxxxxxxxx 
Message text: chosen from 
I have attached your informations.
The original message was included as an attachment.
Your document is attached.
The message contains Unicode characters and has been sent as a binary 
attachment.
For more details see the attachment. 
Attached file: chosen from 
document
details
data
important information
your_doc
message
body 
Attached file extension: chosen from 
pif
scr
exe
cmd
bat
zip 
The worm can also spread by mailing itself as a file attachment using the 
filename isyq.scr. 
Where W32/Mytob-AJ sends itself as a zip archive, the worm may optionally use 
a double extension in which the first extension is DOC, TXT or HTM and the 
final extension is PIF, SCR, EXE or ZIP. 
The worm may also attempt to access or set up listening ports on ports 15 and 
256. 
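The mail characteristics listed above translate directly into a gateway or mailbox filter. The following is an added example for this post, not Sophos code: it builds a constructed message with the standard-library `email` package and scores it against the advisory's lure subjects, generic sender names, executable attachment extensions and the DOC/TXT/HTM-then-PIF/SCR/EXE/ZIP double-extension pattern. The sender address, attachment bytes and the function names are assumptions made for the example.

```python
from email.message import EmailMessage

# Indicator lists taken from the advisory text.
LURE_SUBJECTS = {
    "read it immediately", "Hello", "Congratulations!", "Re: Approved document",
    "Re: Your document", "Re: Administration", "approved", "Is that your password?",
    "It's you!?", "Bonjour",
}
GENERIC_SENDERS = {"contact", "postmaster", "support", "admin"}
EXEC_EXT = {"pif", "scr", "exe", "cmd", "bat"}
DECOY_EXT = {"doc", "txt", "htm"}
FINAL_EXT = {"pif", "scr", "exe", "zip"}


def attachment_indicators(filename):
    """Return indicator tags for one attachment file name."""
    parts = filename.lower().split(".")
    tags = []
    if len(parts) >= 2 and parts[-1] in EXEC_EXT:
        tags.append("executable-attachment")
    if len(parts) >= 3 and parts[-2] in DECOY_EXT and parts[-1] in FINAL_EXT:
        tags.append("double-extension")
    return tags


def score_message(msg):
    """Return the list of Mytob-style indicators found in an EmailMessage."""
    indicators = []
    if str(msg["Subject"] or "") in LURE_SUBJECTS:
        indicators.append("lure-subject")
    sender = str(msg["From"] or "")
    local_part = sender.split("<")[-1].split("@", 1)[0].strip().lower()
    if local_part in GENERIC_SENDERS:
        indicators.append("generic-sender")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        indicators.extend(f"{tag}:{name}" for tag in attachment_indicators(name))
    return indicators


def build_sample():
    """Constructed sample message matching the advisory's pattern (not a real capture)."""
    msg = EmailMessage()
    msg["Subject"] = "Re: Your document"
    msg["From"] = "support@example.invalid"   # constructed sender
    msg["To"] = "user@example.invalid"
    msg.set_content("Your document is attached.")
    # Constructed attachment body; only the file name matters to the filter.
    msg.add_attachment(b"not a real executable", maintype="application",
                       subtype="octet-stream", filename="document.txt.scr")
    return msg


if __name__ == "__main__":
    print(score_message(build_sample()))
```

A single indicator (a "Hello" subject, say) is weak on its own; blocking or quarantining is best keyed on the attachment indicators, with the subject and sender hits used to raise priority for review.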
The following patches for the operating system vulnerabilities exploited by 
W32/Mytob-AJ can be obtained from the Microsoft website: 
MS04-011 

The W32/Mytob-AJ virus identity file (IDE) includes detection for:


Troj/SDBot-06
http://www.sophos.com/virusinfo/analyses/trojsdbot06.html
W32/Rbot-ABE
http://www.sophos.com/virusinfo/analyses/w32rbotabe.html
W32/Rbot-ABF
http://www.sophos.com/virusinfo/analyses/w32rbotabf.html
Troj/Vixdl-A
http://www.sophos.com/virusinfo/analyses/trojvixdla.html
Troj/Dumaru-BE
http://www.sophos.com/virusinfo/analyses/trojdumarube.html
Troj/Dloader-MS
http://www.sophos.com/virusinfo/analyses/trojdloaderms.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, 
who are not running EM Library, can manually download the IDE
for W32/Mytob-AJ from:

http://www.sophos.com/downloads/ide/mytob-aj.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
