From; Sophos Alert System: Name: W32/Mytob-AP Type: Win32 worm Date: 8 June 2005 Sophos has issued protection for W32/Mytob-AP. At the time of writing, Sophos has received a small number of reports of this worm from the wild. Customers using EM Library, Enterprise Console, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. Information about W32/Mytob-AP can be found at: http://www.sophos.com/virusinfo/analyses/w32mytobap.html W32/Mytob-AP is a mass-mailing worm and IRC backdoor Trojan. W32/Mytob-AP runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels, including the ability to download and execute files on the infected computer. W32/Mytob-AP can spread by sending itself as an email attachment to email addresses it harvests from the infected computer, either as an attachment with a double-extension or as a zip file containing a file with a double-extension. W32/Mytob-AP avoids sending emails to addresses containing certain strings in them. W32/Mytob-AP processes the emails it has harvested by splitting them into name and domain. Once it has sent itself to the emails it has harvested, it uses a predefined list of names with the harvested domains. W32/Mytob-AP spoofs the sender, sending emails as if from one of the following at the same domain as the recipient: support administrator mail service admin info register webmaster For example if sending itself to name@xxxxxxxxxxx, W32/Mytob-AP might send the email as if from admin@xxxxxxxxxxxx Emails sent by the worm have characteristics from the following: Subject line: Notice: **Last Warning** *DETECTED* Online User Violation Your Email Account is Suspended For Security Reasons Account Alert Important Notification *WARNING* Your Email Account Will Be Closed Security measures Email Account Suspension Notice of account limitation Message body - one of the following or a garbled message: Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal. The original message has been included as an attachment. We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached. We attached some important information regarding your account. Please read the attached document and follow it's instructions. Attachment name: email-info email-doc information account-details document INFO instructions info-text information First extension (of attachment or of file inside zip): doc htm txt Second extension (of attachment or of file inside zip): pif scr exe cmd bat If the attachment is a zip file it will have the same base name as the double-extension file inside. Example attachment names include document.txt.pif and information.doc.cmd, usually with a large number of spaces between the extensions. W32/Mytob-AP copies itself to the Window system folder with the filename "Lien Van de Kelder.exe" and sets the following registry entries to run itself on system startup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ http://www.lienvandekelder.be = "Lien Van de Kelder.exe" HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ http://www.lienvandekelder.be = "Lien Van de Kelder.exe" W32/Mytob-AP sets the following registry entries, disabling the automatic startup of other software: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess Start 4 W32/Mytob-AP attempts to terminate a large number of processes related to security and anti-virus programs including REGEDIT.EXE, MSCONFIG.EXE and NETSTAT.EXE. W32/Mytob-AP modifies the Windows hosts file in order to block access to the following security-related websites: 127.0.0.1 www.symantec.com 127.0.0.1 securityresponse.symantec.com 127.0.0.1 symantec.com 127.0.0.1 www.sophos.com 127.0.0.1 sophos.com 127.0.0.1 www.mcafee.com 127.0.0.1 mcafee.com 127.0.0.1 liveupdate.symantecliveupdate.com 127.0.0.1 www.viruslist.com 127.0.0.1 viruslist.com 127.0.0.1 viruslist.com 127.0.0.1 f-secure.com 127.0.0.1 www.f-secure.com 127.0.0.1 kaspersky.com 127.0.0.1 kaspersky-labs.com 127.0.0.1 www.avp.com 127.0.0.1 www.kaspersky.com 127.0.0.1 avp.com 127.0.0.1 www.networkassociates.com 127.0.0.1 networkassociates.com 127.0.0.1 www.ca.com 127.0.0.1 ca.com 127.0.0.1 mast.mcafee.com 127.0.0.1 www.lycos-vds.com 127.0.0.1 my-etrust.com 127.0.0.1 www.my-etrust.com 127.0.0.1 download.mcafee.com 127.0.0.1 dispatch.mcafee.com 127.0.0.1 secure.nai.com 127.0.0.1 nai.com 127.0.0.1 www.nai.com 127.0.0.1 update.symantec.com 127.0.0.1 updates.symantec.com 127.0.0.1 us.mcafee.com 127.0.0.1 liveupdate.symantec.com 127.0.0.1 customer.symantec.com 127.0.0.1 rads.mcafee.com 127.0.0.1 trendmicro.com 127.0.0.1 www.trendmicro.com 127.0.0.1 www.grisoft.com 127.0.0.1 www.microsoft.com 127.0.0.1 microsoft.com 127.0.0.1 www.msn.com 127.0.0.1 www.virustotal.com 127.0.0.1 virustotal.com 127.0.0.1 www.oxyd.fr 127.0.0.1 oxyd.fr 127.0.0.1 www.t35.com 127.0.0.1 t35.com 127.0.0.1 www.t35.net 127.0.0.1 t35.net Customers with 3.xx or lower versions of Sophos Anti-Virus, who are not running EM Library, can manually download the IDE for W32/Mytob-AP from: http://www.sophos.com/downloads/ide/mytob-ap.ide Read about how to use IDE files at http://www.sophos.com/support/knowledgebase/article/363.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member