[virusinfo] W32/Mytob-AT

• From: "Mike" <mikebike@xxxxxxxxx>
• To: virusinfo@xxxxxxxxxxxxx
• Date: Sun, 12 Jun 2005 08:28:42 -0700

From; Sophos Alert System:

Name: W32/Mytob-AT
Aliases: W32/Mytob.FI@mm, W32/Mytob.cg@MM, Net-Worm.Win32.Mytob.bi
Type: Win32 worm
Date: 12 June 2005

Sophos has issued protection for W32/Mytob-AT.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.

Customers using EM Library, Enterprise Console, PureMessage or
any of our Sophos small business solutions will be automatically
protected at their next scheduled update.


Information about W32/Mytob-AT can be found at:
http://www.sophos.com/virusinfo/analyses/w32mytobat.html

W32/Mytob-AT is a mass-mailing worm and IRC backdoor Trojan. 
W32/Mytob-AT runs continuously in the background, providing a backdoor server 
which allows a remote intruder to gain access and control over the computer via 
IRC channels. 
When first run W32/Mytob-AT copies itself to <System>\External.exe. 
The following registry entries are created to run External.exe on startup: 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
External Dependencies
External.exe 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
External Dependencies
External.exe 
W32/Mytob-AT sets the following registry entries, disabling the automatic 
startup of other software: 
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4 
W32/Mytob-AT can spread by sending itself as an email attachment to email 
addresses harvested from the infected computer. W32/Mytob-AT spoofs the 
sender's email address so that the sent email appears to be from the same 
domain from one of the following users: 
admin
administrator
info
mail
register
service
support
webmaster 
For example if sending itself to name@xxxxxxxxxxx, W32/Mytob-AT might send the 
email as if from admin@xxxxxxxxxxxx 
Emails sent by the worm have characteristics from the following: 
Subject lines: 
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation 
or random characters 
Message text - one of the following: 
The worm will insert the user name and the email domain of the adresssee into 
the email. 
Dear user <UserName>, 
You have successfully updated the password of your <domain> account. 
If you did not authorize this change or if you need assistance with your 
account, please contact <domain> customer service at: <sender@domain>
Thank you for using <domain>!
The <domaim> Support Team 
+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain> 
Dear user <UserName>, 
It has come to our attention that your <domain> User Profile ( x ) records are 
out of date. For further details see the attached document.
Thank you for using <domain>!
The <domain> Support Team 
+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain> 
Dear <domain> Member, 
We have temporarily suspended your email account <UserEmailAddress>. 
This might be due to either of the following reasons: 
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due 
to an internal error within our processors.
See the details to reactivate your <domain> account. 
Sincerely,The <domain> Support Team 
+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain> 
Dear <domain> Member, 
Your e-mail account was used to send a huge amount of unsolicited spam messages 
during the recent week. If you could please take 5-10 minutes out of your 
online experience and confirm the attached document so you will not run into 
any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to cancel your 
membership. 
Virtually yours,
The <domain> Support Team 
+++ Attachment: No Virus found
+++ <domain> Antivirus - www.<domain> 
Attachment name: 
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report 
or random characters 
File extension: 
pif
scr
exe
cmd
bat
zip 
The zip file will contain the worm with double extension. The first extension 
will be one of doc, htm, txt followed by spaces and the second extension is 
exe, scr or pif. 
W32/Mytob-AT attempts to terminate a large number of processes related to 
security and anti-virus programs. 
W32/Mytob-AT also modifies the Windows hosts file in order to block access to 
the following websites: 
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com 
 

The W32/Mytob-AT virus identity file (IDE) includes detection for:


Troj/Agent-DY
http://www.sophos.com/virusinfo/analyses/trojagentdy.html
Troj/Agent-DZ
http://www.sophos.com/virusinfo/analyses/trojagentdz.html
W32/Rbot-AFI
http://www.sophos.com/virusinfo/analyses/w32rbotafi.html
W32/Rbot-AFK
http://www.sophos.com/virusinfo/analyses/w32rbotafk.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, 
who are not running EM Library, can manually download the IDE
for W32/Mytob-AT from:

http://www.sophos.com/downloads/ide/mytob-at.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html





---------------------------------------------------------------------
To unsubscribe, email: notification-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, email: notification-faq@xxxxxxxxxxxxxxxx

Other related posts:

• » [virusinfo] W32/Mytob-AT

1. Home
2. virusinfo
3. Archive
4. 06-2005

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---