From; Sophos Alert System: Name: W32/Mytob-BD Aliases: Net-Worm.Win32.Mytob.bd Type: Win32 worm Date: 7 June 2005 Sophos has issued protection for W32/Mytob-BD. At the time of writing, Sophos has received a small number of reports of this worm from the wild. Customers using EM Library, Enterprise Console, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. Information about W32/Mytob-BD can be found at: http://www.sophos.com/virusinfo/analyses/w32mytobbd.html W32/Mytob-BD is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network. When first run W32/Mytob-BD copies itself to the Windows system folder as test2.exe and creates the following registry entries: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices WINDOWS SYSTEM test2.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WINDOWS SYSTEM test2.exe W32/Mytob-BD also disables the Windows XP firewall by changing the following default registry entry from: from: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess Start 00000003 to: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess Start 00000004 W32/Mytob-BD terminates system and anti-virus related processes including CMD.EXE, TASKMON.EXE and REGEDIT.EXE. W32/Mytob-BD also appends the following mappings to the HOSTS file to deny access to trading, financial and security related websites: 127.0.0.1 www.symantec.com 127.0.0.1 securityresponse.symantec.com 127.0.0.1 symantec.com 127.0.0.1 www.sophos.com 127.0.0.1 sophos.com 127.0.0.1 www.mcafee.com 127.0.0.1 mcafee.com 127.0.0.1 liveupdate.symantecliveupdate.com 127.0.0.1 www.viruslist.com 127.0.0.1 viruslist.com 127.0.0.1 viruslist.com 127.0.0.1 f-secure.com 127.0.0.1 www.f-secure.com 127.0.0.1 kaspersky.com 127.0.0.1 kaspersky-labs.com 127.0.0.1 www.avp.com 127.0.0.1 www.kaspersky.com 127.0.0.1 avp.com 127.0.0.1 www.networkassociates.com 127.0.0.1 networkassociates.com 127.0.0.1 www.ca.com 127.0.0.1 ca.com 127.0.0.1 mast.mcafee.com 127.0.0.1 my-etrust.com 127.0.0.1 www.my-etrust.com 127.0.0.1 download.mcafee.com 127.0.0.1 dispatch.mcafee.com 127.0.0.1 secure.nai.com 127.0.0.1 nai.com 127.0.0.1 www.nai.com 127.0.0.1 update.symantec.com 127.0.0.1 updates.symantec.com 127.0.0.1 us.mcafee.com 127.0.0.1 liveupdate.symantec.com 127.0.0.1 customer.symantec.com 127.0.0.1 rads.mcafee.com 127.0.0.1 trendmicro.com 127.0.0.1 www.trendmicro.com 127.0.0.1 www.grisoft.com 127.0.0.1 www.microsoft.com 127.0.0.1 microsoft.com 127.0.0.1 www.virustotal.com 127.0.0.1 virustotal.com 127.0.0.1 www.amazon.com 127.0.0.1 www.amazon.co.uk 127.0.0.1 www.amazon.ca 127.0.0.1 www.paypal.com 127.0.0.1 paypal.com 127.0.0.1 moneybookers.com 127.0.0.1 www.moneybookers.com 127.0.0.1 www.ebay.com 127.0.0.1 ebay.com Emails sent by W32/Mytob-BD have the following properties: Subject lines chosen from: 'Notice: **Last Warning**' '*IMPORTANT* Please Validate Your Account' 'Account Alert' 'Important Notification' '*IMPORTANT* Please Confirm Your Account' 'Security measures' 'Notice of account limitation' Message text is of the following format: 'Dear Valued Member, According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons. http://www.<domain name>/confirm.php?email=<email address> Thank you for your attention to this question. We apologize for any inconvenience. Sincerely, <company name> Security Department Assistant.' The URL link is faked and points to a remote website containing a sample of W32/Mytob-BD. When the link is clicked, a sample of W32/Mytob-BD is downloaded and executed. W32/Mytob-BD harvests email addresses from files on the infected computer and from the Windows address book as well as the Microsoft Internet Account Manager. W32/Mytob-BD may also attempt to download files from the Internet and steal system information. The W32/Mytob-BD virus identity file (IDE) includes detection for: W32/Mytob-DA http://www.sophos.com/virusinfo/analyses/w32mytobda.html W32/Mytob-T http://www.sophos.com/virusinfo/analyses/w32mytobt.html W32/Dabyrev-A http://www.sophos.com/virusinfo/analyses/w32dabyreva.html Customers with 3.xx or lower versions of Sophos Anti-Virus, who are not running EM Library, can manually download the IDE for W32/Mytob-BD from: http://www.sophos.com/downloads/ide/mytob-bd.ide Read about how to use IDE files at http://www.sophos.com/support/knowledgebase/article/363.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member