[virusinfo] W32/Mytob-BD

• From: "Mike" <mikebike@xxxxxxxxx>
• To: virusinfo@xxxxxxxxxxxxx
• Date: Mon, 06 Jun 2005 20:18:28 -0700

From; Sophos Alert System:

Name: W32/Mytob-BD
Aliases: Net-Worm.Win32.Mytob.bd
Type: Win32 worm
Date: 7 June 2005

Sophos has issued protection for W32/Mytob-BD.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.

Customers using EM Library, Enterprise Console, PureMessage or
any of our Sophos small business solutions will be automatically
protected at their next scheduled update.


Information about W32/Mytob-BD can be found at:
http://www.sophos.com/virusinfo/analyses/w32mytobbd.html

W32/Mytob-BD is a mass-mailing worm and backdoor Trojan that can be controlled 
through the Internet Relay Chat (IRC) network. 
When first run W32/Mytob-BD copies itself to the Windows system folder as 
test2.exe and creates the following registry entries: 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS SYSTEM
test2.exe 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS SYSTEM
test2.exe 
W32/Mytob-BD also disables the Windows XP firewall by changing the following 
default registry entry from: 
from:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
00000003 
to:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
00000004 
W32/Mytob-BD terminates system and anti-virus related processes including 
CMD.EXE, TASKMON.EXE and REGEDIT.EXE. 
W32/Mytob-BD also appends the following mappings to the HOSTS file to deny 
access to trading, financial and security related websites: 
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com 
Emails sent by W32/Mytob-BD have the following properties: 
Subject lines chosen from: 
'Notice: **Last Warning**'
'*IMPORTANT* Please Validate Your Account'
'Account Alert'
'Important Notification'
'*IMPORTANT* Please Confirm Your Account'
'Security measures'
'Notice of account limitation' 
Message text is of the following format: 
'Dear Valued Member, 
According to our site policy you will have to confirm your account by the 
following link or else your account will be suspended within 24 hours for 
security reasons. 
http://www.<domain name>/confirm.php?email=<email address> 
Thank you for your attention to this question. We apologize for any 
inconvenience. 
Sincerely, <company name> Security Department Assistant.' 
The URL link is faked and points to a remote website containing a sample of 
W32/Mytob-BD. When the link is clicked, a sample of W32/Mytob-BD is downloaded 
and executed. 
W32/Mytob-BD harvests email addresses from files on the infected computer and 
from the Windows address book as well as the Microsoft Internet Account 
Manager. 
W32/Mytob-BD may also attempt to download files from the Internet and steal 
system information. 

The W32/Mytob-BD virus identity file (IDE) includes detection for:


W32/Mytob-DA
http://www.sophos.com/virusinfo/analyses/w32mytobda.html
W32/Mytob-T
http://www.sophos.com/virusinfo/analyses/w32mytobt.html
W32/Dabyrev-A
http://www.sophos.com/virusinfo/analyses/w32dabyreva.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, 
who are not running EM Library, can manually download the IDE
for W32/Mytob-BD from:

http://www.sophos.com/downloads/ide/mytob-bd.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 

Other related posts:

• » [virusinfo] W32/Mytob-BD

1. Home
2. virusinfo
3. Archive
4. 06-2005

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---