[virusinfo] W32/Mytob-CU

• From: "Mike" <mikebike@xxxxxxxxx>
• To: virusinfo@xxxxxxxxxxxxx
• Date: Wed, 01 Jun 2005 18:33:05 -0700

From; Sophos Alert System:

Name: W32/Mytob-CU
Type: Win32 worm
Date: 2 June 2005

Sophos has issued protection for W32/Mytob-CU.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.

Customers using EM Library, Enterprise Console, PureMessage or
any of our Sophos small business solutions will be automatically
protected at their next scheduled update.


Information about W32/Mytob-CU can be found at:
http://www.sophos.com/virusinfo/analyses/w32mytobcu.html

W32/Mytob-CU is a mass-mailing worm and backdoor Trojan that can be controlled 
through the Internet Relay Chat (IRC) network. 
When first run W32/Mytob-CU copies itself to the Windows system folder as 
xxx.exe and creates the following registry entries: 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WINDOWS SYSTEM
"xxx.exe" 
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS SYSTEM
"xxx.exe" 
W32/Mytob-CU also appends the following to the HOSTS file to deny access to 
security related websites: 
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com 
W32/Mytob-CU is capable of spreading through email and through various 
operating system vulnerabilities such as LSASS (MS04-011). Email sent by 
W32/Mytob-CU has the following properties: 
Subject line: 
Notice: **Last Warning**
*DETECTED* Online User Violation
Your Email Account is Suspended For Security Reasons
Account Alert
Important Notification
*WARNING* Your Email Account Will Be Closed
Security measures
Email Account Suspension
Notice of account limitation 
Message text: 
Once you have completed the form in the attached file , your account records 
will not be interrupted and will continue as normal.
The original message has been included as an attachment.
We regret to inform you that your account has been suspended due to the 
violation of our site policy, more info is attached.
We attached some important information regarding your account.
Please read the attached document and follow it's instructions. 
The attached file consists of a base name followed by the extentions PIF, SCR, 
EXE or ZIP. The worm may optionally create double extensions where the first 
extension is DOC, TXT or HTM and the final extension is PIF, SCR, EXE or ZIP. 
The base filenames are randomly chosen from: 
email-info
email-doc
information
account-details
document
instructions
info-texg
information 
W32/Mytob-CU harvests email addresses from files on the infected computer and 
from the Windows address book. The worm avoids sending email to addresses that 
contain the following: 
michael
george
andrew
robert
brenda
claudia
icrosof
hotmail
borlan
inpris
example
mydomai
nodomai
ruslis
berkeley
ibm.com
google
kernel
usenet
rfc-ed
sendmail
acketst
tanford.e
utgers.ed
mozilla
be_loyal:
samples
postmaster
webmaster
nobody
nothing
anyone
someone
rating
contact
somebody
privacy
service
submit
gold-certs
the.bat
icrosoft
support
listserv
certific
google
accoun
administrator
service
register 

The W32/Mytob-CU virus identity file (IDE) includes detection for:


Troj/PWSjx-A
http://www.sophos.com/virusinfo/analyses/trojpwsjxa.html
W32/Sdbot-YZ
http://www.sophos.com/virusinfo/analyses/w32sdbotyz.html
Troj/Warspy-H
http://www.sophos.com/virusinfo/analyses/trojwarspyh.html
Troj/Olfeb-A
http://www.sophos.com/virusinfo/analyses/trojolfeba.html
Troj/Netdeny-A
http://www.sophos.com/virusinfo/analyses/trojnetdenya.html
W32/Antiman-D
http://www.sophos.com/virusinfo/analyses/w32antimand.html
W32/Rbot-ADY
http://www.sophos.com/virusinfo/analyses/w32rbotady.html
W32/Rbot-AEC
http://www.sophos.com/virusinfo/analyses/w32rbotaec.html
W32/Rbot-AED
http://www.sophos.com/virusinfo/analyses/w32rbotaed.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, 
who are not running EM Library, can manually download the IDE
for W32/Mytob-CU from:

http://www.sophos.com/downloads/ide/mytob-cu.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 

Other related posts:

• » [virusinfo] W32/Mytob-CU

1. Home
2. virusinfo
3. Archive
4. 06-2005

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---