From; Sophos Alert System: Name: W32/Mytob-CU Type: Win32 worm Date: 2 June 2005 Sophos has issued protection for W32/Mytob-CU. At the time of writing, Sophos has received a small number of reports of this worm from the wild. Customers using EM Library, Enterprise Console, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. Information about W32/Mytob-CU can be found at: http://www.sophos.com/virusinfo/analyses/w32mytobcu.html W32/Mytob-CU is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network. When first run W32/Mytob-CU copies itself to the Windows system folder as xxx.exe and creates the following registry entries: HKLM\Software\Microsoft\Windows\CurrentVersion\Run WINDOWS SYSTEM "xxx.exe" HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices WINDOWS SYSTEM "xxx.exe" W32/Mytob-CU also appends the following to the HOSTS file to deny access to security related websites: 127.0.0.1 www.symantec.com 127.0.0.1 securityresponse.symantec.com 127.0.0.1 symantec.com 127.0.0.1 www.sophos.com 127.0.0.1 sophos.com 127.0.0.1 www.mcafee.com 127.0.0.1 mcafee.com 127.0.0.1 liveupdate.symantecliveupdate.com 127.0.0.1 www.viruslist.com 127.0.0.1 viruslist.com 127.0.0.1 viruslist.com 127.0.0.1 f-secure.com 127.0.0.1 www.f-secure.com 127.0.0.1 kaspersky.com 127.0.0.1 www.avp.com 127.0.0.1 www.kaspersky.com 127.0.0.1 avp.com 127.0.0.1 www.networkassociates.com 127.0.0.1 networkassociates.com 127.0.0.1 www.ca.com 127.0.0.1 ca.com 127.0.0.1 mast.mcafee.com 127.0.0.1 my-etrust.com 127.0.0.1 www.my-etrust.com 127.0.0.1 download.mcafee.com 127.0.0.1 dispatch.mcafee.com 127.0.0.1 secure.nai.com 127.0.0.1 nai.com 127.0.0.1 www.nai.com 127.0.0.1 update.symantec.com 127.0.0.1 updates.symantec.com 127.0.0.1 us.mcafee.com 127.0.0.1 liveupdate.symantec.com 127.0.0.1 customer.symantec.com 127.0.0.1 rads.mcafee.com 127.0.0.1 trendmicro.com 127.0.0.1 www.microsoft.com 127.0.0.1 www.trendmicro.com W32/Mytob-CU is capable of spreading through email and through various operating system vulnerabilities such as LSASS (MS04-011). Email sent by W32/Mytob-CU has the following properties: Subject line: Notice: **Last Warning** *DETECTED* Online User Violation Your Email Account is Suspended For Security Reasons Account Alert Important Notification *WARNING* Your Email Account Will Be Closed Security measures Email Account Suspension Notice of account limitation Message text: Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal. The original message has been included as an attachment. We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached. We attached some important information regarding your account. Please read the attached document and follow it's instructions. The attached file consists of a base name followed by the extentions PIF, SCR, EXE or ZIP. The worm may optionally create double extensions where the first extension is DOC, TXT or HTM and the final extension is PIF, SCR, EXE or ZIP. The base filenames are randomly chosen from: email-info email-doc information account-details document instructions info-texg information W32/Mytob-CU harvests email addresses from files on the infected computer and from the Windows address book. The worm avoids sending email to addresses that contain the following: michael george andrew robert brenda claudia icrosof hotmail borlan inpris example mydomai nodomai ruslis berkeley ibm.com google kernel usenet rfc-ed sendmail acketst tanford.e utgers.ed mozilla be_loyal: samples postmaster webmaster nobody nothing anyone someone rating contact somebody privacy service submit gold-certs the.bat icrosoft support listserv certific google accoun administrator service register The W32/Mytob-CU virus identity file (IDE) includes detection for: Troj/PWSjx-A http://www.sophos.com/virusinfo/analyses/trojpwsjxa.html W32/Sdbot-YZ http://www.sophos.com/virusinfo/analyses/w32sdbotyz.html Troj/Warspy-H http://www.sophos.com/virusinfo/analyses/trojwarspyh.html Troj/Olfeb-A http://www.sophos.com/virusinfo/analyses/trojolfeba.html Troj/Netdeny-A http://www.sophos.com/virusinfo/analyses/trojnetdenya.html W32/Antiman-D http://www.sophos.com/virusinfo/analyses/w32antimand.html W32/Rbot-ADY http://www.sophos.com/virusinfo/analyses/w32rbotady.html W32/Rbot-AEC http://www.sophos.com/virusinfo/analyses/w32rbotaec.html W32/Rbot-AED http://www.sophos.com/virusinfo/analyses/w32rbotaed.html Customers with 3.xx or lower versions of Sophos Anti-Virus, who are not running EM Library, can manually download the IDE for W32/Mytob-CU from: http://www.sophos.com/downloads/ide/mytob-cu.ide Read about how to use IDE files at http://www.sophos.com/support/knowledgebase/article/363.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member