[virusinfo] W32/Mytob-CZ

• From: "Mike" <mikebike@xxxxxxxxx>
• To: virusinfo@xxxxxxxxxxxxx
• Date: Wed, 01 Jun 2005 13:49:05 -0700

From; Sophos Alert System:

Name: W32/Mytob-CZ
Type: Win32 worm
Date: 1 June 2005

Sophos has issued protection for W32/Mytob-CZ.

Sophos has received several reports of this worm from the wild.

Customers using EM Library, Enterprise Console, PureMessage or
any of our Sophos small business solutions will be automatically
protected at their next scheduled update.


Information about W32/Mytob-CZ can be found at:
http://www.sophos.com/virusinfo/analyses/w32mytobcz.html

W32/Mytob-CZ is a mass-mailing worm with backdoor functionality that can be 
controlled through the Internet Relay Chat (IRC) network. 
When first run W32/Mytob-CZ copies itself to the Windows system folder as 
Lien.exe and creates the following registry entries: 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
http://www.lienvandekelder.be
"taskgmr.exe" 
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
http://www.lienvandekelder.be
"taskgmr.exe" 
W32/Mytob-CZ also appends the following to the HOSTS file to deny access to 
security related websites: 
127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 customer.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 rads.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 www.avp.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.com 
W32/Mytob-CZ is capable of spreading through email and through various 
operating system vulnerabilities such as LSASS (MS04-011). Email sent by 
W32/Mytob-CZ has the following properties: 
Subject line: 
*DETECTED* Online User Violation 
*WARNING* Your Email Account Will Be Closed 
Account Alert 
Email Account Suspension 
Important Notification 
Notice of account limitation 
Notice: **Last Warning** 
Security measures 
Your Email Account is Suspended For Security Reasons 
Message text: 
Once you have completed the form in the attached file , your account records 
will not be interrupted and will continue as normal. 
The original message has been included as an attachment. 
We regret to inform you that your account has been suspended due to the 
violation of our site policy, more info is attached. 
We attached some important information regarding your account. 
Please read the attached document and follow it's instructions. 
The attached file consists of a base name followed by the extentions PIF, SCR, 
EXE or ZIP. The worm may optionally create double extensions where the first 
extension is DOC, TXT or HTM and the final extension is PIF, SCR, EXE or ZIP. 
The base filenames are randomly chosen from: 
account-details
document
email-doc
email-info
info-text
information
information
instructions 
W32/Mytob-CZ harvests email addresses from files on the infected computer and 
from the Windows address book. The worm avoids sending email to addresses that 
contain the following: 
.gov
.mil
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
google
gov.
help
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
linux
listserv
math
me
mit.e
mozilla
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
submit
support
syma
tanford.e
the.bat
unix
unix
usenet
utgers.ed
webmaster
you
your 
 

Customers with 3.xx or lower versions of Sophos Anti-Virus, 
who are not running EM Library, can manually download the IDE
for W32/Mytob-CZ from:

http://www.sophos.com/downloads/ide/mytob-cz.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 

Other related posts:

• » [virusinfo] W32/Mytob-CZ

1. Home
2. virusinfo
3. Archive
4. 06-2005

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---