From; Sophos Alert System: Name: W32/Mytob-M Aliases: Worm.Mytob.AS, W32/Mydoom.gen@MM, Net-Worm.Win32.Mytob.bd Type: Win32 worm Date: 2 June 2005 Sophos has issued protection for W32/Mytob-M. Sophos has received several reports of this worm from the wild. Customers using EM Library, Enterprise Console, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. Note: Updating W32/Mytob-M to enhance detection. Information about W32/Mytob-M can be found at: http://www.sophos.com/virusinfo/analyses/w32mytobm.html W32/Mytob-M is a mass-mailing worm and IRC backdoor Trojan. W32/Mytob-M runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels, including the ability to download and execute files on the infected computer. W32/Mytob-M can spread by sending itself as an email attachment to email addresses it harvests from the infected computer, either as an attachment with a double-extension or as a ZIP file containing a file with a double-extension. Emails sent by the worm have the following characteristics: Subject line: Notice: **Last Warning** *DETECTED* Online User Violation Your Email Account is Suspended For Security Reasons Account Alert Important Notification *WARNING* Your Email Account Will Be Closed Security measures Email Account Suspension Notice of account limitation Message body: Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal. The original message has been included as an attachment. We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached. We attached some important information regarding your account. Please read the attached document and follow it's instructions. Attachment base name: email-info email-doc information account-details document INFO instructions info-text information First extension (of attachment or of file inside ZIP): doc htm txt Second extension (of attachment or of file inside ZIP): pif scr exe cmd bat If the attachment is a ZIP file it will have the same base name as the double-extension file inside. Example attachment names include document.txt.pif and information.doc.cmd, usually with a large number of spaces between the extensions. W32/Mytob-M copies itself to the Window system folder with the filename "Lien vd Kelder.exe" and sets the following registry entries to run itself on system startup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run http://www.lienvandekelder.be "Lien vd Kelder.exe" HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices http://www.lienvandekelder.be "Lien vd Kelder.exe" W32/Mytob-M sets the following registry entries, disabling the automatic startup of other software: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess Start 4 W32/Mytob-M attempts to terminate a large number of processes related to security and anti-virus programs including REGEDIT.EXE, MSCONFIG.EXE and NETSTAT.EXE. W32/Mytob-M modifies the Windows hosts file in order to block access to the following security-related websites: 127.0.0.1 www.symantec.com 127.0.0.1 securityresponse.symantec.com 127.0.0.1 symantec.com 127.0.0.1 www.sophos.com 127.0.0.1 sophos.com 127.0.0.1 www.mcafee.com 127.0.0.1 mcafee.com 127.0.0.1 liveupdate.symantecliveupdate.com 127.0.0.1 www.viruslist.com 127.0.0.1 viruslist.com 127.0.0.1 viruslist.com 127.0.0.1 f-secure.com 127.0.0.1 www.f-secure.com 127.0.0.1 kaspersky.com 127.0.0.1 kaspersky-labs.com 127.0.0.1 www.avp.com 127.0.0.1 www.kaspersky.com 127.0.0.1 avp.com 127.0.0.1 www.networkassociates.com 127.0.0.1 networkassociates.com 127.0.0.1 www.ca.com 127.0.0.1 ca.com 127.0.0.1 mast.mcafee.com 127.0.0.1 my-etrust.com 127.0.0.1 www.my-etrust.com 127.0.0.1 download.mcafee.com 127.0.0.1 dispatch.mcafee.com 127.0.0.1 secure.nai.com 127.0.0.1 nai.com 127.0.0.1 www.nai.com 127.0.0.1 update.symantec.com 127.0.0.1 updates.symantec.com 127.0.0.1 us.mcafee.com 127.0.0.1 liveupdate.symantec.com 127.0.0.1 customer.symantec.com 127.0.0.1 rads.mcafee.com 127.0.0.1 trendmicro.com 127.0.0.1 www.trendmicro.com 127.0.0.1 www.grisoft.com 127.0.0.1 www.microsoft.com 127.0.0.1 microsoft.com 127.0.0.1 www.msn.com 127.0.0.1 www.virustotal.com 127.0.0.1 virustotal.com 127.0.0.1 www.oxyd.fr 127.0.0.1 oxyd.fr 127.0.0.1 www.t35.com 127.0.0.1 t35.com 127.0.0.1 www.t35.net 127.0.0.1 t35.net Customers with 3.xx or lower versions of Sophos Anti-Virus, who are not running EM Library, can manually download the IDE for W32/Mytob-M from: http://www.sophos.com/downloads/ide/mytob-m.ide Read about how to use IDE files at http://www.sophos.com/support/knowledgebase/article/363.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member