[virusinfo] W32/Mytob-U

• From: "Mike" <mikebike@xxxxxxxxx>
• To: virusinfo@xxxxxxxxxxxxx
• Date: Tue, 07 Jun 2005 09:04:33 -0700

From; Sophos Alert System:

Name: W32/Mytob-U
Type: Win32 worm
Date: 7 June 2005

Sophos has issued protection for W32/Mytob-U.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.

Customers using EM Library, Enterprise Console, PureMessage or
any of our Sophos small business solutions will be automatically
protected at their next scheduled update.


Information about W32/Mytob-U can be found at:
http://www.sophos.com/virusinfo/analyses/w32mytobu.html

W32/Mytob-U is a mass-mailing worm and IRC backdoor Trojan. 
W32/Mytob-U runs continuously in the background, providing a backdoor server 
which allows a remote intruder to gain access and control over the computer via 
IRC channels, including the ability to download and execute files on the 
infected computer. 
W32/Mytob-U can spread by sending itself as an email attachment to email 
addresses it harvests from the infected computer, either as an attachment with 
a double-extension or as a zip file containing a file with a double-extension. 
Emails sent by the worm have characteristics from the following: 
Subject line: 
Notice: **Last Warning**
*DETECTED* Online User Violation
Your Email Account is Suspended For Security Reasons
Account Alert
Important Notification
*WARNING* Your Email Account Will Be Closed
Security measures
Email Account Suspension
Notice of account limitation 
Message body: 
Once you have completed the form in the attached file , your account records 
will not be interrupted and will continue as normal. 
The original message has been included as an attachment. 
We regret to inform you that your account has been suspended due to the 
violation of our site policy, more info is attached. 
We attached some important information regarding your account. 
Please read the attached document and follow it's instructions. 
Attachment name: 
email-info
email-doc
information
account-details
document
INFO
instructions
info-text
information 
First extension (of attachment or of file inside zip): 
doc
htm
txt 
Second extension (of attachment or of file inside zip): 
pif
scr
exe
cmd
bat 
If the attachment is a zip file it will have the same base name as the 
double-extension file inside. 
Example attachment names include document.txt.pif and information.doc.cmd, 
usually with a large number of spaces between the extensions. 
W32/Mytob-U copies itself to the Window system folder with the filename 
"LienVdK.exe" and sets the following registry entries to run itself on system 
startup: 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
http://www.lienvandekelder.be =
"LienVdK.exe" 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
http://www.lienvandekelder.be =
"LienVdK.exe" 
W32/Mytob-U sets the following registry entries, disabling the automatic 
startup of other software: 
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4 
W32/Mytob-U attempts to terminate a large number of processes related to 
security and anti-virus programs including REGEDIT.EXE, MSCONFIG.EXE and 
NETSTAT.EXE. 
W32/Mytob-U modifies the Windows hosts file in order to block access to the 
following security-related websites: 
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 www.lycos-vds.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.msn.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.oxyd.fr
127.0.0.1 oxyd.fr
127.0.0.1 www.t35.com
127.0.0.1 t35.com
127.0.0.1 www.t35.net
127.0.0.1 t35.net 

Customers with 3.xx or lower versions of Sophos Anti-Virus, 
who are not running EM Library, can manually download the IDE
for W32/Mytob-U from:

http://www.sophos.com/downloads/ide/mytob-u.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 

Other related posts:

• » [virusinfo] W32/Mytob-U

1. Home
2. virusinfo
3. Archive
4. 06-2005

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---