[virusinfo] Multiple Mytob variants cause outbreak

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Thu, 14 Apr 2005 11:09:57 -0700



From: Kaspersky Virus News. Thursday, April 14, 2005

1. Multiple Mytob variants cause outbreak
2. How to subscribe/unsubscribe
3. Security Rules

****

1. Multiple Mytob variants cause outbreak

Kaspersky Lab, a leading developer of secure content management
solutions, has detected a large number of new modifications of
Net-Worm.Win32.Mytob. At the time of writing, Kaspersky Lab virus
analysts have detected 26 variants of the worm, and it seems highly
likely that there are more to come. The new versions of Mytob, and the
speed at which they are spreading, have caused a significant outbreak.

Net-Worm.Win32.Mytob.c
(http://www.viruslist.com/en/viruses/encyclopedia?virusid=74858), which
was first detected on the 1st March, represents a particular threat. It
is responsible for 30% of the malicious code detected in mail traffic
over the past three weeks. And five or six other versions of the Mytob
family have places in the Kaspersky Lab Virus Top Twenty, which goes to
show just how fast these worms are spreading.

Mytob is based on Mydoom.a source code, and infects computers running
Windows. It penetrates victim machines both via a vulnerability in the
Windows LSASS service and as an attachment to infected email messages.

Once launched, the worm copies itself to the Windows system directory,
and registers this file in the system registry. This ensures that a copy
of the worm will be launched each time Windows is rebooted. The worm
harvests email addresses from the infected machine's file system. It
will not, however, send itself to certain addresses which appear to
belong to antivirus companies, software developers, or educational
institutions among others. (Click here
(http://www.viruslist.com/en/viruses/encyclopedia?virusid=74564) for a
full list).

At the same time, Mytob selects IP addresses to attack, and sends a
request to TCP port 445 on the potential victim machine. If the remote
computer responds, the worm will launch its code on this new victim
machine via the LSASS vulnerability. In addition to this replication
mechanism, Mytob worms also contain a bot component, which enables a
remote malicious user to access information saved on the victim machine
and control it via IRC channels.

This outbreak could also potentially be exacerbated by the latest
Microsoft security update, which listed several new vulnerabilities, 5
of them rated critical. If virus writers decide to exploit these
vulnerabilities, it could cause a global epidemic. 'We're certain
that the computer underground is working actively on creating new and
even more dangerous malicious code which will exploit these loopholes.
To keep your data safe, we strongly recommend that you download and
install the latest Microsoft patches
(http://www.microsoft.com/technet/security/bulletin/ms05-apr.mspx)
now,' said Eugene Kaspersky, head of Anti-Virus Research at
Kaspersky Lab.

Kaspersky Anti-Virus databases have already been updated with detection
for Mytob worms. You can find more information about this family of
malicious programs in the Kaspersky Virus Encyclopaedia.
(http://www.viruslist.com/en/alerts?alertid=162187087)



**

2. How to subscribe

If you would like to subscribe to other Kaspersky Lab news blocks or 
to unsubscribe from this news block, you can do so by visiting
http://www.kaspersky.com/subscribenow.html

If you experience any problems with this procedure, 
please contact us at:
webmaster@xxxxxxxxxxxxx

3. Security Rules

To avert unsanctioned attempts to distribute false or forged email news
messages purportedly originating from Kaspersky Labs, please note that
real Kaspersky Labs news messages are sent only in plain text format and
never include file attachments.

If you receive an email that disregards these strict guidelines, please do
not open it, but rather forward it to Kaspersky Labs technical support
(support@xxxxxxxxxxxxx) so its contents can be examined.


****

Best Regards,

Kaspersky Labs Threats Information Department


-----
10 Geroyev Panfilovtsev St.,
125363, Moscow
Russia
Telephone/Facsimile: +7 (095) 797 87 00
WWW: http://www.kaspersky.com
FTP: ftp://ftp.kaspersky.com
Email: webmaster@xxxxxxxxxxxxx

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
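The bulletin above describes Mytob picking IP addresses and probing TCP port 445 on each one before delivering its LSASS exploit. From a defender's side, that behaviour shows up in firewall or flow logs as one internal host fanning out to many distinct addresses on port 445 in a short time, which is easy to separate from a normal client that talks to a single file server on the same port. The script below is an added example, not part of the Kaspersky bulletin or Mike's post and not Kaspersky's tooling: it parses a constructed key=value log format (an assumption), groups TCP/445 connections by source, and flags any source that reaches at least `threshold` distinct destinations within a sliding `window`. The sample log lines, the 10-target / 60-second threshold and the log format are all constructed for illustration.

```python
"""Flag hosts that fan out to TCP/445 across many distinct addresses, the
traffic pattern an LSASS-spreading worm such as Mytob leaves in firewall
or flow logs.  Added example; log format and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed "ts src= dst= proto= dport=" format.
# 10.0.0.5 probes 12 different hosts on 445 in 12 seconds (worm-like),
# 10.0.0.9 talks repeatedly to one file server on 445 (benign),
# 10.0.0.7 contacts two web servers on 80 (not the port of interest),
# and one malformed line is included to show that parsing skips it.
SAMPLE_LOG = """\
2005-04-14T11:00:00 src=10.0.0.5 dst=10.0.1.10 proto=tcp dport=445
2005-04-14T11:00:01 src=10.0.0.5 dst=10.0.1.11 proto=tcp dport=445
2005-04-14T11:00:02 src=10.0.0.5 dst=10.0.1.12 proto=tcp dport=445
2005-04-14T11:00:03 src=10.0.0.5 dst=10.0.1.13 proto=tcp dport=445
2005-04-14T11:00:04 src=10.0.0.5 dst=10.0.1.14 proto=tcp dport=445
2005-04-14T11:00:05 src=10.0.0.9 dst=10.0.1.10 proto=tcp dport=445
2005-04-14T11:00:05 src=10.0.0.5 dst=10.0.1.15 proto=tcp dport=445
2005-04-14T11:00:06 src=10.0.0.9 dst=10.0.1.10 proto=tcp dport=445
2005-04-14T11:00:06 src=10.0.0.5 dst=10.0.1.16 proto=tcp dport=445
2005-04-14T11:00:07 src=10.0.0.9 dst=10.0.1.10 proto=tcp dport=445
2005-04-14T11:00:07 src=10.0.0.5 dst=10.0.1.17 proto=tcp dport=445
2005-04-14T11:00:08 src=10.0.0.5 dst=10.0.1.18 proto=tcp dport=445
2005-04-14T11:00:09 src=10.0.0.5 dst=10.0.1.19 proto=tcp dport=445
2005-04-14T11:00:10 src=10.0.0.5 dst=10.0.1.20 proto=tcp dport=445
2005-04-14T11:00:11 src=10.0.0.5 dst=10.0.1.21 proto=tcp dport=445
2005-04-14T11:00:01 src=10.0.0.7 dst=203.0.113.1 proto=tcp dport=80
2005-04-14T11:00:02 src=10.0.0.7 dst=203.0.113.2 proto=tcp dport=80
this line is not a valid record and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_events(text):
    """Return a list of (timestamp, src, dst, proto, dport) tuples, one per
    well-formed line.  Malformed lines are skipped so one bad record does
    not abort the whole scan."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((
            datetime.fromisoformat(m["ts"]),
            m["src"], m["dst"], m["proto"].lower(), int(m["dport"]),
        ))
    return events


def find_scanners(events, port=445, threshold=10, window=timedelta(seconds=60)):
    """Return {src: {"distinct_targets": n, "window_start": iso_ts}} for every
    source that contacts at least `threshold` distinct destinations on
    TCP/`port` inside any `window`-long interval.  Repeated connections to
    the same destination count once, which keeps a busy file-server client
    from being mistaken for a scanner."""
    by_src = defaultdict(list)
    for ts, src, dst, proto, dport in events:
        if proto == "tcp" and dport == port:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, hits in by_src.items():
        hits.sort()  # chronological order so the window slides forward
        for i, (start, _) in enumerate(hits):
            targets = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(targets) >= threshold:
                flagged[src] = {"distinct_targets": len(targets),
                                "window_start": start.isoformat()}
                break  # first qualifying window is enough to raise an alert
    return flagged


if __name__ == "__main__":
    for src, info in find_scanners(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: {info['distinct_targets']} distinct TCP/445 targets "
              f"from {info['window_start']}")
```

Only the fan-out host is reported; the client hammering one file server and the host browsing port 80 are not. In a real deployment the threshold should be tuned against a baseline of legitimate SMB traffic (domain controllers and backup servers legitimately reach many hosts on 445), and a hit is a prompt to isolate the source and check it for the persistence entries the bulletin describes, not a verdict on its own.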


