From: Sophos Alert System

Name: W32/Mytob-AH
Type: Win32 worm
Date: 21 April 2005

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the June 2005 (3.94) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.

Information about W32/Mytob-AH can be found at:
http://www.sophos.com/virusinfo/analyses/w32mytobah.html

W32/Mytob-AH is a mass-mailing network worm with IRC backdoor functionality.

W32/Mytob-AH copies itself to the file hostdrvXP.exe in the Windows system folder and creates the following registry entries in order to run at logon:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  WINTASKMANAGER = hostdrvXP.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  WINTASKMANAGER = hostdrvXP.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
  WINTASKMANAGER = hostdrvXP.exe

HKLM\Software\Microsoft\OLE
  WINTASKMANAGER = hostdrvXP.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  WINTASKMANAGER = hostdrvXP.exe

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
  WINTASKMANAGER = hostdrvXP.exe

HKCU\Software\Microsoft\OLE
  WINTASKMANAGER = hostdrvXP.exe

Emails sent by W32/Mytob-AH will have the following characteristics:

Subject line: one of
  Good day
  hello
  Mail Delivery System
  Mail Transaction Failed
  Server Report
  Status
  Error
  <random text>

Message text: one of
  Here are your banks documents.
  The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  The original message was included as an attachment.
  The message contains Unicode characters and has been sent as a binary attachment.
  Mail transaction failed. Partial message is available.

Attached file: one of
  document
  readme
  doc
  text
  file
  data
  test
  message
  body
  <random text>

Attachment extension: one of
  pif
  scr
  exe
  cmd
  bat

The attached file may have a double extension.

The worm will also drop hellmsn.exe into the C:\ folder and copy itself to the C:\ folder as the following files:
  funny_pic.scr
  my_photo2005.scr
  see_this!!.scr

Sophos detects hellmsn.exe as W32/Mytob-D.

W32/Mytob-AH will also modify the HOSTS file to prevent access to various anti-virus and security related websites.

W32/Mytob-AH connects to a preconfigured IRC server and joins a channel in which it can await further instructions.

W32/Mytob-AH attempts to spread to randomly-chosen IP addresses by exploiting the LSASS vulnerability (MS04-011). The patch for this vulnerability can be obtained from the Microsoft website: MS04-011

Download the IDE file from:
http://www.sophos.com/downloads/ide/mytob-ah.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats:
Zip file: http://www.sophos.com/downloads/ide/ides.zip
Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
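A mail-gateway triage rule built from the e-mail characteristics the advisory lists (subject lines, attachment base names, executable extensions, double extensions and the file names the worm writes to C:\), added here as an example; it is not Sophos code nor part of the original message, and the sample messages in its checks are constructed.

```python
from typing import Dict, List

# Indicator sets copied from the advisory text above; the scoring policy is an assumption.
MYTOB_AH_SUBJECTS = {
    "good day", "hello", "mail delivery system", "mail transaction failed",
    "server report", "status", "error",
}
MYTOB_AH_BASENAMES = {"document", "readme", "doc", "text", "file", "data",
                      "test", "message", "body"}
MYTOB_AH_EXTENSIONS = {"pif", "scr", "exe", "cmd", "bat"}
# Names the worm drops into C:\ (hellmsn.exe is detected separately as W32/Mytob-D).
MYTOB_AH_FILENAMES = {"funny_pic.scr", "my_photo2005.scr", "see_this!!.scr",
                      "hellmsn.exe"}


def attachment_findings(filename: str) -> List[str]:
    """Return the advisory indicators that an attachment file name matches."""
    lower = filename.strip().lower()
    findings = []
    if lower in MYTOB_AH_FILENAMES:
        findings.append("known W32/Mytob-AH file name: " + lower)
    parts = lower.split(".")
    if len(parts) < 2:
        return findings            # no extension at all, nothing more to check
    ext = parts[-1]
    if ext in MYTOB_AH_EXTENSIONS:
        findings.append("executable attachment extension ." + ext)
        if len(parts) > 2:         # e.g. document.txt.pif, the double extension case
            findings.append("double extension ." + ".".join(parts[1:]))
        if parts[0] in MYTOB_AH_BASENAMES:
            findings.append("advisory attachment name '" + parts[0] + "'")
    return findings


def triage(subject: str, attachment: str = "") -> Dict[str, object]:
    """Score one message. The advisory's subject lines are generic (one variant is
    random text), so the subject only supports a verdict; blocking requires the
    attachment itself to match an executable extension or a known file name."""
    reasons = []
    if subject.strip().lower() in MYTOB_AH_SUBJECTS:
        reasons.append("advisory subject line '" + subject.strip() + "'")
    if attachment:
        reasons.extend(attachment_findings(attachment))
    block = any(r.startswith(("executable", "known")) for r in reasons)
    return {"block": block, "reasons": reasons}
```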