From; Sophos Alert System: Name: W32/Mytob-A Type: Win32 worm Date: 2 March 2005 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the April 2005 (3.92) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. At the time of writing, Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers. Information about W32/Mytob-A can be found at: http://www.sophos.com/virusinfo/analyses/w32mytoba.html W32/Mytob-A is a mass-mailing network worm and backdoor trojan that targets users of Internet Relay Chat programs. Upon execution W32/Mytob-A will copy itself to the default System folder as the file msnmsgr.exe and will create the following registry entries: HKCU\System\CurrentControlSet\Control\Lsa\ MSN msnmsgr.exe HKCU\Software\Microsoft\OLE\ MSN msnmsgr.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ MSN msnmsgr.exe HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ MSN msnmsgr.exe HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ MSN msnmsgr.exe W32/Mytob-A will use its own SMTP engine to send itself to email addresses harvested from the victim's computer but will avoid addresses containing certain strings. Emails sent by W32/Mytob-A will have the following characteristics: From: The from address will be Spoofed by W32/Mytob-A Subject: "Hi", "Hello", "Error", "test", "Mail Transaction Failed", "Status", "Mail Delivery System", "Server Report", Random text Body Text: "Mail transaction failed. Partial message is available.", "The message contains Unicode characters and has been sent as a binary attachment.", "The message cannot be represented in 7-bit ASCII encodingand has been sent as a binary attachment.", "test", No body text, Random characters. Attachment name: test, text, body, readme, doc, document, data, file, message, random characters, Possible attachment extensions, pif, scr, zip, cmd, exe. If the attachment is a zip archive the archived file may have a double extension, for example 'readme.htm .exe'. W32/Mytob-A will open an IRC channel called yakuza for incoming commands from a remote attacker and may also open backdoor TCP connections. This IDE file also includes detection for: Troj/Bancos-LN http://www.sophos.com/virusinfo/analyses/trojbancosln.html Troj/Dloader-IL http://www.sophos.com/virusinfo/analyses/trojdloaderil.html Troj/Bancos-CR http://www.sophos.com/virusinfo/analyses/trojbancoscr.html Troj/Dloader-IM http://www.sophos.com/virusinfo/analyses/trojdloaderim.html Troj/Dloader-IO http://www.sophos.com/virusinfo/analyses/trojdloaderio.html Troj/Dloader-IP http://www.sophos.com/virusinfo/analyses/trojdloaderip.html Troj/Dloader-IN http://www.sophos.com/virusinfo/analyses/trojdloaderin.html Troj/DellAll-S http://www.sophos.com/virusinfo/analyses/trojdellalls.html Download the IDE file from: http://www.sophos.com/downloads/ide/mytob-a.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member