[virusinfo] W32/Mytob-A
- From: "Mike" <mikebike@xxxxxxxxx>
- To: virusinfo@xxxxxxxxxxxxx
- Date: Wed, 02 Mar 2005 09:09:42 -0800
From; Sophos Alert System:
Name: W32/Mytob-A
Type: Win32 worm
Date: 2 March 2005
A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the April 2005 (3.92) release of Sophos Anti-Virus.
Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.
At the time of writing, Sophos has received no reports from
users affected by this worm. However, we have issued this
advisory following enquiries to our support department from
customers.
Information about W32/Mytob-A can be found at:
http://www.sophos.com/virusinfo/analyses/w32mytoba.html
W32/Mytob-A is a mass-mailing network worm and backdoor trojan that targets
users of Internet Relay Chat programs.
Upon execution W32/Mytob-A will copy itself to the default System folder as the
file msnmsgr.exe and will create the following registry entries:
HKCU\System\CurrentControlSet\Control\Lsa\
MSN
msnmsgr.exe
HKCU\Software\Microsoft\OLE\
MSN
msnmsgr.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
MSN
msnmsgr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MSN
msnmsgr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
MSN
msnmsgr.exe
W32/Mytob-A will use its own SMTP engine to send itself to email addresses
harvested from the victim's computer but will avoid addresses containing
certain strings. Emails sent by W32/Mytob-A will have the following
characteristics:
From: The from address will be Spoofed by W32/Mytob-A
Subject:
"Hi",
"Hello",
"Error",
"test",
"Mail Transaction Failed",
"Status",
"Mail Delivery System",
"Server Report",
Random text
Body Text:
"Mail transaction failed. Partial message is available.",
"The message contains Unicode characters and has been sent as a binary
attachment.",
"The message cannot be represented in 7-bit ASCII encodingand has been sent as
a binary attachment.",
"test",
No body text,
Random characters.
Attachment name:
test,
text,
body,
readme,
doc,
document,
data,
file,
message,
random characters,
Possible attachment extensions,
pif,
scr,
zip,
cmd,
exe.
If the attachment is a zip archive the archived file may have a double
extension, for example 'readme.htm .exe'.
W32/Mytob-A will open an IRC channel called yakuza for incoming commands from a
remote attacker and may also open backdoor TCP connections.
This IDE file also includes detection for:
Troj/Bancos-LN
http://www.sophos.com/virusinfo/analyses/trojbancosln.html
Troj/Dloader-IL
http://www.sophos.com/virusinfo/analyses/trojdloaderil.html
Troj/Bancos-CR
http://www.sophos.com/virusinfo/analyses/trojbancoscr.html
Troj/Dloader-IM
http://www.sophos.com/virusinfo/analyses/trojdloaderim.html
Troj/Dloader-IO
http://www.sophos.com/virusinfo/analyses/trojdloaderio.html
Troj/Dloader-IP
http://www.sophos.com/virusinfo/analyses/trojdloaderip.html
Troj/Dloader-IN
http://www.sophos.com/virusinfo/analyses/trojdloaderin.html
Troj/DellAll-S
http://www.sophos.com/virusinfo/analyses/trojdellalls.html
Download the IDE file from:
http://www.sophos.com/downloads/ide/mytob-a.ide
Download all the IDE files available for the current version of
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:
Zip file:
http://www.sophos.com/downloads/ide/ides.zip
Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe
Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html
*********** MIKE"S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
Other related posts:
- » [virusinfo] W32/Mytob-A
