From: Sophos Alert System

Name: W32/Mytob-AG
Aliases: Net-Worm.Win32.Mytob.af, WORM_MYTOB.CA
Type: Win32 worm
Date: 21 April 2005

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the June 2005 (3.94) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received a small number of reports of this worm from the wild.

Information about W32/Mytob-AG can be found at:
http://www.sophos.com/virusinfo/analyses/w32mytobag.html

W32/Mytob-AG is a mass-mailing network worm with IRC backdoor functionality.

W32/Mytob-AG copies itself to the file w32NTupdt.exe in the Windows system folder and creates the following registry entries in order to run at logon (in each case the value is named "A New Windows Updater" and contains w32NTupdt.exe):

  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  HKLM\SYSTEM\CurrentControlSet\Control\Lsa
  HKLM\Software\Microsoft\OLE
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  HKCU\SYSTEM\CurrentControlSet\Control\Lsa
  HKCU\Software\Microsoft\OLE

Emails sent by W32/Mytob-AG will have the following characteristics:

Subject: one of
  Good day
  hello
  Mail Delivery System
  Mail Transaction Failed
  Server Report
  Status
  Error
  <random text>

Body: one of
  Here are your banks documents.
  The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  The original message was included as an attachment.
  The message contains Unicode characters and has been sent as a binary attachment.
  Mail transaction failed. Partial message is available.

Attachment name: one of
  document
  readme
  doc
  text
  file
  data
  test
  message
  body
  <random text>

Attachment extension: one of
  pif
  scr
  exe
  cmd
  bat

The attached file may have a double extension.

W32/Mytob-AG connects to a preconfigured IRC server and joins a channel in which it can await further instructions.

W32/Mytob-AG attempts to spread to randomly-chosen IP addresses by exploiting the LSASS vulnerability (MS04-011). The patch for this vulnerability can be obtained from the Microsoft website: MS04-011.

This IDE file also includes detection for:
  Troj/Dizzi-A    http://www.sophos.com/virusinfo/analyses/trojdizzia.html
  Troj/BagleDl-O  http://www.sophos.com/virusinfo/analyses/trojbagledlo.html
  Troj/Lineage-J  http://www.sophos.com/virusinfo/analyses/trojlineagej.html
  W32/Rbot-AAZ    http://www.sophos.com/virusinfo/analyses/w32rbotaaz.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/mytob-ag.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats:
  Zip file: http://www.sophos.com/downloads/ide/ides.zip
  Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html

*********** MIKE"S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
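The email characteristics listed in the alert above (fixed subjects, body texts, attachment base names, executable extensions, double extensions) turned into a mail-gateway style check, as an added example that is not part of the Sophos alert or Mike's post. The SAMPLE message is constructed for illustration; the "<random text>" subject and attachment-name variants the alert mentions cannot be matched by a fixed list and are not covered.

```python
# Added example (not from the Sophos alert or Mike's post): a mail-gateway style check
# for the W32/Mytob-AG message traits listed above; SAMPLE is constructed, not captured.
from email import message_from_string, policy
SUBJECTS = {"good day", "hello", "mail delivery system", "mail transaction failed",
            "server report", "status", "error"}
ATTACH_NAMES = {"document", "readme", "doc", "text", "file", "data", "test", "message", "body"}
ATTACH_EXTS = {"pif", "scr", "exe", "cmd", "bat"}
BODY_PHRASES = ("here are your banks documents", "sent as a binary attachment",
                "original message was included as an attachment", "mail transaction failed")

def attachment_reasons(filename):
    # Reasons an attachment name matches the alert's pattern (empty if none)
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return []                             # no extension at all
    reasons = []
    if parts[-1] in ATTACH_EXTS:
        reasons.append("executable extension ." + parts[-1])
    if len(parts) > 2:
        reasons.append("double extension")    # e.g. document.txt.pif
    if parts[0] in ATTACH_NAMES:
        reasons.append("known attachment base name")
    return reasons

def score_message(raw):
    # Return the Mytob-AG indicators found in a raw RFC 822 message
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    if str(msg["Subject"] or "").strip().lower() in SUBJECTS:
        reasons.append("known subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(p in text for p in BODY_PHRASES):
        reasons.append("known body text")
    for part in msg.iter_attachments():       # non-body MIME parts
        reasons.extend(attachment_reasons(part.get_filename() or ""))
    return reasons

SAMPLE = """Subject: Mail Delivery System
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Mail transaction failed. Partial message is available.
--b1
Content-Type: application/octet-stream; name="document.txt.pif"
Content-Disposition: attachment; filename="document.txt.pif"

--b1--
"""
```

Calling score_message(SAMPLE) returns every indicator the constructed message carries; a plain text-only message with an ordinary subject returns an empty list.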