[virusinfo] W32/Mytob-AG
- From: "Mike" <mikebike@xxxxxxxxx>
- To: virusinfo@xxxxxxxxxxxxx
- Date: Thu, 21 Apr 2005 08:38:19 -0700
From; Sophos Alert System:
Name: W32/Mytob-AG
Aliases: Net-Worm.Win32.Mytob.af, WORM_MYTOB.CA
Type: Win32 worm
Date: 21 April 2005
A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the June 2005 (3.94) release of Sophos Anti-Virus.
Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.
At the time of writing, Sophos has received a small number of
reports of this worm from the wild.
Information about W32/Mytob-AG can be found at:
http://www.sophos.com/virusinfo/analyses/w32mytobag.html
W32/Mytob-AG is a mass-mailing network worm with IRC backdoor functionality.
W32/Mytob-AG copies itself to the file w32NTupdt.exe in the Windows system
folder and creates the following registry entries in order to run at logon:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
A New Windows Updater
w32NTupdt.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
A New Windows Updater
w32NTupdt.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
A New Windows Updater
w32NTupdt.exe
HKLM\Software\Microsoft\OLE
A New Windows Updater
w32NTupdt.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
A New Windows Updater
w32NTupdt.exe
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
A New Windows Updater
w32NTupdt.exe
HKCU\Software\Microsoft\OLE
A New Windows Updater
w32NTupdt.exe
Emails sent by W32/Mytob-AG will have the following characteristics:
Subject: one of
Good day
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
<random text>
Body: one of
Here are your banks documents.
The message cannot be represented in 7-bit ASCII encoding and has been sent as
a binary attachment. The original message was included as an attachment.
The message contains Unicode characters and has been sent as a binary
attachment.
Mail transaction failed. Partial message is available.
Attachment name: one of
document
readme
doc
text
file
data
test
message
body
<random text>
Attachment extension: one of
pif
scr
exe
cmd
bat
The attached file may have a double extension.
W32/Mytob-AG connects to a preconfigured IRC server and joins a channel in
which it can await further instructions.
W32/Mytob-AG attempts to spread to randomly-chosen IP addresses by exploiting
the LSASS vulnerability (MS04-011). The patch for this vulnerability can be
obtained from the Microsoft website:
MS04-011.
This IDE file also includes detection for:
Troj/Dizzi-A
http://www.sophos.com/virusinfo/analyses/trojdizzia.html
Troj/BagleDl-O
http://www.sophos.com/virusinfo/analyses/trojbagledlo.html
Troj/Lineage-J
http://www.sophos.com/virusinfo/analyses/trojlineagej.html
W32/Rbot-AAZ
http://www.sophos.com/virusinfo/analyses/w32rbotaaz.html
Download the IDE file from:
http://www.sophos.com/downloads/ide/mytob-ag.ide
Download all the IDE files available for the current version of
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:
Zip file:
http://www.sophos.com/downloads/ide/ides.zip
Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe
Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html
*********** MIKE"S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
Other related posts:
- » [virusinfo] W32/Mytob-AG
