[virusinfo] W32/Mytob-AJ

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Mon, 25 Apr 2005 22:19:00 -0700

From: Sophos Alert System:

Name: W32/Mytob-AJ
Type: Win32 worm
Date: 26 April 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the June 2005 (3.94) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received no reports from
users affected by this worm. However, we have issued this
advisory following enquiries to our support department from
customers.


Information about W32/Mytob-AJ can be found at:
http://www.sophos.com/virusinfo/analyses/w32mytobaj.html

W32/Mytob-AJ is a mass-mailing worm and backdoor Trojan that targets users of
Internet Relay Chat programs.

When first run the worm copies itself to the Windows system folder as
taskgmr.exe and creates the following registry entries so as to run itself on
user logon:

  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    "Windows Task Manager" = taskgmr.exe

  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    "Windows Task Manager" = taskgmr.exe
W32/Mytob-AJ is capable of spreading through various operating system 
vulnerabilities such as LSASS (MS04-011). 
The worm also appends the following mappings to the HOSTS file to deny access 
to anti-virus and security-related websites and also adds in a signature line 
at the end of the file: 
-=Copyright (C) 2005-2006 HellBot3 Team All Rights Reserved.=- 
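A defender-side check for the HOSTS tampering described above, as an added example that is not part of the Sophos advisory or of Mike's post: it parses a HOSTS file, reports every hostname other than localhost that has been sinkholed to a loopback address, and flags the signature line. The sample file is constructed here; the benign-name set is an assumption about a stock Windows host.

```python
from typing import List, Tuple

# Constructed sample of a HOSTS file after the modification the advisory
# describes: the stock localhost entry, a few vendor names sinkholed to
# loopback, and the worm's signature line appended at the end.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.microsoft.com
-=Copyright (C) 2005-2006 HellBot3 Team All Rights Reserved.=-
"""

# Constructed untouched file, for comparison.
CLEAN_HOSTS = "# stock file\n127.0.0.1 localhost\n::1 localhost\n"

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Assumption: names that legitimately resolve to loopback on a stock Windows host.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Marker text from the signature line quoted in the advisory.
WORM_SIGNATURE = "HellBot3 Team"


def audit_hosts(text: str) -> Tuple[List[str], bool]:
    """Return (names sinkholed to loopback, whether the worm's signature line is present)."""
    sinkholed: List[str] = []
    signature_seen = False
    for raw in text.splitlines():
        if WORM_SIGNATURE in raw:
            signature_seen = True
            continue
        line = raw.split("#", 1)[0].strip()      # strip comments and padding
        fields = line.split()
        if len(fields) < 2:
            continue                            # blank, comment-only or malformed line
        addr, names = fields[0], fields[1:]
        if addr not in LOOPBACK:
            continue                            # only loopback sinkholes are in scope here
        for name in names:
            if name.lower() not in BENIGN_LOOPBACK_NAMES:
                sinkholed.append(name.lower())
    return sinkholed, signature_seen


if __name__ == "__main__":
    names, sig = audit_hosts(SAMPLE_HOSTS)
    print("sinkholed names:", names)
    print("worm signature present:", sig)
```

On a live Windows host the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; any vendor update hostname in the result explains why signature updates silently fail.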
W32/Mytob-AJ harvests email addresses from files found on the infected computer 
and from the Windows address book. 
Emails sent by W32/Mytob-AJ have the following characteristics:

Subject line: chosen from
  read it immediately
  Hello
  Congratulations!
  Re: Approved document
  Re: Your document
  Re: Administration
  approved
  Is that your password?
  It's you!?
  Bonjour

From: chosen from
  contact@xxxxxxxxxxxxx
  postmaster@xxxxxxx
  support@xxxxxxxxx
  admin@xxxxxxx
  contact@xxxxxxx
  contact@xxxxxxx
  contact@xxxxxxxxxxxx

Message text: chosen from
  I have attached your informations.
  The original message was included as an attachment.
  Your document is attached.
  The message contains Unicode characters and has been sent as a binary
  attachment.
  For more details see the attachment.

Attached file: chosen from
  document
  details
  data
  important information
  your_doc
  message
  body

Attached file extension: chosen from
  pif
  scr
  exe
  cmd
  bat
  zip
The worm can also spread by mailing itself as a file attachment using the
filename isyq.scr.

For instances where W32/Mytob-AJ sends itself as a zip archive, the worm may
optionally create extensions where the first extension is DOC, TXT or HTM and
the final extension is PIF, SCR, EXE or ZIP.

The worm may also attempt to access or set up listeners on ports 15 and 256.
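A mail-gateway style check built from the lure strings and the attachment naming scheme listed above, as an added example that is not part of the Sophos advisory or of Mike's post: it flags the executable extensions, the DOC/TXT/HTM followed by PIF/SCR/EXE/ZIP double-extension disguise, the lure base names (including isyq) and the quoted subject and body phrases. The sample messages are constructed; the subject and body comparison rules are assumptions for illustration.

```python
from typing import List

# Lure strings quoted in the advisory; compared case-insensitively.
SUBJECTS = {"read it immediately", "hello", "congratulations!", "re: approved document",
            "re: your document", "re: administration", "approved",
            "is that your password?", "it's you!?", "bonjour"}
BODY_PHRASES = {"i have attached your informations.",
                "the original message was included as an attachment.",
                "your document is attached.", "for more details see the attachment.",
                "has been sent as a binary attachment."}
# Base names from the advisory plus the fixed name isyq (from isyq.scr).
BASENAMES = {"document", "details", "data", "important information", "your_doc",
             "message", "body", "isyq"}
EXEC_EXTS = {"pif", "scr", "exe", "cmd", "bat"}
DECOY_EXTS = {"doc", "txt", "htm"}          # first extension of the disguised name
FINAL_EXTS = EXEC_EXTS | {"zip"}            # final extension of the disguised name


def attachment_reasons(filename: str) -> List[str]:
    """Reasons a filename matches the worm's naming scheme (empty list if none)."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return []                           # no extension at all
    base, exts = parts[0], parts[1:]
    reasons = []
    if exts[-1] in EXEC_EXTS:
        reasons.append("executable extension ." + exts[-1])
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and exts[-1] in FINAL_EXTS:
        reasons.append("double extension ." + exts[-2] + "." + exts[-1])
    if base in BASENAMES and exts[-1] in FINAL_EXTS:
        reasons.append("lure base name '" + base + "'")
    return reasons


def message_reasons(subject: str, body: str, attachment: str) -> List[str]:
    """Combine subject, body and attachment indicators for one message."""
    reasons = []
    if subject.strip().lower() in SUBJECTS:
        reasons.append("lure subject")
    if any(p in body.lower() for p in BODY_PHRASES):
        reasons.append("lure body text")
    reasons.extend(attachment_reasons(attachment))
    return reasons


if __name__ == "__main__":
    # Constructed sample message shaped like the ones the advisory describes.
    print(message_reasons("Re: Your document", "Your document is attached.", "your_doc.txt.pif"))
```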
The following patches for the operating system vulnerabilities exploited by 
W32/Mytob-AJ can be obtained from the Microsoft website with each of the 
patches linked up to open in an external window: 

This IDE file also includes detection for:

Troj/SDBot-06
http://www.sophos.com/virusinfo/analyses/trojsdbot06.html
W32/Rbot-ABE
http://www.sophos.com/virusinfo/analyses/w32rbotabe.html
W32/Rbot-ABF
http://www.sophos.com/virusinfo/analyses/w32rbotabf.html
Troj/Vixdl-A
http://www.sophos.com/virusinfo/analyses/trojvixdla.html
Troj/Dumaru-BE
http://www.sophos.com/virusinfo/analyses/trojdumarube.html
Troj/Dloader-MS
http://www.sophos.com/virusinfo/analyses/trojdloaderms.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/mytob-aj.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
