[virusinfo] W32/Mytob-AK

• From: "Mike" <mikebike@xxxxxxxxx>
• To: virusinfo@xxxxxxxxxxxxx
• Date: Tue, 26 Apr 2005 09:38:13 -0700

From; Sophos Alert System:

Name: W32/Mytob-AK
Aliases: WORM_MYTOB.BT
Type: Win32 worm
Date: 26 April 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the June 2005 (3.94) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.


Information about W32/Mytob-AK can be found at:
http://www.sophos.com/virusinfo/analyses/w32mytobak.html

W32/Mytob-AK is a mass-mailing worm and IRC backdoor Trojan. 
W32/Mytob-AK is capable of spreading through operating system vulnerabilities, 
including the LSASS (MS04-011) exploit. 
W32/Mytob-AK can harvest email addresses from files on the infected computer 
and from the Windows address book. 
Emails sent by the worm have the following characteristics: 
Subject line:
Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
Good day
<blank> 
Message body:
The message contains Unicode characters and has been sent as a binary 
attachment. 
Mail transaction failed. Partial message is available. 
The message cannot be represented in 7-bit ASCII encoding and has been sent as 
a binary attachment. 
The original message was included as an attachment, 
Here are your bank documents 
W32/Mytob-AK copies itself to the Windows system folder as "taskgmr32.exe " and 
creates the following registry entries in order to run automatically on 
computer login: 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WINTASK =
taskgmr32.exe 
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
WINTASK =
taskgmr32.exe 
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
WINTASK =
taskgmr32.exe 
The worm also creates the following registry entries: 
HKCU\SYSTEM\CurrentControlSet\Control\Lsa\
WINTASK =
taskgmr32.exe 
HKCU\Software\Microsoft\OLE\
WINTASK =
taskgmr32.exe 
HKLM\SOFTWARE\Microsoft\Ole\
WINTASK =
taskgmr32.exe 
W32/Mytob-AK copies itself to the root folder with the following filenames: 
funny_pic.scr
my_photo2005.scr
see_this!!.scr 
W32/Mytob-AK blocks access to security-related websites by writing the 
following entries to the Windows hosts file: 
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.trendmicro.com 
W32/Mytob-AK may create a new file detected by Sophos as W32/Mytob-D. 

This IDE file also includes detection for:

W32/Kelvir-T
http://www.sophos.com/virusinfo/analyses/w32kelvirt.html
Troj/Restrict-A
http://www.sophos.com/virusinfo/analyses/trojrestricta.html
Troj/LanFilt-I
http://www.sophos.com/virusinfo/analyses/trojlanfilti.html
Troj/StartPa-FS
http://www.sophos.com/virusinfo/analyses/trojstartpafs.html
Troj/Psyme-BT
http://www.sophos.com/virusinfo/analyses/trojpsymebt.html
Troj/Banker-CK
http://www.sophos.com/virusinfo/analyses/trojbankerck.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/mytob-ak.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 

Other related posts:

• » [virusinfo] W32/Mytob-AK
• » [virusinfo] W32/Mytob-AK
• » [virusinfo] W32/Mytob-AK

1. Home
2. virusinfo
3. Archive
4. 04-2005

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---