From: Sophos Alert System

Name: W32/Mytob-AK
Aliases: WORM_MYTOB.BT
Type: Win32 worm
Date: 26 April 2005

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the June 2005 (3.94) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received a small number of reports of this worm from the wild.

Information about W32/Mytob-AK can be found at:
http://www.sophos.com/virusinfo/analyses/w32mytobak.html

W32/Mytob-AK is a mass-mailing worm and IRC backdoor Trojan. W32/Mytob-AK is capable of spreading through operating system vulnerabilities, including the LSASS (MS04-011) exploit. W32/Mytob-AK can harvest email addresses from files on the infected computer and from the Windows address book.

Emails sent by the worm have the following characteristics:

Subject line:
  Error
  Status
  Server Report
  Mail Transaction Failed
  Mail Delivery System
  hello
  Good day
  <blank>

Message body:
  The message contains Unicode characters and has been sent as a binary attachment.
  Mail transaction failed. Partial message is available.
  The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  The original message was included as an attachment
  Here are your bank documents

W32/Mytob-AK copies itself to the Windows system folder as "taskgmr32.exe" and creates the following registry entries in order to run automatically on computer login:

  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
  WINTASK = taskgmr32.exe

  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
  WINTASK = taskgmr32.exe

  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
  WINTASK = taskgmr32.exe

The worm also creates the following registry entries:

  HKCU\SYSTEM\CurrentControlSet\Control\Lsa\
  WINTASK = taskgmr32.exe

  HKCU\Software\Microsoft\OLE\
  WINTASK = taskgmr32.exe

  HKLM\SOFTWARE\Microsoft\Ole\
  WINTASK = taskgmr32.exe

W32/Mytob-AK copies itself to the root folder with the following filenames:

  funny_pic.scr
  my_photo2005.scr
  see_this!!.scr

W32/Mytob-AK blocks access to security-related websites by writing entries to the Windows hosts file that map those sites (Symantec, Sophos, McAfee, F-Secure, Kaspersky, Computer Associates, Trend Micro, Microsoft and others) to 127.0.0.1.

W32/Mytob-AK may create a new file detected by Sophos as W32/Mytob-D.

This IDE file also includes detection for:

  W32/Kelvir-T
  http://www.sophos.com/virusinfo/analyses/w32kelvirt.html

  Troj/Restrict-A
  http://www.sophos.com/virusinfo/analyses/trojrestricta.html

  Troj/LanFilt-I
  http://www.sophos.com/virusinfo/analyses/trojlanfilti.html

  Troj/StartPa-FS
  http://www.sophos.com/virusinfo/analyses/trojstartpafs.html

  Troj/Psyme-BT
  http://www.sophos.com/virusinfo/analyses/trojpsymebt.html

  Troj/Banker-CK
  http://www.sophos.com/virusinfo/analyses/trojbankerck.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/mytob-ak.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats:

  Zip file: http://www.sophos.com/downloads/ide/ides.zip
  Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
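A defender-side check for the two host-level indicators the alert lists (the WINTASK autorun value pointing at taskgmr32.exe, and security-vendor sites mapped to 127.0.0.1 in the hosts file), written as an added example for this post rather than anything from Sophos or the IDE file. The hosts text and the registry snapshot it scans are constructed samples; on a live Windows machine the registry dictionary would be filled from an export of the keys named above.

```python
from typing import Dict, List

# Indicators as given in the Sophos description of W32/Mytob-AK.
DROPPED_NAME = "taskgmr32.exe"
AUTORUN_VALUE = "WINTASK"
# Registered domains of the security vendors the worm maps to loopback.
VENDOR_DOMAINS = {
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com", "nai.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "trendmicro.com",
    "microsoft.com",
}

def hijacked_hosts_entries(hosts_text: str) -> List[str]:
    """Return hosts-file lines that point a security-vendor domain at loopback."""
    found = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("127.0.0.1", "::1"):
            continue
        for host in (h.lower() for h in parts[1:]):
            # match the vendor domain itself or any subdomain (www., liveupdate., ...)
            if any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS):
                found.append(line)
                break
    return found

def suspicious_registry_values(registry: Dict[str, Dict[str, str]]) -> List[str]:
    """Return key\\value paths whose name or data matches the worm's autorun entry."""
    hits = []
    for key, values in registry.items():
        for name, data in values.items():
            if name.upper() == AUTORUN_VALUE or DROPPED_NAME in data.lower():
                hits.append(key + "\\" + name)
    return hits

# Constructed sample data so the script runs stand-alone; not from a real host.
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.microsoft.com
10.0.0.5  intranet.example
"""
SAMPLE_REGISTRY = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "WINTASK": "taskgmr32.exe", "Backup": r"C:\Tools\backup.exe"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {"WINTASK": "taskgmr32.exe"},
    r"HKLM\SOFTWARE\Microsoft\Ole": {"WINTASK": "taskgmr32.exe"},
}
```

Any non-empty result from either function is worth a closer look; the localhost and intranet lines in the sample are deliberately left alone so the hosts check only flags vendor sites forced to loopback.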