From; Sophos Alert System: Name: W32/Mytob-W Aliases: WORM_MYTOB.W, Net-Worm.Win32.Mytob.q Type: Win32 worm Date: 5 April 2005 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the May 2005 (3.93) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. At the time of writing, Sophos has received a small number of reports of this worm from the wild. Information about W32/Mytob-W can be found at: http://www.sophos.com/virusinfo/analyses/w32mytobw.html W32/Mytob-W is a mass-mailing network worm with backdoor functionality that targets users of Internet Relay Chat programs. W32/Mytob-W spreads attached to the email messages or by exploiting known vulnerabilities. For details about these vulnerabilities see MS04-012 and MS04-011 as for LSASS and RPC/DCOM vulnerability correspondingly. W32/Mytob-W attempts to harvest email addresses from the infected system. Emails sent by W32/Mytob-W have the following characteristics: The subject line is one of the following: Error Good day Hello Mail Delivery System Mail Transaction Failed Server Report Status The message text is one of the following lines: Mail transaction failed. Partial message is available. The message contains Unicode characters and has been sent as a binary attachment. The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment. The original message was included as an attachment. Here are your banks documents The worm is included as an attachment to the message, either as an executable file (with CMD, BAT, DOC, HTM, PIF, SCR, TMP, TXT, EXE or COM extension) or as a ZIP file containing the executable. The filename (excluding file extension) is chosen from the following list: BODY DATA DOC DOCUMENT FILE MESSAGE README TEST TEXT Once executed W32/Mytob-W copies itself to the Windows system folder with the filenames NETHELL.EXE and TASKGMR.EXE, and in order to be able to run automatically when Windows starts up sets the registry entries: HKLM\Software\Microsoft\Windows\CurrentVersion\Run WINTASK taskgmr.exe HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices WINTASK taskgmr.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Run WINTASK taskgmr.exe Also W32/Mytob-W modifies the following registry entries: HKCU\SYSTEM\CurrentControlSet\Control\Lsa WINTASK taskgmr.exe HKCU\Software\Microsoft\OLE WINTASK taskgmr.exe HKLM\SOFTWARE\Microsoft\Ole WINTASK taskgmr.exe HKLM\SYSTEM\CurrentControlSet\Control\Lsa WINTASK taskgmr.exe W32/Mytob-W also creates a hellmsn.exe file in the root folder that is detected by the W32/Mytob-D and copies itself to the root folder using following filenames: funny_pic.scr my_photo2005.scr see_this!!.scr W32/Mytob-W modifies the system HOSTS file in order to prevent access to the following web addresses: avp.com ca.com customer.symantec.com dispatch.mcafee.com download.mcafee.com f-secure.com kaspersky.com liveupdate.symantec.com liveupdate.symantecliveupdate.com mast.mcafee.com mcafee.com my-etrust.com nai.com networkassociates.com rads.mcafee.com secure.nai.com securityresponse.symantec.com sophos.com symantec.com trendmicro.com update.symantec.com updates.symantec.com us.mcafee.com viruslist.com viruslist.com www.avp.com www.ca.com www.f-secure.com www.kaspersky.com www.mcafee.com www.microsoft.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com This IDE file also includes detection for: W32/Rbot-ZY http://www.sophos.com/virusinfo/analyses/w32rbotzy.html W32/Rbot-AAA http://www.sophos.com/virusinfo/analyses/w32rbotaaa.html W32/Agobot-RF http://www.sophos.com/virusinfo/analyses/w32agobotrf.html Troj/Bube-K http://www.sophos.com/virusinfo/analyses/trojbubek.html Troj/Dloader-KY http://www.sophos.com/virusinfo/analyses/trojdloaderky.html Troj/PcClient-Q http://www.sophos.com/virusinfo/analyses/trojpcclientq.html Troj/Delf-KM http://www.sophos.com/virusinfo/analyses/trojdelfkm.html Troj/Verzila-A http://www.sophos.com/virusinfo/analyses/trojverzilaa.html Troj/Bdoor-ZAU http://www.sophos.com/virusinfo/analyses/trojbdoorzau.html Download the IDE file from: http://www.sophos.com/downloads/ide/mytob-w.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member