[virusinfo] W32/Mytob-W
- From: "Mike" <mikebike@xxxxxxxxx>
- To: virusinfo@xxxxxxxxxxxxx
- Date: Tue, 05 Apr 2005 15:49:03 -0700
From; Sophos Alert System:
Name: W32/Mytob-W
Aliases: WORM_MYTOB.W, Net-Worm.Win32.Mytob.q
Type: Win32 worm
Date: 5 April 2005
A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the May 2005 (3.93) release of Sophos Anti-Virus.
Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.
At the time of writing, Sophos has received a small number of
reports of this worm from the wild.
Information about W32/Mytob-W can be found at:
http://www.sophos.com/virusinfo/analyses/w32mytobw.html
W32/Mytob-W is a mass-mailing network worm with backdoor functionality that
targets users of Internet Relay Chat programs.
W32/Mytob-W spreads attached to the email messages or by exploiting known
vulnerabilities. For details about these vulnerabilities see MS04-012 and
MS04-011 as for LSASS and RPC/DCOM vulnerability correspondingly.
W32/Mytob-W attempts to harvest email addresses from the infected system.
Emails sent by W32/Mytob-W have the following characteristics:
The subject line is one of the following:
Error
Good day
Hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
The message text is one of the following lines:
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary
attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as
a binary attachment.
The original message was included as an attachment.
Here are your banks documents
The worm is included as an attachment to the message, either as an executable
file (with CMD, BAT, DOC, HTM, PIF, SCR, TMP, TXT, EXE or COM extension) or as
a ZIP file containing the executable. The filename (excluding file extension)
is chosen from the following list:
BODY
DATA
DOC
DOCUMENT
FILE
MESSAGE
README
TEST
TEXT
Once executed W32/Mytob-W copies itself to the Windows system folder with the
filenames NETHELL.EXE and TASKGMR.EXE, and in order to be able to run
automatically when Windows starts up sets the registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK
taskgmr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
WINTASK
taskgmr.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK
taskgmr.exe
Also W32/Mytob-W modifies the following registry entries:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
taskgmr.exe
HKCU\Software\Microsoft\OLE
WINTASK
taskgmr.exe
HKLM\SOFTWARE\Microsoft\Ole
WINTASK
taskgmr.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
taskgmr.exe
W32/Mytob-W also creates a hellmsn.exe file in the root folder that is detected
by the W32/Mytob-D and copies itself to the root folder using following
filenames:
funny_pic.scr
my_photo2005.scr
see_this!!.scr
W32/Mytob-W modifies the system HOSTS file in order to prevent access to the
following web addresses:
avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
f-secure.com
kaspersky.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
viruslist.com
viruslist.com
www.avp.com
www.ca.com
www.f-secure.com
www.kaspersky.com
www.mcafee.com
www.microsoft.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com
This IDE file also includes detection for:
W32/Rbot-ZY
http://www.sophos.com/virusinfo/analyses/w32rbotzy.html
W32/Rbot-AAA
http://www.sophos.com/virusinfo/analyses/w32rbotaaa.html
W32/Agobot-RF
http://www.sophos.com/virusinfo/analyses/w32agobotrf.html
Troj/Bube-K
http://www.sophos.com/virusinfo/analyses/trojbubek.html
Troj/Dloader-KY
http://www.sophos.com/virusinfo/analyses/trojdloaderky.html
Troj/PcClient-Q
http://www.sophos.com/virusinfo/analyses/trojpcclientq.html
Troj/Delf-KM
http://www.sophos.com/virusinfo/analyses/trojdelfkm.html
Troj/Verzila-A
http://www.sophos.com/virusinfo/analyses/trojverzilaa.html
Troj/Bdoor-ZAU
http://www.sophos.com/virusinfo/analyses/trojbdoorzau.html
Download the IDE file from:
http://www.sophos.com/downloads/ide/mytob-w.ide
Download all the IDE files available for the current version of
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:
Zip file:
http://www.sophos.com/downloads/ide/ides.zip
Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe
Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html
*********** MIKE"S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
Other related posts:
- » [virusinfo] W32/Mytob-W
