Summary
| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Protection available since | 8 May 2005 13:46:45 (GMT) |
| Detected by | All Sophos products |

- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action

Please follow the instructions for removing worms.
Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
and remove any reference to any file you deleted.
Close the registry editor.
More Information
W32/Mytob-BC is a mass-mailing worm and IRC backdoor Trojan.
W32/Mytob-BC can harvest email addresses from files on the infected computer and from the Windows address book.
Emails sent by the worm have the following characteristics:
Subject line:
Notice:***Your email account will be suspended***
YOUR EMAIL ACCOUNT ACCESS IS RESTRICTED
Your Email Account is Suspended For Security Reasons
Your email account access is restricted
Notice:**Last Warning**
Email Account Suspension
*IMPORTANT* Your Account Has Been Locked
Security Measures
*IMPORTANT* PLEASE VALIDATE YOUR EMAIL ACCOUNT
<random>
Message body:
Please see the attachment.
please look at attached document.
We have suspended some of your email services, to resolve the problem you should read the attached document.
Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
To unblock your email account acces, please see the attachment.
To safeguard your email account from possible termination, please see the attached file.
Account Information Are Attached!
<random>
When first run the worm copies itself to <SYSTEM>\1hellbot.exe.
The following registry entries are created to run 1hellbot.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HELLBOT TEST
1hellbot.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HELLBOT TEST
1hellbot.exe
The worm sets the following registry entry to reduce system security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
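The three registry changes listed above, together with the Run and RunServices keys the Action section tells you to inspect, can be checked offline against the backup that Regedit's 'Export Registry File' step produces. The script below is an added example and not Sophos code: it parses a constructed .reg export and reports the HELLBOT TEST autorun values and the SharedAccess Start=4 change (SharedAccess is the Windows Firewall/Internet Connection Sharing service, and a Start value of 4 means the service is disabled). The sample export text and its ExampleUpdater value are constructed for the demonstration.

```python
"""Scan a Regedit export (.reg) for the W32/Mytob-BC persistence and
service-tampering entries described in the write-up.

Added example, not Sophos code. The .reg text below is constructed; the
key names, value name and data strings come from the analysis.
"""
import re

# Indicators taken from the analysis above.
AUTORUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
}
AUTORUN_VALUE_NAME = "HELLBOT TEST"
AUTORUN_DATA = "1hellbot.exe"
SHAREDACCESS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
SERVICE_DISABLED = 4  # Start=4 is SERVICE_DISABLED

# Constructed sample of a Regedit "Export Registry File" output.
# ExampleUpdater is a made-up benign value to show that it is not flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HELLBOT TEST"="1hellbot.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"HELLBOT TEST"="1hellbot.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(.*?)"=(.*)$')


def parse_reg(text):
    """Return {key: {value_name: data}} from a .reg export.

    Quoted string data is unescaped (\\ and \"), dword: data becomes an int,
    any other type is kept as its raw text."""
    reg = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            elif data.startswith("dword:"):
                data = int(data[len("dword:"):], 16)
            reg[current][name] = data
    return reg


def _norm(key):
    """Normalise a key path: expand the HKLM abbreviation, compare case-insensitively."""
    key = key.strip("\\")
    if key.upper().startswith("HKLM\\"):
        key = "HKEY_LOCAL_MACHINE" + key[4:]
    return key.lower()


def find_mytob_indicators(reg):
    """Return (key, value_name, data) tuples matching the worm's autorun
    entries or its SharedAccess Start=4 change."""
    hits = []
    autorun = {_norm(k) for k in AUTORUN_KEYS}
    shared = _norm(SHAREDACCESS_KEY)
    for key, values in reg.items():
        nkey = _norm(key)
        for name, data in values.items():
            if nkey in autorun and isinstance(data, str) and (
                name.upper() == AUTORUN_VALUE_NAME or data.lower().endswith(AUTORUN_DATA)
            ):
                hits.append((key, name, data))
            elif nkey == shared and name.lower() == "start" and data == SERVICE_DISABLED:
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_mytob_indicators(parse_reg(SAMPLE_REG)):
        print(f"{key}\n    {name} = {data!r}")
```

To use it against a real backup, read the exported file with `encoding="utf-16"` (Regedit writes exports as UTF-16 on Windows XP and later) and pass the text to `parse_reg`; every hit corresponds to one of the values the Action section says to remove, and anything else under Run/RunServices is left for you to judge.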
W32/Mytob-BC blocks access to security-related websites by writing the following entries to the Windows hosts file:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
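The Action section's instruction to remove the worm's changes from the hosts file and the list above translate into one check. The script below is an added example and not Sophos code: it parses a constructed hosts file, reports every listed vendor domain that has been pointed at a sinkhole address, and produces a cleaned copy with only those hostnames removed. It goes a little beyond the write-up in that it flags any loopback or unspecified address (::1 and 0.0.0.0 as well as 127.0.0.1) and keeps legitimate hostnames that share a line with a worm entry. The sample file contents, including the intranet host, are constructed.

```python
"""Check a Windows hosts file for the W32/Mytob-BC entries listed in the
write-up and produce a cleaned copy with only those entries removed.

Added example, not Sophos code. The hosts text below is constructed; the
domain list is the one from the analysis (the duplicate viruslist.com
line collapses into the set).
"""
import ipaddress

WORM_HOSTS_DOMAINS = frozenset("""
www.symantec.com securityresponse.symantec.com symantec.com www.sophos.com
sophos.com www.mcafee.com mcafee.com liveupdate.symantecliveupdate.com
www.viruslist.com viruslist.com f-secure.com www.f-secure.com kaspersky.com
kaspersky-labs.com www.avp.com www.kaspersky.com avp.com
www.networkassociates.com networkassociates.com www.ca.com ca.com
mast.mcafee.com my-etrust.com www.my-etrust.com download.mcafee.com
dispatch.mcafee.com secure.nai.com nai.com www.nai.com update.symantec.com
updates.symantec.com us.mcafee.com liveupdate.symantec.com
customer.symantec.com rads.mcafee.com trendmicro.com www.trendmicro.com
www.grisoft.com www.microsoft.com
""".split())

# Constructed sample: a normal hosts file with the worm's lines appended,
# plus one mixed line to show that legitimate names on it are preserved.
SAMPLE_HOSTS = """# constructed sample hosts file (not from an infected machine)
127.0.0.1       localhost
10.0.0.5        intranet.example.test   # constructed internal host
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 www.microsoft.com
127.0.0.1 localhost www.mcafee.com
"""


def _is_sinkhole(ip_text):
    """True for addresses that silently swallow a connection:
    loopback (127.0.0.1, ::1) or unspecified (0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def scan_hosts(text, blocked=WORM_HOSTS_DOMAINS):
    """Return (hits, cleaned_text).

    hits: (line_number, ip, hostname) for every listed domain pointed at a
          sinkhole address.
    cleaned_text: the file with only those hostnames removed; comments,
          other lines and other hostnames on a hit line are kept."""
    hits = []
    kept = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body, sep, comment = raw.partition("#")
        fields = body.split()
        if len(fields) < 2 or not _is_sinkhole(fields[0]):
            kept.append(raw)
            continue
        ip, names = fields[0], fields[1:]
        bad = [n for n in names if n.lower() in blocked]
        good = [n for n in names if n.lower() not in blocked]
        hits.extend((lineno, ip, n) for n in bad)
        if not bad:
            kept.append(raw)
        elif good:
            kept.append(f"{ip} {' '.join(good)}" + (sep + comment if sep else ""))
        # a line whose every hostname was the worm's is dropped entirely
    cleaned = "\n".join(kept)
    if text.endswith("\n"):
        cleaned += "\n"
    return hits, cleaned


if __name__ == "__main__":
    found, fixed = scan_hosts(SAMPLE_HOSTS)
    for lineno, ip, host in found:
        print(f"line {lineno}: {host} -> {ip}")
    print("--- cleaned ---")
    print(fixed, end="")
```

On a real machine, read %SystemRoot%\System32\drivers\etc\hosts into `text`, review the hits, and write `cleaned` back only after confirming none of the flagged entries is a deliberate local override; the vendor domains listed above are rarely legitimate reasons for a loopback entry, which is why a hit is worth treating as evidence of infection rather than as noise.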
