W32/Mytob-CF

Please follow the instructions for removing worms.

Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

and remove any reference to any file you deleted.

Close the registry editor.

W32/Mytob-CF is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network.

W32/Mytob-CF also modifies the HOSTS file to deny access to security related websites. W32/Mytob-CF is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network.

When first run W32/Mytob-CF copies itself to the Windows system folder as 1hellbot.exe and creates the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HELLBOT TEST
1hellbot.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HELLBOT TEST
1hellbot.exe

W32/Mytob-CF also appends the following to the HOSTS file to deny access to security related websites:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com

Email sent by W32/Mytob-CF has the following properties:

Subject line chosen from:

Your email account access is restricted
Notice:***Your email account will be suspended***
Notice: **Last Warning**
Security measures
*IMPORTANT* Please Validate Your Email Account
Your Email Account is Suspended For Security Reasons

Message text chosen from:

'We have suspended some of your email services, to resolve the problem you should read the attached document.'

'Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.'

'To safeguard your email account from possible termination, please see the attached file.'

'Follow the instructions in the attachment.'

'Account Information Are Attached!'

'To unblock your email account acces, please see the attachment.'

The attached file consists of a base name followed by the extensions PIF, SCR, EXE or ZIP. The worm may optionally create double extensions where the first extension is DOC, TXT or HTM and the final extension is PIF, SCR, EXE or ZIP.

W32/Mytob-CF harvests email addresses from files on the infected computer and from the Windows address book.