high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Protection available since | 30 June 2005 13:47:59 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Mytob-CT is a mass-mailing worm and IRC backdoor Trojan.
W32/Mytob-CT can spread by sending itself as an email attachment to email addresses it harvests from the infected computer, either as an attachment with a double-extension or as a zip file containing a file with a double-extension. W32/Mytob-CT avoids sending emails to addresses containing certain strings in them.
W32/Mytob-CT processes the emails it has harvested by splitting them into name and domain. Once it has sent itself to the emails it has harvested, it uses a predefined list of names with the harvested domains. W32/Mytob-CT spoofs the sender, sending emails as if from one of the following at the same domain as the recipient:
support
administrator
mail
service
admin
info
register
webmaster
For example if sending itself to name@example.com, W32/Mytob-CT might send the email as if from admin@example.com.
Emails sent by the worm have characteristics from the following:
Subject line:
Notice: **Last Warning**
*DETECTED* Online User Violation
Your Email Account is Suspended For Security Reasons
Account Alert
Important Notification
*WARNING* Your Email Account Will Be Closed
Security measures
Email Account Suspension
Notice of account limitation
Message body - one of the following or a garbled message:
Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
The original message has been included as an attachment.
We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.
We attached some important information regarding your account.
Please read the attached document and follow it's instructions.
Attachment name:
email-info
email-doc
information
account-details
document
INFO
instructions
info-text
information
First extension (of attachment or of file inside zip):
doc
htm
txt
Second extension (of attachment or of file inside zip):
pif
scr
exe
cmd
bat
If the attachment is a zip file it will have the same base name as the double-extension file inside.
Example attachment names include document.txt.pif and information.doc.cmd, usually with a large number of spaces between the extensions.
Sophos's anti-virus products include Genotype ™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Mytob-CT (detected as W32/Mytob-Fam) since version 3.95. W32/Mytob-CT is a mass-mailing worm and IRC backdoor Trojan.
W32/Mytob-CT runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels, including the ability to download and execute files on the infected computer.
W32/Mytob-CT can spread by sending itself as an email attachment to email addresses it harvests from the infected computer, either as an attachment with a double-extension or as a zip file containing a file with a double-extension. W32/Mytob-CT avoids sending emails to addresses containing certain strings in them.
W32/Mytob-CT processes the emails it has harvested by splitting them into name and domain. Once it has sent itself to the emails it has harvested, it uses a predefined list of names with the harvested domains. W32/Mytob-CT spoofs the sender, sending emails as if from one of the following at the same domain as the recipient:
support
administrator
mail
service
admin
info
register
webmaster
For example if sending itself to name@example.com, W32/Mytob-CT might send the email as if from admin@example.com.
Emails sent by the worm have characteristics from the following:
Subject line:
Notice: **Last Warning**
*DETECTED* Online User Violation
Your Email Account is Suspended For Security Reasons
Account Alert
Important Notification
*WARNING* Your Email Account Will Be Closed
Security measures
Email Account Suspension
Notice of account limitation
Message body - one of the following or a garbled message:
Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
The original message has been included as an attachment.
We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.
We attached some important information regarding your account.
Please read the attached document and follow it's instructions.
Attachment name:
email-info
email-doc
information
account-details
document
INFO
instructions
info-text
information
First extension (of attachment or of file inside zip):
doc
htm
txt
Second extension (of attachment or of file inside zip):
pif
scr
exe
cmd
bat
If the attachment is a zip file it will have the same base name as the double-extension file inside.
Example attachment names include document.txt.pif and information.doc.cmd, usually with a large number of spaces between the extensions.
W32/Mytob-CT copies itself to the Window system folder with the filename "Lien Vande Kelder.exe" and sets the following registry entries to run itself on system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
http://www.lienvandekelder.be =
"Lien Vande Kelder.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
http://www.lienvandekelder.be =
"Lien Vande Kelder.exe"
W32/Mytob-CT sets the following registry entries, disabling the automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
W32/Mytob-CT attempts to terminate a large number of processes related to security and anti-virus programs including REGEDIT.EXE, MSCONFIG.EXE and NETSTAT.EXE.
W32/Mytob-CT modifies the Windows hosts file in order to block access to the following security-related websites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 easydedicated.com
127.0.0.1 www.easydedicated.com
127.0.0.1 easydedicated.net
127.0.0.1 www.easydedicated.net
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
Sophos's anti-virus products include Genotype ™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Mytob-CT (detected as W32/Mytob-Fam) since version 3.95.
|
