Sophos

W32/Mytob-DF

Aliases
  • Net-Worm.Win32.Mytob.bd
  • W32.Mytob.GM@mm

Summary

W32/Mytob-DF is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network.

W32/Mytob-DF also appends mappings to the HOSTS file to deny access to trading, financial and security related websites.

How it spreads
  • Email messages
Affected operating systems Windows
Protection available since 7 July 2005 08:21:06 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Replace the Hosts file (%SystemRoot%\System32\drivers\etc\hosts) from a backup, or edit it in Notepad to remove the mappings that the worm has added.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

and remove any value whose data refers to a file you deleted. The worm also sets HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start to 4, which disables the Windows Firewall/Internet Connection Sharing service; set it back to 2 (Automatic) so that the service starts again.

Close the registry editor.
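The same clean-up, scripted. This is an added example written for this page, not a Sophos tool: it strips the worm's loopback mappings for security-vendor hosts from a HOSTS file and finds the Run/RunServices values whose data launches Lien Van de Kelder.exe. The HOSTS text and Run-key contents it works on are constructed sample data; the vendor suffix list is a subset of the entries in the analysis, and treating any vendor host pointed at a loopback address as hostile (including 0.0.0.0 and ::1, which the page does not mention) is this script's assumption. The live registry function uses Python's winreg module and therefore only runs on Windows.

```python
"""Clean-up helpers for the W32/Mytob-DF changes described above.
Added example, not Sophos tooling. SAMPLE_HOSTS and SAMPLE_RUN_VALUES are
constructed test data; VENDOR_SUFFIXES is a subset of the HOSTS entries in
the analysis, and treating any vendor host that points at a loopback address
as hostile is an assumption of this script."""
import sys
from typing import Dict, List, Tuple

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}   # addresses used to black-hole a host (assumed set)
VENDOR_SUFFIXES = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com", "nai.com",
    "networkassociates.com", "kaspersky.com", "kaspersky-labs.com", "avp.com",
    "viruslist.com", "f-secure.com", "ca.com", "my-etrust.com", "trendmicro.com",
    "grisoft.com", "microsoft.com", "virustotal.com",
)
WORM_EXE = "lien van de kelder.exe"   # file the worm drops in <System>
RUN_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)


def is_hostile_mapping(line: str) -> bool:
    """True if a HOSTS line points a security-vendor name at a loopback address."""
    fields = line.split("#", 1)[0].split()      # ignore comments and blank lines
    if len(fields) < 2 or fields[0] not in LOOPBACK:
        return False
    for name in (n.lower() for n in fields[1:]):
        if name == "localhost":
            continue
        if any(name == s or name.endswith("." + s) for s in VENDOR_SUFFIXES):
            return True
    return False


def clean_hosts(text: str) -> Tuple[str, List[str]]:
    """Return (HOSTS text with the worm's mappings removed, the removed lines)."""
    kept, removed = [], []
    for line in text.splitlines():
        (removed if is_hostile_mapping(line) else kept).append(line)
    return "\n".join(kept) + "\n", removed


def find_worm_run_values(values: Dict[str, str]) -> List[str]:
    """Given {value name: data} from a Run/RunServices key, return the value names
    whose data launches the worm. Matching on the executable rather than on the
    odd 'http://www.lienvandekelder.be' value name also catches a renamed value."""
    hits = []
    for name, data in values.items():
        exe = data.strip().strip('"').lower()
        if exe.endswith(WORM_EXE):
            hits.append(name)
    return hits


def remove_worm_run_values(dry_run: bool = True) -> List[str]:
    """Windows only: enumerate HKLM Run/RunServices with the winreg stdlib module
    and delete the worm's values (or only report them when dry_run is True)."""
    import winreg
    removed = []
    for subkey in RUN_KEYS:
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0,
                                 winreg.KEY_READ | winreg.KEY_SET_VALUE)
        except OSError:
            continue                             # RunServices may not exist on this system
        with key:
            values, i = {}, 0
            while True:                          # collect first, delete afterwards
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                values[name] = str(data)
                i += 1
            for name in find_worm_run_values(values):
                if not dry_run:
                    winreg.DeleteValue(key, name)
                removed.append(subkey + "\\" + name)
    return removed


SAMPLE_HOSTS = """# constructed sample HOSTS file
127.0.0.1 localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.sophos.com
192.168.1.10 fileserver.corp.example   # legitimate entry, must survive
"""
SAMPLE_RUN_VALUES = {   # constructed Run key contents
    "http://www.lienvandekelder.be": "Lien Van de Kelder.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}

if __name__ == "__main__":
    cleaned, removed = clean_hosts(SAMPLE_HOSTS)
    print("removed HOSTS lines:", removed)
    print("worm Run values:", find_worm_run_values(SAMPLE_RUN_VALUES))
    if sys.platform == "win32":
        print("live Run values:", remove_worm_run_values(dry_run=True))
```

Run it as-is to see the result on the sample data; on an infected machine, feed the contents of %SystemRoot%\System32\drivers\etc\hosts to clean_hosts and call remove_worm_run_values(dry_run=False) from an administrator prompt after the dropped file has been deleted. The script does not touch the SharedAccess service's Start value, which the worm also changes.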

More Information

W32/Mytob-DF is a mass-mailing worm and backdoor Trojan that can be controlled through the Internet Relay Chat (IRC) network.

W32/Mytob-DF also appends mappings to the HOSTS file to deny access to trading, financial and security related websites.


When first run W32/Mytob-DF copies itself to <System>\Lien Van de Kelder.exe.

The following registry entries are created to run Lien Van de Kelder.exe on startup. Note that the worm uses the URL as the value name; the value data is the dropped file:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name: http://www.lienvandekelder.be
Data: Lien Van de Kelder.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Value name: http://www.lienvandekelder.be
Data: Lien Van de Kelder.exe

W32/Mytob-DF sets the following registry entry, which disables the Windows Firewall/Internet Connection Sharing (SharedAccess) service (a Start value of 4 means the service is disabled):

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Value name: Start
Data: 4

W32/Mytob-DF terminates system and anti-virus related processes including CMD.EXE, TASKMON.EXE and REGEDIT.EXE.

W32/Mytob-DF also appends the following mappings to the HOSTS file to deny access to trading, financial and security related websites:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 easydedicated.com
127.0.0.1 www.easydedicated.com
127.0.0.1 easydedicated.net
127.0.0.1 www.easydedicated.net
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 www.funpic.org
127.0.0.1 funpic.org
127.0.0.1 www.funpic.de
127.0.0.1 funpic.de
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com

Emails sent by W32/Mytob-DF have the following properties:

Subject lines chosen from:

'Notice: **Last Warning**'
'*IMPORTANT* Please Validate Your Account'
'Account Alert'
'Important Notification'
'*IMPORTANT* Please Confirm Your Account'
'Security measures'
'Notice of account limitation'

Message text is of the following format:

'Dear Valued Member, (in bold)

According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons.

http://www.<fake domain name>/confirm.php?email=<fake email address>

Thank you for your attention to this question. We apologize for any inconvenience.

Sincerely, <fake company name> Security Department Assistant.'

The URL link is faked and points to a remote website. At the time of writing the remote website was not available.
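A mail-side check for the lure described above, as an added example that is not part of the Sophos analysis. It parses a message with Python's email module, matches the subject against the list above, looks for the "confirm your account ... suspended within 24 hours" text (after stripping HTML tags, since the salutation is sent in bold) and extracts any confirm.php?email= link. The two sample messages are constructed; their .invalid domains are placeholders, and the scoring rule (known subject plus lure text or link) is this script's own heuristic.

```python
"""Flag mail that matches the W32/Mytob-DF lure described above. Added example,
not Sophos code. SAMPLE_LURE and SAMPLE_BENIGN are constructed messages; the
.invalid domains are placeholders and the scoring rule is this script's own."""
import re
from email import message_from_string
from email.message import Message
from typing import Dict

MYTOB_SUBJECTS = {                    # subject lines listed in the analysis
    "Notice: **Last Warning**",
    "*IMPORTANT* Please Validate Your Account",
    "Account Alert",
    "Important Notification",
    "*IMPORTANT* Please Confirm Your Account",
    "Security measures",
    "Notice of account limitation",
}
# The body's link: http://www.<fake domain name>/confirm.php?email=<fake email address>
LURE_URL = re.compile(r"""https?://[^\s'"<>]+/confirm\.php\?email=[^\s'"<>]+""", re.I)
LURE_PHRASE = re.compile(r"confirm your account.{0,120}?suspended within 24 hours", re.I | re.S)
TAG = re.compile(r"<[^>]+>")


def body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain and text/html parts of a message."""
    chunks = []
    for part in msg.walk():              # walk() yields the message itself when not multipart
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_lure(raw_message: str) -> Dict[str, object]:
    """Return the individual signals so an analyst can see why a mail was flagged."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    text = body_text(msg)
    plain = TAG.sub("", text)            # so "<b>Dear Valued Member,</b>" reads as text
    return {
        "subject_match": subject in MYTOB_SUBJECTS,
        "phrase_match": bool(LURE_PHRASE.search(plain)),
        "urls": sorted(set(LURE_URL.findall(text))),   # href and link text dedupe to one
    }


def is_mytob_lure(raw_message: str) -> bool:
    """A known subject alone is weak evidence (legitimate mail uses 'Account Alert'
    too); require the confirmation text or the confirm.php link as well."""
    s = score_lure(raw_message)
    return bool(s["subject_match"] and (s["phrase_match"] or s["urls"]))


SAMPLE_LURE = """From: security@bank.invalid
To: victim@example.invalid
Subject: *IMPORTANT* Please Confirm Your Account
Content-Type: text/html; charset=us-ascii

<b>Dear Valued Member,</b><br><br>
According to our site policy you will have to confirm your account by the following
link or else your account will be suspended within 24 hours for security reasons.<br>
<a href="http://www.bank.invalid/confirm.php?email=victim@example.invalid">http://www.bank.invalid/confirm.php?email=victim@example.invalid</a><br>
Thank you for your attention to this question. We apologize for any inconvenience.<br>
Sincerely, Bank Security Department Assistant.
"""

SAMPLE_BENIGN = """From: it-helpdesk@corp.invalid
To: staff@corp.invalid
Subject: Account Alert
Content-Type: text/plain; charset=us-ascii

Reminder: password rotation is due next week. No action is needed today.
"""

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, is_mytob_lure(sample), score_lure(sample))
```

The benign sample shares the "Account Alert" subject with the worm and is still not flagged, which is the point of combining the signals rather than matching subjects alone.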

W32/Mytob-DF harvests email addresses from files on the infected computer and from the Windows address book as well as the Microsoft Internet Account Manager.

W32/Mytob-DF may also attempt to download files from the Internet and steal system information.

Sophos's anti-virus products include Genotype ™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Mytob-DF (detected as W32/Mytob-Fam) since version 3.93.
