Summary
| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Included in our products from | July 2005 (3.95) |
| Protection available since | 26 April 2005 04:00:10 (GMT) |
| Last updated | 3 June 2005 20:00:44 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
and remove any reference to any file you deleted.
Close the registry editor.
More Information
W32/Mytob-AJ is a mass-mailing worm and backdoor Trojan that targets users of Internet Relay Chat programs.
W32/Mytob-AJ is capable of spreading through various operating system vulnerabilities such as LSASS (MS04-011).
The worm also prevents access to anti-virus and security-related websites.
W32/Mytob-AJ harvests email addresses from files found on the infected computer and from the Windows address book.
The following patches for the operating system vulnerabilities exploited by W32/Mytob-AJ can be obtained from the Microsoft website:
MS04-011

W32/Mytob-AJ is a mass-mailing worm and backdoor Trojan that targets users of Internet Relay Chat programs.
When first run, the worm copies itself to the Windows system folder as taskgmr.exe and creates the following registry entries so that it runs at user logon (value name "Windows Task Manager", value data taskgmr.exe, under both keys):
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = taskgmr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows Task Manager = taskgmr.exe
W32/Mytob-AJ is capable of spreading through various operating system vulnerabilities such as LSASS (MS04-011).
The worm also appends the following mappings to the HOSTS file, so that the named anti-virus and security-related websites resolve to the local machine and cannot be reached, and adds a signature line at the end of the file:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
-=Copyright (C) 2005-2006 HellBot3 Team All Rights Reserved.=-
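The two artefacts the Action section tells you to clean up, the HOSTS additions above and the Run/RunServices values, can be checked offline before and after the manual edit. The script below is an added example written for this page, not Sophos code: it strips the hostile HOSTS lines (any mapping of a host under one of the listed vendor domains to a loopback or blackhole address, plus the HellBot3 signature line) while leaving "127.0.0.1 localhost" and unrelated entries alone, and it scans a Regedit .reg export (such as the Backup.reg you make before editing) for Run/RunServices values that reference taskgmr.exe. The sample HOSTS file and .reg export are constructed for the demonstration, not captured from a real infection; the "Updater" value is a made-up benign entry showing that unrelated values are not reported.

```python
import re

# Vendor domains that the worm's HOSTS additions point at loopback (from the
# HOSTS listing above). Any host under one of these, mapped to a loopback or
# blackhole address, is treated as a hostile entry.
HIJACKED_DOMAINS = {
    "symantec.com", "sophos.com", "mcafee.com", "symantecliveupdate.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "kaspersky-labs.com",
    "avp.com", "networkassociates.com", "ca.com", "my-etrust.com",
    "nai.com", "trendmicro.com", "grisoft.com", "microsoft.com",
}
SIGNATURE = "HellBot3 Team"              # substring of the worm's signature line
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}

# Persistence keys used by the worm, as they appear in a .reg export (lowercased).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}


def _registrable(host):
    """Crude 'last two labels' base domain; sufficient for the vendor list above."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def clean_hosts(text):
    """Return (cleaned_text, removed_lines) for the contents of a HOSTS file.

    Drops lines mapping a hijacked vendor domain to a loopback/blackhole address
    and the worm's signature line; comments and other entries are kept as-is.
    """
    kept, removed = [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # ignore trailing comments
        hostile = SIGNATURE in line or (
            len(fields) >= 2
            and fields[0] in BLACKHOLE
            and any(_registrable(h) in HIJACKED_DOMAINS for h in fields[1:])
        )
        (removed if hostile else kept).append(line)
    return "\n".join(kept) + "\n", removed


_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')


def find_persistence(reg_text, filename="taskgmr.exe"):
    """Scan a Regedit .reg export for Run/RunServices values referencing filename.

    Returns (key_leaf, value_name, value_data) tuples. Run it on the export made
    before editing, then on a fresh export afterwards to confirm the values are gone.
    """
    hits, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]                     # new key section
            continue
        if current is None or current.lower() not in RUN_KEYS:
            continue
        m = _VALUE_RE.match(line)
        if m and filename.lower() in m.group("data").lower():
            hits.append((current.rsplit("\\", 1)[-1], m.group("name"),
                         m.group("data").strip('"')))
    return hits


# Constructed sample input (not taken from a real infected host).
SAMPLE_HOSTS = """\
# Constructed sample of an infected HOSTS file
127.0.0.1 localhost
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantecliveupdate.com
192.168.10.5 intranet.example.test
-=Copyright (C) 2005-2006 HellBot3 Team All Rights Reserved.=-
"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Task Manager"="taskgmr.exe"
"Updater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Task Manager"="taskgmr.exe"
"""

if __name__ == "__main__":
    cleaned, removed = clean_hosts(SAMPLE_HOSTS)
    print("removed from HOSTS:", *removed, sep="\n  ")
    print("persistence values:", find_persistence(SAMPLE_REG))
```

On a real machine, apply the cleaned text back to %SystemRoot%\System32\drivers\etc\hosts from an administrative prompt and re-export the Run and RunServices keys to verify; the matching on vendor domains rather than on the exact list above also catches variants that add a few more hosts.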
W32/Mytob-AJ harvests email addresses from files found on the infected computer and from the Windows address book.
Emails sent by W32/Mytob-AJ have the following characteristics:
Subject line: chosen from
read it immediately
Hello
Congratulations!
Re: Approved document
Re: Your document
Re: Administration
approved
Is that your password?
It's you!?
Bonjour
From: chosen from
contact@microsoft.com
postmaster@fbi.gov
support@yahoo.com
admin@fbi.gov
contact@cia.gov
contact@fbi.gov
contact@symantec.com
Message text: chosen from
I have attached your informations.
The original message was included as an attachment.
Your document is attached.
The message contains Unicode characters and has been sent as a binary attachment.
For more details see the attachment.
Attached file: chosen from
document
details
data
important information
your_doc
message
body
Attached file extension: chosen from
pif
scr
exe
cmd
bat
zip
The worm can also spread by mailing itself as a file attachment using the filename isyq.scr.
When W32/Mytob-AJ sends itself as a zip archive, it may optionally use a double extension, where the first extension is DOC, TXT or HTM and the final extension is PIF, SCR, EXE or ZIP.
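The subject, sender, body and attachment values listed above are a usable mail-gateway signature when taken together. The classifier below is an added example written for this page, not Sophos code: it flags a message only when a lure attachment name (listed base name with an executable or archive extension, the fixed isyq.scr, or a decoy-then-executable double extension such as details.doc.zip) co-occurs with a listed subject, sender or body text, so a legitimate "Hello" mail with a PDF is not caught. Because the From: addresses are forged, a sender match is an indicator of spoofing, not evidence of who actually sent the mail. The four sample messages are constructed for the demonstration.

```python
# Lure values quoted on this page for W32/Mytob-AJ mail (lowercased for matching).
SUBJECTS = {
    "read it immediately", "hello", "congratulations!", "re: approved document",
    "re: your document", "re: administration", "approved",
    "is that your password?", "it's you!?", "bonjour",
}
SENDERS = {
    "contact@microsoft.com", "postmaster@fbi.gov", "support@yahoo.com",
    "admin@fbi.gov", "contact@cia.gov", "contact@fbi.gov", "contact@symantec.com",
}
BODIES = {
    "i have attached your informations.",
    "the original message was included as an attachment.",
    "your document is attached.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "for more details see the attachment.",
}
BASE_NAMES = {"document", "details", "data", "important information",
              "your_doc", "message", "body"}
EXEC_EXTS = {"pif", "scr", "exe", "cmd", "bat", "zip"}
DECOY_EXTS = {"doc", "txt", "htm"}          # first extension of a double extension
FINAL_EXTS = {"pif", "scr", "exe", "zip"}   # last extension of a double extension
FIXED_NAME = "isyq.scr"


def attachment_indicators(name):
    """Return the indicator labels matched by one attachment filename."""
    found = []
    lower = name.strip().lower()
    if lower == FIXED_NAME:
        found.append("attachment:isyq.scr")
    parts = lower.split(".")
    if len(parts) == 2 and parts[0] in BASE_NAMES and parts[1] in EXEC_EXTS:
        found.append("attachment:lure-name")
    # e.g. details.doc.zip: a decoy document extension in front of the real one
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS and parts[-1] in FINAL_EXTS:
        found.append("attachment:double-extension")
    return found


def classify(msg):
    """msg: dict with 'subject', 'sender', 'body' and 'attachments' (list of names).

    Returns {'indicators': [...], 'suspicious': bool}; suspicious only when an
    attachment indicator co-occurs with a subject, sender or body indicator.
    """
    ind = []
    if msg.get("subject", "").strip().lower() in SUBJECTS:
        ind.append("subject")
    if msg.get("sender", "").strip().lower() in SENDERS:
        ind.append("sender:spoofed-authority")
    body = msg.get("body", "").lower()
    if any(text in body for text in BODIES):
        ind.append("body")
    for name in msg.get("attachments", []):
        ind.extend(attachment_indicators(name))
    has_attach = any(i.startswith("attachment:") for i in ind)
    has_text = any(not i.startswith("attachment:") for i in ind)
    return {"indicators": ind, "suspicious": has_attach and has_text}


# Constructed sample messages (not real captured mail).
SAMPLE_MESSAGES = [
    {"subject": "Is that your password?", "sender": "postmaster@fbi.gov",
     "body": "Your document is attached.", "attachments": ["your_doc.pif"]},
    {"subject": "Hello", "sender": "alice@example.test",
     "body": "Lunch tomorrow?", "attachments": ["agenda.pdf"]},
    {"subject": "Re: Approved document", "sender": "bob@example.test",
     "body": "see attached", "attachments": ["details.doc.zip"]},
    {"subject": "Bonjour", "sender": "carol@example.test",
     "body": "", "attachments": ["isyq.scr"]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], "->", classify(msg))
```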
The worm may also attempt to connect to, or set up listening sockets on, ports 15 and 256.
The following patches for the operating system vulnerabilities exploited by W32/Mytob-AJ can be obtained from the Microsoft website: MS04-011.
