Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Included in our products from | July 2005 (3.95) |
| Protection available since | 17 May 2005 10:45:48 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
and remove any reference to any file you deleted.
Close the registry editor.
More Information
W32/Mytob-CJ is a member of the W32/Mytob family of email worms.
Once installed, W32/Mytob-CJ attempts to log on to remote IRC servers and opens a backdoor that allows remote commands to be executed. W32/Mytob-CJ also tries to download files from a remote website and run them.
W32/Mytob-CJ also terminates anti-virus and system related processes.
W32/Mytob-CJ also modifies the HOSTS file to deny access to anti-virus and security related websites.
W32/Mytob-CJ will harvest email addresses and server related information from the Windows Address Book and the Microsoft Internet Account Manager. Email messages sent by W32/Mytob-CJ have the following characteristics:
Subject line chosen from:
'Notice: **Last Warning**'
'Your email account access is restricted'
'Your Email Account is Suspended For Security Reasons'
'Notice:***Your email account will be suspended***'
'Security measures'
'Email Account Suspension'
'*IMPORTANT* Please Validate Your Email Account'
'*IMPORTANT* Your Account Has Been Locked'
'*WARNING* Your Email Account Will Be Closed'
<random characters>
Message text chosen from:
'Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.'
'To unblock your email account acces, please see the attachment.'
'Follow the instructions in the attachment.'
'We have suspended some of your email services, to resolve the problem you should read the attached document.'
'To safeguard your email account from possible termination, please see the attached file.'
'please look at attached document.'
'Account Information Are Attached!'
<random characters>
Attached filenames chosen from:
email-info
email-text
email-doc
information
your_details
document_full
INFO
IMPORTANT
info-text
<random characters>
The attached file consists of any of the above-mentioned base names followed by the extension PIF, SCR, EXE, CMD, BAT or ZIP. The worm may also create a double extension, where the first extension is DOC, TXT or HTM and the final extension is PIF, SCR, EXE, CMD, BAT or ZIP.
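As an added example (not part of the Sophos write-up), a mail-gateway check in Python that recognises the lure subjects and the attachment naming scheme described above, including the double-extension variants. The function names and the block/review/pass classification are my own assumptions; subjects and attachment names made of random characters are not covered, so the attachment rule carries most of the weight.

```python
import re

# Subject lines and attachment base names quoted in the advisory above.
SUBJECTS = {
    "Notice: **Last Warning**",
    "Your email account access is restricted",
    "Your Email Account is Suspended For Security Reasons",
    "Notice:***Your email account will be suspended***",
    "Security measures",
    "Email Account Suspension",
    "*IMPORTANT* Please Validate Your Email Account",
    "*IMPORTANT* Your Account Has Been Locked",
    "*WARNING* Your Email Account Will Be Closed",
}
BASE_NAMES = ["email-info", "email-text", "email-doc", "information",
              "your_details", "document_full", "INFO", "IMPORTANT", "info-text"]
DECOY_EXT = ["doc", "txt", "htm"]          # optional first extension
FINAL_EXT = ["pif", "scr", "exe", "cmd", "bat", "zip"]  # required last extension

# Whole-name match: base name, optional decoy extension, then a final
# executable/archive extension; case-insensitive because Windows is.
ATTACHMENT_RE = re.compile(
    r"^(?:%s)(?:\.(?:%s))?\.(?:%s)$" % (
        "|".join(map(re.escape, BASE_NAMES)),
        "|".join(DECOY_EXT),
        "|".join(FINAL_EXT)),
    re.IGNORECASE,
)

def attachment_matches(filename: str) -> bool:
    """True if the attachment name fits the worm's naming scheme."""
    return ATTACHMENT_RE.match(filename) is not None

def subject_matches(subject: str) -> bool:
    """True if the subject is a known lure (whitespace- and case-tolerant)."""
    norm = " ".join(subject.split()).lower()
    return norm in {" ".join(s.split()).lower() for s in SUBJECTS}

def score_message(subject: str, attachments: list) -> str:
    """'block' when subject and an attachment both match, 'review' when only
    one signal is present (assumed policy), otherwise 'pass'."""
    s = subject_matches(subject)
    a = any(attachment_matches(f) for f in attachments)
    if s and a:
        return "block"
    return "review" if (s or a) else "pass"
```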
In order to run automatically, W32/Mytob-CJ copies itself to the file sky.exe.exe in the Windows system folder and creates the following registry entries (key, value name, value data) to run itself on user logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WINDOWS SKY
sky.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS SKY
sky.exe
The worm also changes the following registry entry (the start type of the SharedAccess service, which provides Windows Firewall/Internet Connection Sharing; a Start value of 4 means disabled) from its default Windows setting:
from:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
dword:00000003
to:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
dword:00000004
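As an added example (my own code, not Sophos's), a Python check that runs over a Regedit export (the backup the Action section tells you to make) and reports the persistence values and the SharedAccess change described above. The .reg parser is minimal and the sample export is constructed; the benign "Updater" entry is there only to show that unrelated values are not reported.

```python
# Registry locations named in the advisory, lower-cased because .reg exports
# write hive paths in varying case (SOFTWARE vs Software).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
SHAREDACCESS_KEY = r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"

def parse_reg(text):
    """Minimal parser for 'Windows Registry Editor Version 5.00' exports.
    Returns {key_path_lowercased: {value_name: raw_data}}. Multi-line hex
    continuations are not handled; unrecognised lines are ignored."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip()
    return keys

def find_indicators(reg_text, dropped_file="sky.exe"):
    """Return findings: Run/RunServices values referencing the dropped file,
    and a SharedAccess start type of 4 (service disabled)."""
    findings, keys = [], parse_reg(reg_text)
    for key in sorted(RUN_KEYS):
        for name, data in keys.get(key, {}).items():
            if dropped_file.lower() in data.lower():
                findings.append(f"{key}\\{name} = {data}")
    start = keys.get(SHAREDACCESS_KEY, {}).get("Start", "")
    if start.lower() == "dword:00000004":
        findings.append(f"{SHAREDACCESS_KEY}\\Start = {start} "
                        "(disabled; Windows default is dword:00000003)")
    return findings

# Constructed sample export reproducing the entries described above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDOWS SKY"="sky.exe"
"Updater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WINDOWS SKY"="sky.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_REG):
        print("FOUND:", finding)
```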
W32/Mytob-CJ also appends entries to the HOSTS file that map the websites of anti-virus and security vendors (Symantec, McAfee, Sophos, F-Secure, Kaspersky, Trend Micro and others), as well as Microsoft and VirusTotal, to 127.0.0.1, denying access to them.
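As an added example (my own code, not from Sophos), a Python triage of a HOSTS file that separates the vendor-blocking entries described above from lines that should survive a clean-up, supporting the "edit it in Notepad" step in the Action section. It goes slightly beyond the page by also treating 0.0.0.0 and ::1 mappings as suspicious; the domain list is a constructed subset of the vendors named on the page, and the sample file is constructed.

```python
import ipaddress

# Vendor domains whose loopback mappings the advisory describes (constructed
# subset; a real deployment would carry the complete vendor list).
SECURITY_DOMAINS = {
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "f-secure.com", "kaspersky.com", "trendmicro.com", "microsoft.com",
    "virustotal.com",
}

def _is_sinkhole(addr: str) -> bool:
    """127.x.x.x, ::1 or 0.0.0.0 (assumed extension beyond the page)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def _is_security_domain(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)

def triage_hosts(text: str):
    """Return (clean_lines, suspicious_lines). A line is suspicious when it maps
    a vendor hostname to a sinkhole address; comments, blanks, the localhost
    entry and unrelated mappings are kept."""
    clean, suspicious = [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comment
        if (len(fields) >= 2 and _is_sinkhole(fields[0])
                and any(_is_security_domain(h) for h in fields[1:])):
            suspicious.append(line)
        else:
            clean.append(line)
    return clean, suspicious

# Constructed sample HOSTS file: a stock header, the worm's style of entries,
# one 0.0.0.0 variant, and a legitimate internal mapping that must survive.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 sophos.com
127.0.0.1 liveupdate.symantecliveupdate.com
0.0.0.0 www.virustotal.com
192.0.2.10 intranet.example   # legitimate internal entry
"""
```

Writing "\n".join(clean) back to the HOSTS file is the remediation; the suspicious lines are what an incident record should retain.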
Sophos's anti-virus products include Genotype ™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Mytob-CJ (detected as W32/MyDoom-Gen) since version 3.92.
