high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Included in our products from | July 2005 (3.95) |
| Protection available since | 27 May 2005 00:57:07 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
and remove any reference to any file you deleted.
Close the registry editor.
More Information
W32/Mytob-CM is a mass-mailing worm and IRC backdoor Trojan.
W32/Mytob-CM runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Mytob-CM can spread by sending itself as an email attachment to email addresses it harvests from the infected computer.
W32/Mytob-CM modifies the Windows hosts file in order to block access to security-related websites.
Emails sent by the worm have the following characteristics:
Subject line chosen from:
Security measures
Notice: **Last Warning**
*DETECTED* Online User Violation
Your Email Account is Suspended For Security Reasons
Account Alert
Important Notification
*WARNING* Your Email Account Will Be Closed
Email Account Suspension
Notice of account limitation
Message text chosen from:
Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
The original message has been included as an attachment.
We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.
We attached some important information regarding your account.
Please read the attached document and follow it's instructions.
<random characters>
The attached file consists of a base name followed by the extensions PIF, SCR, EXE or ZIP. The worm may optionally create double extensions where the first extension is DOC, TXT or HTM and the final extension is PIF, SCR, EXE or ZIP. W32/Mytob-CM is a mass-mailing worm and IRC backdoor Trojan.
W32/Mytob-CM runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Mytob-CM can spread by sending itself as an email attachment to email addresses it harvests from the infected computer.
Emails sent by the worm have the following characteristics:
Subject line chosen from:
Security measures
Notice: **Last Warning**
*DETECTED* Online User Violation
Your Email Account is Suspended For Security Reasons
Account Alert
Important Notification
*WARNING* Your Email Account Will Be Closed
Email Account Suspension
Notice of account limitation
Message text chosen from:
Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
The original message has been included as an attachment.
We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.
We attached some important information regarding your account.
Please read the attached document and follow it's instructions.
<random characters>
The attached file consists of a base name followed by the extensions PIF, SCR, EXE or ZIP. The worm may optionally create double extensions where the first extension is DOC, TXT or HTM and the final extension is PIF, SCR, EXE or ZIP.
When first run W32/Mytob-CM copies itself to <System>\nec.exe.
The following registry entries are created to run nec.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS SYSTEM
nec.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS SYSTEM
nec.exe
W32/Mytob-CM sets the following registry entry, disabling the automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
W32/Mytob-CM modifies the Windows hosts file in order to block access to the following security-related websites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.msn.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
|
