Sophos

W32/Mytob-DH


Summary

How it spreads
  • Email attachments
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from September 2005 (3.97)
Protection available since 9 July 2005 16:03:42 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

and remove any reference to any file you deleted.

Close the registry editor.

More Information

Sophos's anti-virus products include Genotype™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Mytob-DH (detected as W32/Mytob-Gen) since version 3.94.

W32/Mytob-DH is a mass-mailing worm for the Windows platform.

The worm scans files on the local hard disks for email addresses and sends an email to those addresses of the following form:
Subject chosen from:
*DETECTED* Online User Violation
<random characters>
EMAIL ACCOUNT SUSPENSION
Important Notification
Members Support
Warning Messasge: Your services near to be closed.
YOU HAVE SUCCESSFULLY UPDATED YOUR PASSWORD
Your Account is Suspended
Your Account is Suspended For Security Reasons
YOUR PASSWORD HAS BEEN SUCCESFULLY UPDATED
Your password has been updated

The sender address will be one of the following:
admin@<domain>
administrator@<domain>
info@<domain>
mail@<domain>
register@<domain>
service@<domain>
support@<domain>
webmaster@<domain>
where <domain> is the domain of the recipient's email address. For example, if the email is sent to bob@example.com, the sender will be admin@example.com.

The message text will be:

---
Dear user <user>,

You have successfully updated the password of your <site> account.

Please view the attached file for more information.

If you did not authorize this change or if you need assistance with your account, please contact <site> customer service at: <from address>

Thank you for using <site>!
The <site> Support Team

Attachment: Scan Complete (0 Virus Found)
+++ <site> Antivirus - www.<domain>
---
Here, for the recipient address bob@example.com, <user> is bob, <site> is Example and <domain> is example.com.
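The mail template above is distinctive enough to match at a gateway: a generic sender forged in the recipient's own domain, one of the listed subjects, the password-update body text and an attachment. The following is an added example, not Sophos code, that scores a raw message against those traits; the sample message and the attachment name are constructed placeholders (the advisory does not name the attachment).

```python
import email
from email import policy
from email.utils import parseaddr

# Sender local parts, subjects and body phrases are those the advisory lists.
MYTOB_SENDERS = {"admin", "administrator", "info", "mail",
                 "register", "service", "support", "webmaster"}
MYTOB_SUBJECTS = {  # matched case-insensitively; the random-character subject is not listed
    "*detected* online user violation", "email account suspension",
    "important notification", "members support",
    "warning messasge: your services near to be closed.",
    "you have successfully updated your password", "your account is suspended",
    "your account is suspended for security reasons",
    "your password has been succesfully updated", "your password has been updated",
}
BODY_MARKERS = ("successfully updated the password of your", "scan complete (0 virus found)")

def mytob_dh_traits(raw: bytes) -> list:
    """Return the Mytob-DH template traits found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    traits = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    if "@" in sender and "@" in rcpt:
        local, domain = sender.rsplit("@", 1)
        # The worm forges a generic sender inside the recipient's own domain.
        if local in MYTOB_SENDERS and domain == rcpt.rsplit("@", 1)[1]:
            traits.append("same-domain generic sender")
    if msg.get("Subject", "").strip().lower() in MYTOB_SUBJECTS:
        traits.append("known subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if all(marker in text for marker in BODY_MARKERS):
        traits.append("password-update template body")
    if any(True for _ in msg.iter_attachments()):
        traits.append("attachment present")
    return traits

def looks_like_mytob_dh(raw: bytes) -> bool:
    """Quarantine candidate: two or more template traits in one message."""
    return len(mytob_dh_traits(raw)) >= 2

# Constructed sample in the shape the advisory describes (not a real capture);
# the attachment name is a placeholder because the page does not give one.
SAMPLE = (b"From: support@example.com\nTo: bob@example.com\n"
          b"Subject: Your password has been updated\nMIME-Version: 1.0\n"
          b'Content-Type: multipart/mixed; boundary="b1"\n\n--b1\nContent-Type: text/plain\n\n'
          b"Dear user bob,\n\nYou have successfully updated the password of your Example account.\n\n"
          b"Attachment: Scan Complete (0 Virus Found)\n+++ Example Antivirus - www.example.com\n"
          b'--b1\nContent-Type: application/octet-stream; name="PLACEHOLDER.dat"\n'
          b'Content-Disposition: attachment; filename="PLACEHOLDER.dat"\n\nx\n--b1--\n')
```

Run `looks_like_mytob_dh(SAMPLE)` to see the constructed sample flagged; a legitimate same-domain notice without the body text and attachment scores below the threshold.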

When first run W32/Mytob-DH copies itself to <System>\wpwmgrs.exe.

The following registry entries are created to run wpwmgrs.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wpwmgrs
wpwmgrs.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
wpwmgrs
wpwmgrs.exe

W32/Mytob-DH sets the following registry entry, which disables the automatic startup of the SharedAccess service (Windows Firewall / Internet Connection Sharing):

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
