W32.Mytob.LZ@mm Nov 23, 2005

Aliases:
W32.Mytob.FZ@mm
Type:
Worm
Description:
When W32.Mytob.LZ@mm is executed, it performs the following actions:

1. Copies itself as %System%\wID32.exe.

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

2. Adds the value:

"WINDOWS ID SYSTEM" = "wID32.exe"

to the registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

so that it runs every time Windows starts.

3. Gathers email addresses from the Windows Address Book and from the following locations:

* %Windir%\Temporary Internet Files
* %UserProfile%\Local Settings\Temporary Internet Files
* %System%

Note:
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

4. Gathers email addresses from files with the following extensions on all local drives from C to Y:

* .adb
* .asp
* .cgi
* .dbx
* .htm
* .html
* .jsp
* .php
* .pl
* .sht
* .tbb
* .txt
* .wab
* .xml

5. Uses its own SMTP engine to send itself to the email addresses that it finds. The worm may also spoof a From address using one of the addresses found on the compromised computer. The email has the following characteristics:
From:
(One of the following)

* service@[DOMAIN NAME]
* administrator@[DOMAIN NAME]
* info@[DOMAIN NAME]
* register@[DOMAIN NAME]
* mail@[DOMAIN NAME]
* webmaster@[DOMAIN NAME]
* admin@[DOMAIN NAME]
* support@[DOMAIN NAME]

Subject:
One of the following:

* Your Account is Suspended
* *DETECTED* Online User Violation
* Your Account is Suspended for Security Reasons
* Warning Message: Your services near to be closed.
* Important Notification
* Members Support
* Security measures
* Email Account Suspension
* Notice of account limitation

Message:
One of the following:

* Dear user [USER NAME],

It has come to our attention that your [DOMAIN NAME] User Profile ( x ) records are out of date. For further details see the attached document.Thank you for using [DOMAIN NAME]!

The [DOMAIN NAME] Support Team

+++ Attachment: No Virus (Clean)
+++ [DOMAIN NAME] Antivirus - www.[DOMAIN NAME]

* Dear [DOMAIN NAME] Member,

We have temporarily suspended your email account [USER NAME].

This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
See the details to reactivate your [USER NAME] account.

Sincerely,The [DOMAIN NAME] Support Team

+++ Attachment: No Virus (Clean)
+++ [DOMAIN NAME] Antivirus - www.[DOMAIN NAME]

* Dear [DOMAIN NAME] Member,

Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes
out of your online experience and confirm the attached document so you will not run into any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to cancel your membership.

Virtually yours,

The [DOMAIN NAME] Support Team

+++ Attachment: No Virus found
+++ [DOMAIN NAME] Antivirus - www.[DOMAIN NAME]

Attachment:
One of the following:

* important-details
* account-details
* email-details
* account-info
* document
* readme
* account-report

with one of the following extensions:

* .pif
* .scr
* .exe
* .cmd
* .bat

The attachment may also be a .zip file containing a copy of the worm with two file extensions. The copy of the worm will have .doc, .htm, or .txt as the first extension, and .exe, .pif, or .scr as the second extension.
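The sender, subject, body footer and attachment-name characteristics listed above are enough to write a mail-gateway check. The following is an added example, not part of the original writeup, that parses a message with Python's standard email library and reports which of the listed indicators it matches, including the case of a .zip attachment whose member carries the decoy/executable double extension. The message it inspects is constructed inside the block, and the example.test domain is a placeholder.

```python
import io
import re
import zipfile
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators copied from the writeup: spoofed sender local parts, subjects,
# attachment base names and executable extensions, plus the fake AV footer.
SPOOFED_LOCALPARTS = {"service", "administrator", "info", "register",
                      "mail", "webmaster", "admin", "support"}
SUBJECTS = {
    "Your Account is Suspended",
    "*DETECTED* Online User Violation",
    "Your Account is Suspended for Security Reasons",
    "Warning Message: Your services near to be closed.",
    "Important Notification",
    "Members Support",
    "Security measures",
    "Email Account Suspension",
    "Notice of account limitation",
}
ATTACHMENT_STEMS = {"important-details", "account-details", "email-details",
                    "account-info", "document", "readme", "account-report"}
EXEC_EXT = {"pif", "scr", "exe", "cmd", "bat"}
# Inside a .zip: a decoy first extension followed by an executable one.
DOUBLE_EXT = re.compile(r"^.+\.(doc|htm|txt)\.(exe|pif|scr)$", re.IGNORECASE)
BODY_MARKER = "+++ Attachment: No Virus"


def attachment_indicators(part):
    """Indicators for one MIME attachment: lure name plus executable extension,
    or a .zip whose members use the decoy/executable double extension."""
    hits = []
    name = (part.get_filename() or "").lower()
    if not name:
        return hits
    stem, _, ext = name.rpartition(".")
    if stem in ATTACHMENT_STEMS and ext in EXEC_EXT:
        hits.append(f"attachment:{name}")
    if ext == "zip":
        data = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                hits.extend(f"zip-double-ext:{m}" for m in zf.namelist()
                            if DOUBLE_EXT.match(m))
        except zipfile.BadZipFile:
            hits.append(f"zip-unreadable:{name}")
    return hits


def mytob_indicators(raw):
    """Return the list of Mytob.LZ lure indicators found in an RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    local = parseaddr(str(msg.get("From", "")))[1].split("@")[0].lower()
    if local in SPOOFED_LOCALPARTS:
        hits.append(f"from:{local}")
    if str(msg.get("Subject", "")).strip() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_MARKER in body.get_content():
        hits.append("body-marker")
    for part in msg.iter_attachments():
        hits.extend(attachment_indicators(part))
    return hits


def build_sample():
    """Constructed sample resembling the lure described above (not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("account-details.doc.exe", b"placeholder, not an executable")
    msg = EmailMessage()
    msg["From"] = "support@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Email Account Suspension"
    msg.set_content("Dear example.test Member,\n\n"
                    "We have temporarily suspended your email account user.\n\n"
                    "+++ Attachment: No Virus (Clean)\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="account-info.zip")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="readme.pif")
    return msg.as_string()


if __name__ == "__main__":
    print(mytob_indicators(build_sample()))
```

Each indicator on its own is weak (plenty of legitimate mail comes from support@ addresses), so a gateway rule would act on the combination, and the zip inspection is the part worth keeping: the double-extension member is what the lure relies on to get past a naive attachment filter.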

6. Avoids sending itself to email addresses that contain any of the following strings:

* .gov
* .mil
* abuse
* accoun
* acketst
* admin
* anyone
* arin.
* avp
* borlan
* bsd
* bugs
* ca
* certific
* contact
* example
* feste
* fido
* foo.
* fsf.
* gnu
* gold-certs
* google
* gov.
* help
* hotmail
* iana
* ibm.com
* icrosof
* icrosoft
* ietf
* info
* inpris
* isc.o
* isi.e
* kernel
* linux
* listserv
* math
* me
* mit.e
* mozilla
* msn.
* mydomai
* no
* nobody
* nodomai
* noone
* not
* nothing
* ntivi
* page
* panda
* pgp
* postmaster
* privacy
* rating
* rfc-ed
* ripe.
* root
* ruslis
* samples
* secur
* sendmail
* service
* site
* smp
* soft
* somebody
* someone
* sopho
* spam
* submit
* support
* syma
* tanford.e
* the.bat
* unix
* usenet
* utgers.ed
* webmaster
* www
* you
* your

7. The worm may append the following prefixes to domain names in an attempt to find Simple Mail Transfer Protocol (SMTP) servers:

* mx.
* mail.
* smtp.
* mx1.
* mxs.
* mail1.
* relay.
* ns.
* gate.

8. Spreads by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow vulnerability (as described in Microsoft Security Bulletin MS04-011).

9. Opens a back door and connects to an IRC server on the complete.rt89318.info domain on TCP port 7999 and listens for commands. The commands allow a remote attacker to perform a variety of actions on the compromised computer.
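The back-door connection in step 9 and the worm's own SMTP engine from steps 5 and 7 both show up in outbound connection logs. The following is an added example, not part of the original writeup, that runs over constructed flow records and flags a source host for contacting the C2 domain or TCP port named above, or for opening direct SMTP connections to many distinct destinations (a workstation delivering to MX hosts itself rather than through the corporate relay). The record format, the sample data and the fan-out threshold are assumptions for this example.

```python
from collections import defaultdict

# C2 values are taken from the writeup (step 9). The SMTP fan-out threshold is
# an assumption for this example and should be tuned per environment.
C2_DOMAIN = "complete.rt89318.info"
C2_PORT = 7999
SMTP_PORT = 25
SMTP_FANOUT_THRESHOLD = 20


def parse_flow(line):
    """Parse one constructed flow record: 'timestamp,src_ip,dst_host,dst_port,proto'."""
    ts, src, dst, port, proto = line.strip().split(",")
    return ts, src, dst.lower().rstrip("."), int(port), proto.lower()


def detect(lines):
    """Map each source host to the set of reasons it looks infected."""
    reasons = defaultdict(set)
    smtp_targets = defaultdict(set)   # src -> distinct SMTP destinations
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        _, src, dst, port, proto = parse_flow(line)
        if proto != "tcp":
            continue
        if dst == C2_DOMAIN or dst.endswith("." + C2_DOMAIN):
            reasons[src].add("c2-domain")
        if port == C2_PORT:
            reasons[src].add("c2-port")
        if port == SMTP_PORT:
            smtp_targets[src].add(dst)
    # A single host talking SMTP to many different servers is the mass-mailer
    # signature; a normal client talks to one relay.
    for src, targets in smtp_targets.items():
        if len(targets) >= SMTP_FANOUT_THRESHOLD:
            reasons[src].add(f"smtp-fanout:{len(targets)}")
    return dict(reasons)


def build_sample_flows():
    """Constructed flow log: one infected workstation, one normal one."""
    lines = ["# ts,src,dst,port,proto"]
    # Infected host: IRC back door plus direct-to-MX mailing to many domains.
    lines.append("2005-11-23T10:00:01Z,10.0.0.5,complete.rt89318.info,7999,tcp")
    for i in range(25):
        lines.append(f"2005-11-23T10:00:{i + 2:02d}Z,10.0.0.5,mx.domain{i}.test,25,tcp")
    # Normal host: uses the corporate relay and browses the web.
    lines.append("2005-11-23T10:01:00Z,10.0.0.9,mail.example.test,25,tcp")
    lines.append("2005-11-23T10:01:05Z,10.0.0.9,www.example.test,443,tcp")
    return lines


if __name__ == "__main__":
    for host, why in detect(build_sample_flows()).items():
        print(host, sorted(why))
```

The fan-out check is the more durable of the two: the C2 domain and port change from variant to variant, while a workstation that suddenly speaks SMTP to dozens of mail exchangers is a pattern shared by most mass-mailing worms, which is also why blocking outbound TCP/25 from clients at the perimeter is a common mitigation.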

10. Blocks access to several security-related Web sites by adding the following entries to the hosts file:

127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 customer.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 rads.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 viruslist.com
127.0.0.1 www.avp.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.com

11. Attempts to end the following processes, some of which may be security-related:

* ACKWIN32.EXE
* ADAWARE.EXE
* ADVXDWIN.EXE
* AGENTSVR.EXE
* AGENTW.EXE
* ALERTSVC.EXE
* ALEVIR.EXE
* ALOGSERV.EXE
* AMON9X.EXE
* ANTI-TROJAN.EXE
* ANTIVIRUS.EXE
* ANTS.EXE
* APIMONITOR.EXE
* APLICA32.EXE
* APVXDWIN.EXE
* ARR.EXE
* ATCON.EXE
* ATGUARD.EXE
* ATRO55EN.EXE
* ATUPDATER.EXE
* ATWATCH.EXE
* AU.EXE
* AUPDATE.EXE
* AUTO-PROTECT.NAV80TRY.EXE
* AUTODOWN.EXE
* AUTOTRACE.EXE
* AUTOUPDATE.EXE
* AVCONSOL.EXE
* AVE32.EXE
* AVGCC32.EXE
* AVGCTRL.EXE
* AVGNT.EXE
* AVGSERV.EXE
* AVGSERV9.EXE
* AVGUARD.EXE
* AVGW.EXE
* AVKPOP.EXE
* AVKSERV.EXE
* AVKSERVICE.EXE
* AVKWCTl9.EXE
* AVLTMAIN.EXE
* AVNT.EXE
* AVP.EXE
* AVP32.EXE
* AVPCC.EXE
* AVPDOS32.EXE
* AVPM.EXE
* AVPTC32.EXE
* AVPUPD.EXE
* AVSCHED32.EXE
* AVSYNMGR.EXE
* AVWINNT.EXE
* AVWUPD.EXE
* AVWUPD32.EXE
* AVWUPSRV.EXE
* AVXMONITOR9X.EXE
* AVXMONITORNT.EXE
* AVXQUAR.EXE
* BACKWEB.EXE
* BARGAINS.EXE
* BD_PROFESSIONAL.EXE
* BEAGLE.EXE
* BELT.EXE
* BIDEF.EXE
* BIDSERVER.EXE
* BIPCP.EXE
* BIPCPEVALSETUP.EXE
* BISP.EXE
* BLACKD.EXE
* BLACKICE.EXE
* BLSS.EXE
* BOOTCONF.EXE
* BOOTWARN.EXE
* BORG2.EXE
* BPC.EXE
* BRASIL.EXE
* BS120.EXE
* BUNDLE.EXE
* BVT.EXE
* CCAPP.EXE
* CCEVTMGR.EXE
* CCPXYSVC.EXE
* CDP.EXE
* CFD.EXE
* CFGWIZ.EXE
* CFIADMIN.EXE
* CFIAUDIT.EXE
* CFINET.EXE
* CFINET32.EXE
* CLAW95CF.EXE
* CLEAN.EXE
* CLEANER.EXE
* CLEANER3.EXE
* CLEANPC.EXE
* CLICK.EXE
* CMD.EXE
* CMD32.EXE
* CMESYS.EXE
* CMGRDIAN.EXE
* CMON016.EXE
* CONNECTIONMONITOR.EXE
* CPD.EXE
* CPF9X206.EXE
* CPFNT206.EXE
* CTRL.EXE
* CV.EXE
* CWNB181.EXE
* CWNTDWMO.EXE
* DATEMANAGER.EXE
* DCOMX.EXE
* DEFALERT.EXE
* DEFSCANGUI.EXE
* DEFWATCH.EXE
* DEPUTY.EXE
* DIVX.EXE
* DLLCACHE.EXE
* DLLREG.EXE
* DOORS.EXE
* DPF.EXE
* DPFSETUP.EXE
* DPPS2.EXE
* DRWATSON.EXE
* DRWEB32.EXE
* DRWEBUPW.EXE
* DSSAGENT.EXE
* DVP95.EXE
* DVP95_0.EXE
* ECENGINE.EXE
* EFPEADM.EXE
* EMSW.EXE
* ENT.EXE
* ESAFE.EXE
* ESCANHNT.EXE
* ESCANV95.EXE
* ESPWATCH.EXE
* ETHEREAL.EXE
* ETRUSTCIPE.EXE
* EVPN.EXE
* EXANTIVIRUS-CNET.EXE
* EXE.AVXW.EXE
* EXPERT.EXE
* EXPLORE.EXE
* F-PROT.EXE
* F-PROT95.EXE
* F-STOPW.EXE
* FAMEH32.EXE
* FAST.EXE
* FCH32.EXE
* FIH32.EXE
* FINDVIRU.EXE
* FIREWALL.EXE
* FNRB32.EXE
* FP-WIN.EXE
* FP-WIN_TRIAL.EXE
* FPROT.EXE
* FRW.EXE
* FSAA.EXE
* FSAV.EXE
* FSAV32.EXE
* FSAV530STBYB.EXE
* FSAV530WTBYB.EXE
* FSAV95.EXE
* FSGK32.EXE
* FSM32.EXE
* FSMA32.EXE
* FSMB32.EXE
* GATOR.EXE
* GBMENU.EXE
* GBPOLL.EXE
* GENERICS.EXE
* GMT.EXE
* GUARD.EXE
* GUARDDOG.EXE
* HACKTRACERSETUP.EXE
* HBINST.EXE
* HBSRV.EXE
* HOTACTIO.EXE
* HOTPATCH.EXE
* HTLOG.EXE
* HTPATCH.EXE
* HWPE.EXE
* HXDL.EXE
* HXIUL.EXE
* IAMAPP.EXE
* IAMSERV.EXE
* IAMSTATS.EXE
* IBMASN.EXE
* IBMAVSP.EXE
* ICLOADNT.EXE
* ICMON.EXE
* ICSUPP95.EXE
* ICSUPPNT.EXE
* IDLE.EXE
* IEDLL.EXE
* IEDRIVER.EXE
* IEXPLORER.EXE
* IFACE.EXE
* IFW2000.EXE
* INETLNFO.EXE
* INFUS.EXE
* INFWIN.EXE
* INIT.EXE
* INTDEL.EXE
* INTREN.EXE
* IOMON98.EXE
* ISTSVC.EXE
* JAMMER.EXE
* JDBGMRG.EXE
* JEDI.EXE
* KAVLITE40ENG.EXE
* KAVPERS40ENG.EXE
* KAVPF.EXE
* KAZZA.EXE
* KEENVALUE.EXE
* KERIO-PF-213-EN-WIN.EXE
* KERIO-WRL-421-EN-WIN.EXE
* KERIO-WRP-421-EN-WIN.EXE
* KERNEL32.EXE
* KILLPROCESSSETUP161.EXE
* LAUNCHER.EXE
* LDNETMON.EXE
* LDPRO.EXE
* LDPROMENU.EXE
* LDSCAN.EXE
* LNETINFO.EXE
* LOADER.EXE
* LOCALNET.EXE
* LOCKDOWN.EXE
* LOCKDOWN2000.EXE
* LOOKOUT.EXE
* LORDPE.EXE
* LSETUP.EXE
* LUALL.EXE
* LUAU.EXE
* LUCOMSERVER.EXE
* LUINIT.EXE
* LUSPT.EXE
* MAPISVC32.EXE
* MCAGENT.EXE
* MCMNHDLR.EXE
* MCSHIELD.EXE
* MCTOOL.EXE
* MCUPDATE.EXE
* MCVSRTE.EXE
* MCVSSHLD.EXE
* MD.EXE
* MFIN32.EXE
* MFW2EN.EXE
* MFWENG3.02D30.EXE
* MGAVRTCL.EXE
* MGAVRTE.EXE
* MGHTML.EXE
* MGUI.EXE
* MINILOG.EXE
* MMOD.EXE
* MONITOR.EXE
* MOOLIVE.EXE
* MOSTAT.EXE
* MPFAGENT.EXE
* MPFSERVICE.EXE
* MPFTRAY.EXE
* MRFLUX.EXE
* MSAPP.EXE
* MSBB.EXE
* MSBLAST.EXE
* MSCACHE.EXE
* MSCCN32.EXE
* MSCMAN.EXE
* MSCONFIG.EXE
* MSDM.EXE
* MSDOS.EXE
* MSIEXEC16.EXE
* MSINFO32.EXE
* MSLAUGH.EXE
* MSMGT.EXE
* MSMSGRI32.EXE
* MSSMMC32.EXE
* MSSYS.EXE
* MSVXD.EXE
* MU0311AD.EXE
* MWATCH.EXE
* N32SCANW.EXE
* NAV.EXE
* NAVAP.NAVAPSVC.EXE
* NAVAPSVC.EXE
* NAVAPW32.EXE
* NAVDX.EXE
* NAVLU32.EXE
* NAVNT.EXE
* NAVSTUB.EXE
* NAVW32.EXE
* NAVWNT.EXE
* NC2000.EXE
* NCINST4.EXE
* NDD32.EXE
* NEC.EXE
* NEOMONITOR.EXE
* NEOWATCHLOG.EXE
* NETARMOR.EXE
* NETD32.EXE
* NETINFO.EXE
* NETMON.EXE
* NETSCANPRO.EXE
* NETSPYHUNTER-1.2.EXE
* NETSTAT.EXE
* NETUTILS.EXE
* NISSERV.EXE
* NISUM.EXE
* NMAIN.EXE
* NOD32.EXE
* NORMIST.EXE
* NORTON_INTERNET_SECU_3.0_407.EXE
* NOTSTART.EXE
* NPF40_TW_98_NT_ME_2K.EXE
* NPFMESSENGER.EXE
* NPROTECT.EXE
* NPSCHECK.EXE
* NPSSVC.EXE
* NSCHED32.EXE
* NSSYS32.EXE
* NSTASK32.EXE
* NSUPDATE.EXE
* NT.EXE
* NTRTSCAN.EXE
* NTVDM.EXE
* NTXconfig.EXE
* NUI.EXE
* NUPGRADE.EXE
* NVARCH16.EXE
* NVC95.EXE
* NVSVC32.EXE
* NWINST4.EXE
* NWSERVICE.EXE
* NWTOOL16.EXE
* OLLYDBG.EXE
* ONSRVR.EXE
* OPTIMIZE.EXE
* OSTRONET.EXE
* OTFIX.EXE
* OUTPOST.EXE
* OUTPOSTINSTALL.EXE
* OUTPOSTPROINSTALL.EXE
* PADMIN.EXE
* PANIXK.EXE
* PATCH.EXE
* PAVCL.EXE
* PAVPROXY.EXE
* PAVSCHED.EXE
* PAVW.EXE
* PCFWALLICON.EXE
* PCIP10117_0.EXE
* PCSCAN.EXE
* PDSETUP.EXE
* PERISCOPE.EXE
* PERSFW.EXE
* PERSWF.EXE
* PF2.EXE
* PFWADMIN.EXE
* PGMONITR.EXE
* PINGSCAN.EXE
* PLATIN.EXE
* POP3TRAP.EXE
* POPROXY.EXE
* POPSCAN.EXE
* PORTDETECTIVE.EXE
* PORTMONITOR.EXE
* POWERSCAN.EXE
* PPINUPDT.EXE
* PPTBC.EXE
* PPVSTOP.EXE
* PRIZESURFER.EXE
* PRMT.EXE
* PRMVR.EXE
* PROCDUMP.EXE
* PROCESSMONITOR.EXE
* PROCEXPLORERV1.0.EXE
* PROGRAMAUDITOR.EXE
* PROPORT.EXE
* PROTECTX.EXE
* PSPF.EXE
* PURGE.EXE
* QCONSOLE.EXE
* QSERVER.EXE
* RAPAPP.EXE
* RAV7.EXE
* RAV7WIN.EXE
* RAV8WIN32ENG.EXE
* RAY.EXE
* RB32.EXE
* RCSYNC.EXE
* REALMON.EXE
* REGED.EXE
* REGEDIT.EXE
* REGEDT32.EXE
* RESCUE.EXE
* RESCUE32.EXE
* RRGUARD.EXE
* RSHELL.EXE
* RTVSCAN.EXE
* RTVSCN95.EXE
* RULAUNCH.EXE
* RUN32DLL.EXE
* RUNDLL.EXE
* RUNDLL16.EXE
* RUXDLL32.EXE
* SAFEWEB.EXE
* SAHAGENT.EXE
* SAVE.EXE
* SAVENOW.EXE
* SBSERV.EXE
* SC.EXE
* SCAM32.EXE
* SCAN32.EXE
* SCAN95.EXE
* SCANPM.EXE
* SCRSCAN.EXE
* SETUPVAMEEVAL.EXE
* SETUP_FLOWPROTECTOR_US.EXE
* SFC.EXE
* SGSSFW32.EXE
* SH.EXE
* SHELLSPYINSTALL.EXE
* SHN.EXE
* SHOWBEHIND.EXE
* SMC.EXE
* SMS.EXE
* SMSS32.EXE
* SOAP.EXE
* SOFI.EXE
* SPERM.EXE
* SPF.EXE
* SPHINX.EXE
* SPOLER.EXE
* SPOOLCV.EXE
* SPOOLSV32.EXE
* SPYXX.EXE
* SREXE.EXE
* SRNG.EXE
* SS3EDIT.EXE
* SSGRATE.EXE
* SSG_4104.EXE
* ST2.EXE
* START.EXE
* STCLOADER.EXE
* SUPFTRL.EXE
* SUPPORT.EXE
* SUPPORTER5.EXE
* SVC.EXE
* SVCHOSTC.EXE
* SVCHOSTS.EXE
* SVSHOST.EXE
* SWEEP95.EXE
* SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE
* SYMPROXYSVC.EXE
* SYMTRAY.EXE
* SYSEDIT.EXE
* SYSTEM.EXE
* SYSTEM32.EXE
* SYSUPD.EXE
* TASKMG.EXE
* TASKMGR.EXE
* TASKMO.EXE
* TASKMON.EXE
* TAUMON.EXE
* TBSCAN.EXE
* TC.EXE
* TCA.EXE
* TCM.EXE
* TDS-3.EXE
* TDS2-NT.EXE
* TEEKIDS.EXE
* TFAK.EXE
* TFAK5.EXE
* TGBOB.EXE
* TITANIN.EXE
* TITANINXP.EXE
* TRACERT.EXE
* TRICKLER.EXE
* TRJSCAN.EXE
* TRJSETUP.EXE
* TROJANTRAP3.EXE
* TSADBOT.EXE
* TVMD.EXE
* TVTMD.EXE
* UNDOBOOT.EXE
* UPDAT.EXE
* UPDATE.EXE
* UPGRAD.EXE
* UTPOST.EXE
* VBCMSERV.EXE
* VBCONS.EXE
* VBUST.EXE
* VBWIN9X.EXE
* VBWINNTW.EXE
* VCSETUP.EXE
* VET32.EXE
* VET95.EXE
* VETTRAY.EXE
* VFSETUP.EXE
* VIR-HELP.EXE
* VIRUSMDPERSONALFIREWALL.EXE
* VNLAN300.EXE
* VNPC3000.EXE
* VPC32.EXE
* VPC42.EXE
* VPFW30S.EXE
* VPTRAY.EXE
* VSCAN40.EXE
* VSCENU6.02D30.EXE
* VSCHED.EXE
* VSECOMR.EXE
* VSHWIN32.EXE
* VSISETUP.EXE
* VSMAIN.EXE
* VSMON.EXE
* VSSTAT.EXE
* VSWIN9XE.EXE
* VSWINNTSE.EXE
* VSWINPERSE.EXE
* W32DSM89.EXE
* W9X.EXE
* WATCHDOG.EXE
* WEBDAV.EXE
* WEBSCANX.EXE
* WEBTRAP.EXE
* WFINDV32.EXE
* WHOSWATCHINGME.EXE
* WIMMUN32.EXE
* WIN-BUGSFIX.EXE
* WIN32.EXE
* WIN32US.EXE
* WINACTIVE.EXE
* WINDOW.EXE
* WINDOWS.EXE
* WININETD.EXE
* WININIT.EXE
* WININITX.EXE
* WINLOGIN.EXE
* WINMAIN.EXE
* WINNET.EXE
* WINPPR32.EXE
* WINRECON.EXE
* WINSERVN.EXE
* WINSSK32.EXE
* WINSTART.EXE
* WINSTART001.EXE
* WINTSK32.EXE
* WINUPDATE.EXE
* WKUFIND.EXE
* WNAD.EXE
* WNT.EXE
* WRADMIN.EXE
* WRCTRL.EXE
* WSBGATE.EXE
* WUPDATER.EXE
* WUPDT.EXE
* WYVERNWORKSFIREWALL.EXE
* XPF202EN.EXE
* ZAPRO.EXE
* ZAPSETUP3001.EXE
* ZATUTOR.EXE
* ZONALM2601.EXE
* ZONEALARM.EXE
* _AVP32.EXE
* _AVPCC.EXE
* _AVPM.EXE

Solution:
The following instructions pertain to all current and recent antivirus products.

1. Disable System Restore (Windows Me/XP).
2. Remove all the entries that the risk added to the hosts file.
3. Update the virus definitions.
4. Run a full system scan and delete all the files detected.
5. Delete any values added to the registry.
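Step 2 of the solution (removing the hosts-file entries listed under step 10 of the description) is the one most often done by hand, and missing an entry leaves the machine unable to reach its antivirus update servers. The following is an added example, not part of the original writeup, that parses hosts-file text and strips only lines mapping one of the listed vendor domains, or a subdomain of one, to a sinkhole address while keeping legitimate entries. It goes slightly beyond the page in two ways, both labelled in the code: it matches on the vendor apex domains so every subdomain in the list is covered, and it also treats 0.0.0.0 as a sinkhole address even though the writeup only shows 127.0.0.1. The sample hosts text is constructed.

```python
# Vendor apex domains covering every hosts-file entry listed in the writeup
# (step 10); matching on the apex also catches subdomains such as
# liveupdate.symantec.com or securityresponse.symantec.com.
HIJACKED_APEX = {
    "avp.com", "ca.com", "f-secure.com", "grisoft.com", "kaspersky.com",
    "kaspersky-labs.com", "mcafee.com", "microsoft.com", "my-etrust.com",
    "nai.com", "networkassociates.com", "sophos.com", "symantec.com",
    "symantecliveupdate.com", "trendmicro.com", "viruslist.com",
}
# The writeup only shows 127.0.0.1; 0.0.0.0 is included as a generalisation
# because it is the other common way to black-hole a name in a hosts file.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0"}


def is_hijacked(host):
    """True if host is one of the blocked vendor domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == apex or host.endswith("." + apex) for apex in HIJACKED_APEX)


def clean_hosts(text):
    """Return (cleaned hosts text, list of removed lines).

    A line is removed only when it maps a hijacked name to a sinkhole
    address; legitimate entries such as '127.0.0.1 localhost' are kept."""
    kept, removed = [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then tokenise
        if (len(fields) >= 2 and fields[0] in SINKHOLE_ADDRS
                and any(is_hijacked(h) for h in fields[1:])):
            removed.append(line)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


# Constructed sample, not a file taken from an infected machine.
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1       localhost
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.mcafee.com
0.0.0.0   kaspersky-labs.com
192.168.1.10    intranet.example.test
"""

if __name__ == "__main__":
    cleaned, removed = clean_hosts(SAMPLE_HOSTS)
    print(f"removed {len(removed)} hijacked entries")
    print(cleaned)
```

To apply it to a real machine, read the hosts file (by default %System%\drivers\etc\hosts on Windows NT/2000/XP and %Windir%\hosts on Windows 95/98/Me), pass its contents to clean_hosts, and write the cleaned text back; keep the removed lines as evidence. Do this before the definition update in step 3, since the hijacked entries are exactly what would stop that update from reaching the vendor.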


 

