MyTob Email Virus
Recent versions of this virus arrive as email purporting to come from one of
your ISP's administrative accounts, claiming there is a problem
with your account and that a prompt response is required.
The response requested usually means providing personal
information about yourself that may then be used for identity
theft.
Vulnerable Systems
This worm only affects users running Windows 95, 98, NT, Me,
2000 or XP.
Impact
This virus scans a variety of files on your computer looking
for email addresses. It then mass mails itself to these "found"
email addresses, thereby spreading itself to other computers.
The virus also attempts to disable virus protection by terminating
anti-virus programs running on the infected computer.
Solutions
See Microsoft's Windows Update web site for easy updating of your
Microsoft software. Install a virus scanner to provide additional
protection. You may need to start your computer in safe mode for the
virus scanner to run successfully. Check your virus software
documentation for details on how to scan for and remove virus
infections.
For more information
Check the CERT Coordination Center for more information on this worm,
or check SVPAL's virus page for more general virus protection
information.
US-CERT Advisory
W32/Mytob Virus
added June 10, 2005 | updated June 10, 2005
US-CERT has received reports of three new variants of the W32/Mytob
virus. These variants, 'W32/Mytob.DP', 'W32/Mytob.DV', and
'W32/Mytob.DY', propagate via email and contain backdoor
functionality. As with many viruses, these variants rely on social
engineering to propagate. Specifically, the user must click on a link
or execute an attachment. In the case of W32/Mytob.DY, once a system
is infected, it may continue to propagate by exploiting several
vulnerabilities in Microsoft Windows. More information about these
vulnerabilities is available in the following US-CERT Vulnerability
Notes:
VU#753212 -
Microsoft Windows 2000 LSASS fails to properly handle certain LDAP
messages
VU#568148 - Microsoft Windows RPC vulnerable to buffer overflow
Microsoft has released patches to address these vulnerabilities in
Microsoft Security Bulletin MS03-026 and Microsoft Security Bulletin
MS04-011.
Although each variant has different functionality, the list
below contains a subset of the common characteristics of these
variants. Once a system is infected, the malicious code may:
- Modify the system registry to prevent the Windows XP built-in firewall from starting
- Attempt to harvest email addresses from files with a configurable list of file extensions
- Utilize its own SMTP engine to send itself to the harvested email addresses
- Modify the HOSTS file to prevent the computer from accessing certain security and commercial web sites
- Attempt to terminate a number of running processes, some of which are security related
- Open a backdoor on the system that allows the attacker to communicate remotely with the system via IRC. This may allow the attacker to upload and execute arbitrary code on the infected machine.
US-CERT strongly encourages users to install anti-virus software, and
keep its virus signature files up-to-date.
Additionally, US-CERT strongly encourages users not to follow unknown
links, even if sent by a known and trusted source.
You may also wish to visit US-CERT's computer virus resources page.