
Email Worm Alert: Worm.Win32.Mytob.bd | W32.Mytob.DA@mm



RealitY
06-02-2005, 06:14 PM
Well, I'm sure there's a dozen ways to do this, but I received an email from [email protected] saying...

We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.

The attachment is labeled "email-info.zip" which contains 1 file cleverly labeled

email-info.htm .exe
It seems they've inserted lots of spaces so that you won't see the actual extension. I have scanned with Symantec, which is updated, and it has found nothing. I have also scanned with AVG, which only flags the fact that it has a hidden extension and nothing more. I've spoken to a rep and it seems this has just started and may be a growing problem, so be aware of anything similar. I am currently taking a look on my Virtual Machine now...
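The padded double extension described in this post is easy to check for on the mail gateway before a user ever sees the attachment. The following is an added example, not code from the thread or from any of the scanners mentioned: it opens a zip attachment and flags member names where a decoy extension is followed by a run of spaces and then an executable extension. The sample zip and its member names are constructed for the demonstration.

```python
import io
import re
import zipfile

# Extensions Windows will run on double-click (assumed list, extend as needed).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Harmless-looking extensions the padded name tries to impersonate.
DECOY_EXTS = {".htm", ".html", ".txt", ".doc", ".pdf", ".jpg"}

# Decoy extension, then two or more spaces, then the real extension at the end.
DISGUISE_RE = re.compile(r"(\.[A-Za-z0-9]{1,5})( {2,})(\.[A-Za-z0-9]{1,4})$")


def suspicious_member_names(zip_bytes):
    """Return zip member names that use the space-padded double-extension trick."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            m = DISGUISE_RE.search(name)
            if m is None:
                continue
            decoy, real = m.group(1).lower(), m.group(3).lower()
            if decoy in DECOY_EXTS and real in EXECUTABLE_EXTS:
                hits.append(name)
    return hits


def build_sample_zip():
    """Constructed sample: one padded-name member plus one benign member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Mimics the "email-info.htm          .exe" name from the post (no real payload).
        zf.writestr("email-info.htm" + " " * 40 + ".exe", b"MZ placeholder bytes")
        zf.writestr("readme.txt", b"harmless")
    return buf.getvalue()


if __name__ == "__main__":
    for name in suspicious_member_names(build_sample_zip()):
        print("suspicious attachment member:", repr(name))
```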

RealitY
06-02-2005, 06:33 PM
Well, I thought it was odd that two scanners came up with nothing, so I tried a different one also...

Kaspersky Online Virus Scanner

Detection added Jun 02 2005
Behavior Net-Worm

Attention!
Kaspersky Anti-Virus has detected a virus in the file you have submitted.
Scanned file: email-info.zip
~ .exe - infected by Net-Worm.Win32.Mytob.bd

Statistics:
Known viruses: 132116 Updated: 02-06-2005
File size (Kb): 62 Virus bodies: 1
Files: 1 Warnings: 0
Archives: 1 Suspicious: 0

Closest thing Ive found on Symantec site

Discovered on: June 02, 2005
Last Updated on: June 02, 2005 10:31:40 AM

W32.Mytob.DA@mm is a mass-mailing worm that has back door capabilities and uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer.

Also Known As: Win32.Mytob.DT [Computer Associates], Net-Worm.Win32.Mytob.bd [Kaspersky Lab], W32/Mytob.gen@MM [McAfee], W32/Mytob-P [Sophos], WORM_MYTOB.BY [Trend Micro]

Type: Worm
Infection Length: 62,464 bytes

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

It seems that's the one, as it matches the name at Kaspersky, but it hasn't been updated as of yet.

tesco
06-02-2005, 07:27 PM
NOD32 found it.

http://img140.echo.cx/img140/8657/myscreenshot68md.th.jpg (http://img140.echo.cx/my.php?image=myscreenshot68md.jpg)

That was it stopping the file from being created by MSN.

As a rar file NOD32 didn't see it until I tried to extract.