Email Worm Alert Worm.Win32.Mytob.bd | W32.Mytob.DA@mm

Well Im sure theres a dozen ways to do this but I received an email form [email protected] saying...

Quote:

---

We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.

---

The attachment is labeled "email-info.zip" which contains 1 file cleverly labeled

PHP Code:

---

email-info.htm                                                                      .exe 


---

Seems theyve inserted lots of spaces so that you wont see the actual extension. I have scanned with Symantic which is updated and has found nothing. I have also scanned with AVG which only flags the fact that it has a hidden extension and nothing more. Ive spoken to a rep and it seems this has just started and may be a growing problem to be aware of anything similar then. I am currently taking a look on my Virtual Machine now...

Well I though it was odd that two scanners came up with nothing so I tried a different on also...

Kaspersky Online Virus Scanner

Quote:

---

Detection added Jun 02 2005
Behavior Net-Worm

Attention!
Kaspersky Anti-Virus has detected a virus in the file you have submitted.
Scanned file: email-info.zip
~ .exe - infected by Net-Worm.Win32.Mytob.bd

Statistics:
Known viruses: 132116 Updated: 02-06-2005
File size (Kb): 62 Virus bodies: 1
Files: 1 Warnings: 0
Archives: 1 Suspicious: 0

---

Closest thing Ive found on Symantec site

Quote:

---

Discovered on: June 02, 2005
Last Updated on: June 02, 2005 10:31:40 AM

W32.Mytob.DA@mm is a mass-mailing worm that has back door capabilities and uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer.

Also Known As: Win32.Mytob.DT [Computer Associates], Net-Worm.Win32.Mytob.bd [Kaspersky Lab], W32/Mytob.gen@MM [McAfee], W32/Mytob-P [Sophos], WORM_MYTOB.BY [Trend Micro]

Type: Worm
Infection Length: 62,464 bytes

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

---

http://[email protected]

It seems thats the one as it matches the name at Kapersky but hasnt been updated as of yet.

NOD32 found it. :01:

http://img140.echo.cx/img140/8657/my...hot68md.th.jpg

that was it stopping the file from being created by MSN.

as a rar file NOD32 didn't see it until i tried to extract.