Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | July 2005 (3.95) |
| Protection available since | 14 May 2005 15:56:09 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
and remove any reference to any file you deleted.
Close the registry editor.
More Information
W32/Mytob-AZ is a mass-mailing worm and backdoor Trojan which allows a remote intruder to gain access and control over the computer via IRC channels.
When first run, W32/Mytob-AZ copies itself to <SYSTEM>\LienVandeKelder.exe.
W32/Mytob-AZ creates the following registry entries so that the worm is run when a user logs on to Windows:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
http://www.lienvandekelder.be
"LienVandeKelder.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
http://www.lienvandekelder.be
"LienVandeKelder.exe"
W32/Mytob-AZ attaches itself to emails with the following characteristics:
Subject lines:
*IMPORTANT* Please Validate Your Email Account
*IMPORTANT* Your Email Account Has Been Locked
Email Account Suspension
Your Email Account is Suspended For Security Reasons
Security Measures
Notice:***Your email account will be suspended***
Your email account access is restricted
Notie:***Last Warning***
Message texts:
"To safeguard your email account from possible termination, please see the attached file."
"Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal."
"We have suspended some of your email services, to resolve the problem you should read the attached document."
"please look at attached document."
"Account Information Are Attached!"
"Follow the instructions in the attachment."
Attached files will have the extension ZIP, EXE, PIF, SCR or CMD and one of the following basenames:
email-text
document_full
information
info-text
Your_details
IMPORTANT
email-info
email-doc
INFO
Occasionally the subject line, message text and attachment name will consist of a random set of characters.
W32/Mytob-AZ modifies the HOSTS file, changing the URL to IP mappings for selected websites, thus preventing normal access to these sites.
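As an added example (not Sophos code or tooling), the following Python script checks the two persistence and tampering changes described above from a defender's side: it scans a Regedit export for Run/RunServices values whose data launches LienVandeKelder.exe, and lists every HOSTS mapping beyond the stock localhost lines so they can be compared with a backup. The registry export and HOSTS contents are constructed samples, and the `example-av-vendor.test` hostnames are placeholders because the page does not name the sites the worm remaps.

```python
import re

# Constructed sample inputs (not taken from the advisory): an export of the two
# HKLM Run keys as Regedit writes them, and a HOSTS file with two added lines.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"http://www.lienvandekelder.be"="LienVandeKelder.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"http://www.lienvandekelder.be"="LienVandeKelder.exe"
"""

SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.example-av-vendor.test   # constructed override (placeholder host)
127.0.0.1       update.example-av-vendor.test
"""

WORM_FILE = "lienvandekelder.exe"   # dropped copy named in the advisory
RUN_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunServices")

def find_worm_run_entries(reg_text):
    """Return (key, value_name, data) for Run/RunServices values whose data names the worm file."""
    hits = []
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                 # a new key section begins
            continue
        m = re.match(r'"([^"]*)"="(.*)"$', line)
        if m and key and key.endswith(RUN_KEYS) and WORM_FILE in m.group(2).lower():
            hits.append((key, m.group(1), m.group(2)))
    return hits

def hosts_overrides(hosts_text):
    """Return (ip, hostname) for every HOSTS mapping other than the stock localhost lines."""
    overrides = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        overrides += [(ip, n) for n in names if n.lower() != "localhost"]
    return overrides

if __name__ == "__main__":
    for hit in find_worm_run_entries(SAMPLE_REG):
        print("autorun entry:", hit)
    for ip, host in hosts_overrides(SAMPLE_HOSTS):
        print("HOSTS override:", ip, host)
```

On a real machine, feed it the output of `reg export` for the two keys listed in the Action section and the contents of `<SYSTEM>\drivers\etc\hosts`; any HOSTS mapping it reports that is not in your backup is a candidate for removal.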
