Saturday, February 04, 2012
Welcome to the Viruswarning forums.  All your original content has been ported to the new forums as  well as new content and additional opportunities to interact with the authors of Viruswarn.com.  You can always access old content at www.leedrake.com/forum .  You may find some formatting was lost in the conversion and the older versions of the posts to be more readable....

But at least it's all here.

Enjoy!

  Viruswarn Forums
Subject: MYTob worm spreading rapidly

Author Messages
Lee Drake
Posts:238

03/31/2005 8:07 AM  
What it is

MYTOB is a new email worm, which exploits a recent Windows update to spread if it manages to execute on a system. A major difference of this worm versus others is that it has mutated rapidly. A number of new versions are coming out daily, making it difficult for virus signatures to keep up. The hope by the manufacturer is that releasing new versions frequently, some will slip by the virus defenses of your typical user.

The worm exploits the security bulletin released earlier in the year (MS04-011) to spread from one infected machine to others on the network, as well as using its own mail server to send out copies of itself. In extreme cases the worm may send out enough copies to slow down your network. Those that have been faithfully updating their Windows workstations will not be vulnerable to being infected over the net, but could still get the worm if they run the executable. The worm can infect any machine on the Windows 2000, 95, 98, ME, NT, 2003 or XP platforms.

Subjects of the email will be one of the following: hello, hi, error, status, test, mail transaction failed, mail delivery system, server report, blank or random characters. Do not go on this list alone, however, as mutations with different characteristics are literally coming out daily.

The worm once infected will send itself out to everyone in your address book, and will install trojan keylogging services and remote control services - allowing a distant user to gather information about you and take over your machine. Remember that lately the goal of worm writers has turned to gathering financial information to allow them to steal your identity.

What you should do

Maintain updated signature files, downloading updates daily for at least the next week. Symantec updates should be from Feb 27th for the original version, but later for new versions. McAfee DATs should be above 4438 (03/02), with the latest variants requiring 4457 (03/29).

Be sure you have all Windows Update patches applied - especially MS04-011.

Be suspicious of attachments in email messages that might sneak through your defenses.

If you are infected, or suspect you are, you should run either the Symantec or McAfee removal tools, and thoroughly scan your system with system restore turned off.

Further references

Symantec reference: http://securityresponse.symantec.com/avcenter/venc/data/w32.mytob@mm.html
McAfee reference: http://vil.nai.com/vil/content/v_132158.htm
Symantec MYTOB removal tool: http://www.sarc.com/avcenter/venc/data/w32.mytob@mm.removal.tool.html
McAfee Stinger: (at the date of this notice, Stinger does not remove MYTOB - watch for an update, or follow the removal instructions in the McAfee reference above).
Microsoft reference: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

This concludes this viruswarning notice.

Lee Drake
Aztek Computer Solutions, Inc.
274 N. Goodman St Suite B269
Rochester, NY 14607
the human side of computing
Email: ldrake@azcomputer.net
Web: www.azcomputer.net
Office Phone: 585-242-2060
Fax number: 585-242-9441
Lee Drake
Posts:238

03/31/2005 8:31 AM  
The above notice implies that the virus exploits a Microsoft patch - where in fact it exploits a vulnerability fixed by the MS04-011 patch. I apologize for any confusion. Credit should go to Brett for spotting the problem.
Copyright 2006 by OS-Cubed, Inc.   Terms Of Use  Privacy Statement