Mytob worm

jon

I seem to have picked up a worm about 3 weeks ago. It is
sending out 1 or 2 random emails a day. Fortunately, gmail
is returning the messages to me and not forwarding. I am
running MS Antispyware, Xoftspy Antispyware, ZoneAlarm Pro
firewall and Fprot antivirus. None of these fine products
are able to detect this worm. Does anyone know how to
get rid of this thing, short of replacing the hard drive?
HELP!!!!

Below is the text of the email that is being sent. It also
contains 2 attachments, 1 is a text file and the other is
a 43kb zip file.

The original message was received at Sat, 9 Jul 2005 06:11:28 -0400 from [208.253.224.254]

----- The following addresses had permanent fatal errors -----
<[email protected]>
(reason: 550 5.7.1 Content-Policy reject msg: Message rejected. Infected with Worm.Mytob.GH; S377959AbVGIKLa)

----- Transcript of session follows -----
... while talking to [216.219.253.216]:
<<< 550 5.7.1 Content-Policy reject msg: Message rejected. Infected with Worm.Mytob.GH; S377959AbVGIKLa
554 5.0.0 Service unavailable
 
Tom Emmelot

Hello Jon,

Look here:

http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=Mytob.GH&alt=Mytob.GH

Regards >*< TOM >*<

AndyManchesta

Hi Jon

The problem with Mytob is the amount of variants going
round. There is a removal tool from Symantec for Mytob, but
if you have any of the variants which have come out in
the last 3 weeks the removal tool may not clean it.

Give it a try in safe mode and see if it clears the
problem:

http://securityresponse.symantec.com/avcenter/FixMytob.exe

Download to desktop, reboot into safe mode (reboot and keep
tapping F8, then choose safe mode from the list), then
double click the fix tool to run it.

If it clears the worm, then clear your system restore
points and create a fresh restore to remove any traces of
the infection from the restore area. Post back if you need
any help with that.

If the removal tool doesn't clear it, can you post the full
contents of the emails that are being sent from your PC,
as this could give a clue to which variant it is. The
removal tool will clean all these variants:

W32.Mytob@mm
W32.Mytob.B@mm
W32.Mytob.L@mm
W32.Mytob.M@mm
W32.Mytob.R@mm
W32.Mytob.U@mm
W32.Mytob.V@mm
W32.Mytob.AG@mm
W32.Mytob.AH@mm
W32.Mytob.AS@mm
W32.Mytob.BE@mm
W32.Mytob.BV@mm
W32.Mytob.CF@mm
W32.Mytob.CH@mm
W32.Mytob.CU@mm
W32.Mytob.CY@mm
W32.Mytob.DA@mm
W32.Mytob.DB@mm
W32.Mytob.DF@mm
W32.Mytob.DJ@mm
W32.Mytob.DL@mm
W32.Mytob.DP@mm
W32.Mytob.DV@mm
W32.Mytob.EB@mm
W32.Mytob.EC@mm
W32.Mytob.ED@mm
W32.Mytob.EE@mm
W32.Mytob.EG@mm

But the bad news is there are at least another 30 variants
that have been released in the last few weeks.

Another way of finding out the variant is by running some
online virus scanners:

Trend Micro

http://housecall.antivirus.com/

E Trust

http://www3.ca.com/virusinfo/virusscan.aspx

Rav

http://www.ravantivirus.com/scan/

Panda

http://www.pandasoftware.com/activescan/

Bitdefender

http://www.bitdefender.com/scan8/ie.html

Symantec's Security Check & Virus scanner

http://security.symantec.com/default.asp?productid=symhome&langid=ie&venid=sym




Good Luck

Andy
 
Bill Sanderson

Don't assume that you are infected simply because you are seeing bounces or
returns with your email address on them.

It is good to sit up and take notice, and do a full scan with an updated
antivirus.

Check that F-secure is up to date, and detects this bug (I'm quite sure that
it does)--do a scan, and trust that result.

If you are in doubt, use a competitor's online scanner as a check:

http://housecall.trendmicro.com

If these both come through clean, I'd stop worrying about it. Many current
viruses forge email addresses, using a variety of sources, or simply making
them up.
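
An added example, not part of any poster's message: one way to check the point above is to read the bounce itself, which names the IP that handed over the infected message, and compare it with your own address. The function names and the networks passed to `classify` are assumptions made for this sketch, and the "received from" address can be an ISP relay rather than the infected PC.

```python
import ipaddress
import re

# Bounce text as quoted in this thread (the forum-redacted recipient line is omitted).
BOUNCE = """\
The original message was received at Sat, 9 Jul 2005 06:11:28 -0400 from [208.253.224.254]

----- The following addresses had permanent fatal errors -----
(reason: 550 5.7.1 Content-Policy reject msg: Message rejected. Infected with Worm.Mytob.GH; S377959AbVGIKLa)

----- Transcript of session follows -----
... while talking to [216.219.253.216]:
<<< 550 5.7.1 Content-Policy reject msg: Message rejected. Infected with Worm.Mytob.GH; S377959AbVGIKLa
554 5.0.0 Service unavailable
"""

RECEIVED_RE = re.compile(r"received at (?P<when>.+?) from \[(?P<ip>[0-9a-fA-F.:]+)\]", re.S)
TALKING_RE = re.compile(r"while\s+talking to \[(?P<ip>[0-9a-fA-F.:]+)\]")
REJECT_RE = re.compile(
    r"(?P<code>[45]\d\d) (?P<status>\d\.\d+\.\d+) .*?Infected with\s+(?P<name>[\w.\-@]+)", re.S)


def parse_bounce(text):
    """Extract the submitting IP, the rejecting host, SMTP codes and the detection name."""
    recv, talk, rej = RECEIVED_RE.search(text), TALKING_RE.search(text), REJECT_RE.search(text)
    return {
        "received_at": " ".join(recv["when"].split()) if recv else None,
        "submitted_from": ipaddress.ip_address(recv["ip"]) if recv else None,
        "rejected_by": ipaddress.ip_address(talk["ip"]) if talk else None,
        "smtp_code": rej["code"] if rej else None,
        "enhanced_status": rej["status"] if rej else None,
        "detection": rej["name"] if rej else None,
    }


def classify(report, my_networks):
    """Report whether the infected message was submitted from one of our own networks."""
    src = report["submitted_from"]
    if src is None:
        return "unknown"
    nets = [ipaddress.ip_network(n) for n in my_networks]
    return "sent-from-my-network" if any(src in n for n in nets) else "not-from-my-network"
```

A result of `not-from-my-network` supports the forged-sender explanation; `sent-from-my-network` means the scan results deserve a second look.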


