W32/Mytob Virus

graeme.hendry

I have been having a lot of trouble with viruses on our network. Our
email gets scanned by MessageLabs and the statistics have shown that
we are sending the following viruses from the network:

W32.mytob.bf
W32.mytob.gen-mm
W32.mytob.mm

We are also receiving spoofed email from within the network so I know
this virus is present. I have tried various methods such as McAfee
VirusScan, Stinger and Symantec's Mytob Virus Removal Tool as well as
the Microsoft Malicious Software Removal Tool but still can't get rid of
it.

Does anyone know how I can get rid of this, or have any
suggestions?

Thanks in advance
Mat

Don't worry 'bout it too much. I'm getting the same thing. I've scanned with 5
different antivirus programs. I'm deff clean. It's probably someone who's
infected with your email address. Not much you can do unless they clean their
PCs up, that's if they even bother to do virus scans. I've been blocking 'em in
Outlook Express now. They still come through but go straight to the Deleted
folder. I had the same sorta trouble with Swen when it first came out. However,
thankfully I ain't gettin' 200+ a day lol. Regards, Mat
Mat

I find it wrong really when those that bother to do virus scanning and
Ad-Aware scanning are the ones that suffer. I mean someone somewhere infected
causing problems for those who actually do take an interest in keeping their
PCs clean from this sorta junk.
Virus Guy

I have been having a lot of trouble with viruses on our network.

Is that the one that comes in via e-mail where the "From:" address is
a spoofed e-mail address of your own domain (like "(e-mail address removed)" or
"(e-mail address removed)" or "(e-mail address removed)")?

We've gotten a few of those so I added the above-mentioned e-mail
addresses to our e-mail server's blocked-list so any future attempts
for those e-mails to enter our network will be blocked. You might
want to do the same. I understand that there could be other addresses
(like "postmaster" and "Webmaster" which you could also block).
Mat

Yeah, that's the one. I've put 'em all on block like you said. However they still
come through but go straight to the Deleted Items folder in Outlook
Express. Cheers for the help.
Pablo Guildenstern

(e-mail address removed) says...
I have been having a lot of trouble with viruses on our network. Our
email gets scanned by MessageLabs and the statistics have shown that
we are sending the following viruses from the network:

W32.mytob.bf
W32.mytob.gen-mm
W32.mytob.mm

We are also receiving spoofed email from within the network so I know
this virus is present. I have tried various methods such as McAfee
VirusScan, Stinger and Symantec's Mytob Virus Removal Tool as well as
the Microsoft Malicious Software Removal Tool but still can't get rid of
it.

Does anyone know how I can get rid of this, or have any
suggestions?

Thanks in advance

You need to find the culprit machine(s) of course. Then a scan
from Safe Mode is usually enough, unless they have the very
newest variants. In which case:

* Boot into Safe Mode (press F8 during power-up to get this
  option)
* Run Regedit (type Regedit into the box provided by Start-Run
  and hit Return)
* Find the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run
* Delete any entry which has an http://... URL in it,
  noting the filename it points to
* Delete any entry WINDOWS SYSTEM, noting the filename it
  points to
* Do the same for the RunServices key a couple of entries
  below the Run key
* Search the registry for the filename(s) noted above and
  delete any entry containing it/them
* Find the key HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
* Change the value of the Start entry from 4 to 2
* Close Regedit
* Delete the file(s) noted above (files you may find
  include: xxx.exe, Lien.exe, "Lien vd Kelder.exe", "Lien Van de
  Kelder.exe", Lientjeuh.exe)
* Do a full antivirus scan of your C drive by starting your
  antivirus software from the Start-Programs menu
* Check the Hosts file at C:\Windows\system32\drivers\etc -
  the only entry starting "127.0.0.1" should be for "localhost";
  any other 127.0.0.1 lines can be deleted. Leave anything else
  alone!
* Re-boot

Don't forget to apply the 2x4 cluestick to the head of whoever
opened an unsolicited attachment.
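As an added example (not code from the thread), the Hosts file step above can be checked mechanically rather than by eye. The script below audits a hosts file the way the post describes: it reports every 127.0.0.1 line that names anything other than localhost and can emit a cleaned copy that leaves all other lines untouched. The sample file and its hostnames are constructed; on a real machine you would read C:\Windows\system32\drivers\etc\hosts instead.

```python
# Constructed sample hosts file: one legitimate line plus two rogue ones of
# the kind the post describes (real file: C:\Windows\system32\drivers\etc\hosts).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.av-vendor.example   # constructed rogue entry
127.0.0.1       update.example          # constructed rogue entry
192.168.1.10    fileserver              # unrelated: must be left alone
"""

def rogue_localhost_entries(hosts_text):
    """Return (line_no, line) for every 127.0.0.1 line that names anything
    other than localhost.  Blank lines, comment lines and inline comments
    are ignored, so a trailing '# ...' cannot hide a hostname."""
    rogue = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] != "127.0.0.1":
            continue
        if any(name.lower() != "localhost" for name in fields[1:]):
            rogue.append((line_no, raw.rstrip()))
    return rogue

def cleaned_hosts(hosts_text):
    """Return the file with only the rogue 127.0.0.1 lines removed; every
    other line, including non-loopback entries, is kept as-is."""
    drop = {line_no for line_no, _ in rogue_localhost_entries(hosts_text)}
    kept = [raw for line_no, raw in enumerate(hosts_text.splitlines(), start=1)
            if line_no not in drop]
    return "\n".join(kept) + "\n"
```

Review the reported lines before writing the cleaned copy back, since a rogue entry pointing a vendor's update host at loopback is exactly what stops the antivirus scan in the later step from updating.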
graeme.hendry

There are about 40 machines on the network though, as well as 6 servers.
It probably is on the email server, so is there such a thing as safe
mode for servers? If not, is it safe to go ahead and delete the
registry keys as mentioned above? The reason this is so important is that
all the users think that it is a big virus and keep putting pressure on
me to sort it out.
Pablo Guildenstern

(e-mail address removed) says...
There are about 40 machines on the network though, as well as 6 servers.
It probably is on the email server, so is there such a thing as safe
mode for servers? If not, is it safe to go ahead and delete the
registry keys as mentioned above? The reason this is so important is that
all the users think that it is a big virus and keep putting pressure on
me to sort it out.

It's very unlikely to be on the server(s). You get infected by
opening an attachment: human agency is normally required.
You ought to be able to find the infected machines by examining
the oldest IP address in the headers of the mail they send out.
They may also be trying to hit an IRC server on port 4512, so
you could watch for that.

I don't think it's that big a virus, but it does generate a lot
of network traffic, which is a pain. We had about 150 idiots
open the attachment here, despite all the warnings we've given
over the years.
Symantec keep updating the removal tool, so make sure you have
the latest version. Sophos have one too - search for Resolve at
www.sophos.com; it doesn't list many variants though.
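The header check suggested above, as an added example rather than anything posted in the thread: each relay prepends its own Received: header, so the last Received: header in the message is the oldest hop, and the first RFC 1918 address found reading from that hop upward is the LAN machine that handed the worm's mail to the first relay. The sample message, its hostnames and its addresses are constructed.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample with three hops (made-up hosts and addresses); the
# oldest hop, i.e. the last Received: header, is the infected PC.
SAMPLE_MESSAGE = """\
Received: from mx.example.test (mx.example.test [203.0.113.5])
\tby cluster.messagelabs.test with ESMTP; Tue, 5 Jul 2005 10:00:02 +0100
Received: from exch01.example.test ([192.168.10.4])
\tby mx.example.test with ESMTP; Tue, 5 Jul 2005 10:00:01 +0100
Received: from pc-reception ([192.168.10.57])
\tby exch01.example.test with SMTP; Tue, 5 Jul 2005 10:00:00 +0100
From: postmaster@example.test
To: someone@example.test
Subject: Your account has been suspended

body
"""

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def received_ips(raw_message):
    """Return the valid IPv4 addresses in each Received: header, oldest hop
    first (each relay prepends its header, so message order is reversed)."""
    msg = message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        ips = []
        for candidate in IPV4_RE.findall(header):
            try:
                ips.append(str(ipaddress.IPv4Address(candidate)))
            except ipaddress.AddressValueError:
                continue  # e.g. "999.1.1.1" or a date fragment
        hops.append(ips)
    return hops

def originating_internal_ip(raw_message):
    """Walk the hops oldest to newest and return the first RFC 1918 address:
    the LAN machine that handed the mail to the first relay, or None."""
    for ips in received_ips(raw_message):
        for ip in ips:
            if any(ipaddress.ip_address(ip) in net for net in RFC1918):
                return ip
    return None  # no private hop: the mail came from outside the LAN
```

Run it over the bounce or quarantine copies MessageLabs returns; a spoofed From: address tells you nothing, but the oldest Received: hop is written by your own relay and points at the workstation to take off the network.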
Norman L. DeForest

Is that the one that comes in via e-mail where the "From:" address is
a spoofed e-mail address of your own domain (like "(e-mail address removed)" or
"(e-mail address removed)" or "(e-mail address removed)")?

We've gotten a few of those so I added the above-mentioned e-mail
addresses to our e-mail server's blocked-list so any future attempts
for those e-mails to enter our network will be blocked. You might
want to do the same. I understand that there could be other addresses
(like "postmaster" and "Webmaster" which you could also block).

Here's the list of role addresses forged by Mytob that I have collected:

1. admin
2. administrator
3. info
4. mail
5. register
6. service
7. staff
8. support
9. webmaster

I have personally encountered all except "staff", which has been reported by
a third party.
Mat

Yeah, I've had all them myself. Touch wood, I'm gettin' a lot less of them
today than recent days. Perhaps tomorrow I won't get any lol