Spyware, Viruses, & Security forum

General discussion

VIRUS ALERTS - October 9, 2005

by roddy32 / October 9, 2005 3:02 AM PDT

W32/Mytob-EV

Aliases Net-Worm.Win32.Mytob.bi

Type Worm

W32/Mytob-EV is a mass-mailing worm and IRC backdoor Trojan.
W32/Mytob-EV runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Mytob-EV can spread by sending itself as an email attachment to email addresses harvested from the infected computer.
W32/Mytob-EV spoofs the sender's email address so that the sent email appears to be from the same domain from one of the following users:
admin
administrator
info
mail
register
service
support
webmaster
For example if sending itself to name@example.com, W32/Mytob-EV might send the email as if from admin@example.com.
Emails sent by the worm have characteristics from the following:
Subject lines:
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
or random characters.
Message text - one of the following:
Dear user <UserName>,
You have successfully updated the password of your <domain> account.
If you did not authorize this change or if you need assistance with your account, please contact <domain> customer service at: <sender@domain>
Thank you for using <domain>!
The <domaim> Support Team
+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>
Dear user <UserName>,
It has come to our attention that your <domain> User Profile ( x ) records are out of date. For further details see the attached document.
Thank you for using <domain>!
The <domain> Support Team
+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>
Dear <domain> Member,
We have temporarily suspended your email account <UserEmailAddress>.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
See the details to reactivate your <domain> account.
Sincerely,The <domain> Support Team
+++ Attachment: No Virus (Clean)
+++ <domain> Antivirus - www.<domain>
Dear <domain> Member,
Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to cancel your membership.
Virtually yours,
The <domain> Support Team
+++ Attachment: No Virus found
+++ <domain> Antivirus - www.<domain>
Attachment name:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
or random characters
File extension:
pif
scr
exe
cmd
bat
zip
The zip file will contain the worm with double extension. The first extension will be one of doc, htm, txt followed by spaces and the second extension is exe, scr or pif.
W32/Mytob-EV attempts to terminate a large number of processes related to security and anti-virus programs.
W32/Mytob-EV also modifies the Windows hosts file, in order to prevent access to certain websites.

http://www.sophos.com/virusinfo/analyses/w32mytobev.html

Discussion is locked
You are posting a reply to: VIRUS ALERTS - October 9, 2005
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: VIRUS ALERTS - October 9, 2005
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
Troj/RPSteal-A
by roddy32 / October 9, 2005 3:16 AM PDT

Aliases
Trojan-PSW.Win32.Stealer.i
PWS-RemotePassSteal

Type Spyware Trojan

Troj/RPSteal-A is a password-stealing Trojan for the Windows platform.
Troj/RPSteal-A logs keypresses and passwords. Stolen information may be sent by email to a remote user.

http://www.sophos.com/virusinfo/analyses/trojrpsteala.html

Collapse -
W32/Codbot-AC
by roddy32 / October 9, 2005 6:01 AM PDT

Aliases
Backdoor.Win32.Codbot.az
W32/Sdbot.worm.gen.w
W32.Spybot.Worm
WORM_SPYBOT.AJS

Type Worm

W32/Codbot-AC is a worm and IRC backdoor Trojan for the Windows platform.
W32/Codbot-AC runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

http://www.sophos.com/virusinfo/analyses/w32codbotac.html

Collapse -
W32/Gobot-H
by roddy32 / October 9, 2005 6:03 AM PDT
Collapse -
Troj/Dropper-BH
by roddy32 / October 9, 2005 6:07 AM PDT
Collapse -
W32/Gobot-J
by roddy32 / October 9, 2005 6:11 AM PDT

Aliases
Backdoor.Win32.Gobot.t
W32/Backdoor.BAD

Type Worm

W32/Gobot-J is a worm and IRC backdoor for the Windows platform.
W32/Gobot-J may spread to other network computers infected with worms of the W32/MyDoom family or by sending itself to other IRC users by DCC.

http://www.sophos.com/virusinfo/analyses/w32gobotj.html

Collapse -
Troj/PhClick-A
by roddy32 / October 9, 2005 6:19 AM PDT
Collapse -
Troj/PhClick-B
by roddy32 / October 9, 2005 6:21 AM PDT
Collapse -
Troj/Rider-Z
by roddy32 / October 9, 2005 6:23 AM PDT

Aliases
Exploit.HTML.Mht
Exploit-MhtRedir.gen
JS_DLOADER.P

Type Trojan

Troj/Rider-Z is a Trojan that attempts to download further malicious code.
The Trojan exploits a vulnerability associated with some versions of Microsoft Internet Explorer to load a malicious script (or HTML page containing a malicious script) via the DATA attribute of an OBJECT element.

http://www.sophos.com/virusinfo/analyses/trojriderz.html

Popular Forums
icon
Computer Newbies 10,686 discussions
icon
Computer Help 54,365 discussions
icon
Laptops 21,181 discussions
icon
Networking & Wireless 16,313 discussions
icon
Phones 17,137 discussions
icon
Security 31,287 discussions
icon
TVs & Home Theaters 22,101 discussions
icon
Windows 7 8,164 discussions
icon
Windows 10 2,657 discussions

Does BMW or Volvo do it best?

Pint-size luxury and funky style

Shopping for a new car this weekend? See how the BMW X2 stacks up against the Volvo XC40 in our side-by-side comparison.