New (?) virus being circulated via e-mail (Mytob or Mydoom)

Posted by Virus Guy on July 9, 2005, 10:08 pm
Within the past few hours I got an e-mail that came from
210.214.168.103 (dialpool-210-214-168-103.maa.sify.net) which is
Satyam Infoway Pvt.Ltd. a "Value Added Network service provider in
India".

Here is the body of the e-mail:

-------------------
Subject: Your new account password is approved

Dear user (valid account name within my-domain),

You have successfully updated the password of your (my-domain)
account.

Please view the attached file for more information.

If you did not authorize this change or if you need assistance with
your account, please contact (my-domain) customer service at:
support@(my-domain).com

Thank you for using (my-domain)!
The (My-domain) Support Team

Attachment: Scan Complete (0 Virus Found)
+++ (my-domain) Antivirus - www.(my-domain).com

updated-password.zip

Name: updated-password.zip
Type: Zip Compressed Data (application/x-zip-compressed)
Encoding: base64
-----------------------

Inside the zip attachment is a single file called
"updated-password.txt.exe". I have edited the file name. In the
original name, there are about 20 spaces (or more) between ".txt" and
".exe".

Clearly they are using pretty strong social engineering tactics to get
the recipient to open the mail (and their string-parser didn't fuck up
on them too).

Some AV software is calling it Mytob.??, where ?? is FB or QO or bi or
HE. It's also being called MyDoom.58 by clam. Here are the results:

This is a report processed by VirusTotal on 07/10/2005 at 03:37:07
(CET) after scanning the file "updated-password.txt.exe".

Antivirus     Version         Update      Result

AntiVir       6.31.0.9        07.09.2005  no virus found
AVG           718             07.08.2005  I-Worm/Mytob.QO
Avira         6.31.0.9        07.09.2005  no virus found
BitDefender   7.0             07.09.2005  Win32.Worm.Mytob.FB
ClamAV        devel-20050501  07.08.2005  Worm.Mytob.GH
DrWeb         4.32b           07.08.2005  Win32.HLLM.MyDoom.58
eTrust-Iris   7.1.194.0       07.08.2005  no virus found
eTrust-Vet    11.9.1.0        07.08.2005  no virus found
Fortinet      2.36.0.0        07.09.2005  suspicious
Ikarus        2.32            07.08.2005  no virus found
Kaspersky     4.0.2.24        07.10.2005  Net-Worm.Win32.Mytob.bi
McAfee        4531            07.08.2005  no virus found
NOD32v2       1.1164          07.08.2005  Win32/Mytob.HE
Norman        5.70.10         07.07.2005  W32/Suspicious_M.gen
Panda         8.02.00         07.09.2005  no virus found
Sybari        7.5.1314        07.10.2005  Net-Worm.Win32.Mytob.bi
Symantec      8.0             07.09.2005  no virus found
TheHacker     5.8.2.069       07.10.2005  no virus found
VBA32         3.10.4          07.09.2005  Net-Worm.Win32.Mytob.bi

I've verified that Norton (my version of NAV 2002) is not detecting a
threat from this file. The corporate version of NAV running on our
mail server also didn't see this as a threat.

Using a text editor, I can see the following readable text fragments:

Winsock, kernel32.dll LoadLibraryA GetProcAddress

(that's about it).

The file is 40,147 bytes, and has today's date (5:02:36 pm).
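The padded filename trick described in the post above (a decoy ".txt" followed by a run of spaces and then the real ".exe") is cheap to check for at a mail gateway before any signature engine gets involved. The following is an added example and not code from the original post: it builds a constructed zip containing a harmless empty file named the way the post describes, then flags any archive member whose real extension is executable or whose name uses whitespace padding between two extensions. The executable-extension list and the threshold of two or more padding characters are assumptions for illustration.

```python
import io
import re
import zipfile

# Extensions Windows will run on double-click. Assumed list for this example,
# not something taken from the post.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# A short decoy extension, then two or more spaces/tabs/NBSPs, then the real
# extension at the end of the name, e.g. "updated-password.txt<spaces>.exe".
PADDED_DOUBLE_EXT = re.compile(r"\.(\w{1,5})[ \t\u00a0]{2,}\.(\w{1,5})$")


def analyze_member_name(name: str) -> dict:
    """Return findings for one archive member name (directory part ignored)."""
    base = name.rsplit("/", 1)[-1]
    stripped = base.rstrip()
    final_ext = "." + stripped.rsplit(".", 1)[-1].lower() if "." in stripped else ""
    match = PADDED_DOUBLE_EXT.search(base)
    return {
        "name": base,
        "final_extension": final_ext,
        "is_executable": final_ext in EXECUTABLE_EXTENSIONS,
        "padded_double_extension": match is not None,
        "decoy_extension": ("." + match.group(1).lower()) if match else None,
        # Either condition alone is enough to quarantine the attachment.
        "suspicious": final_ext in EXECUTABLE_EXTENSIONS or match is not None,
    }


def scan_zip_attachment(data: bytes) -> list:
    """Inspect every member name in a zip attachment without extracting anything."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [analyze_member_name(info.filename) for info in zf.infolist()]


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the post's updated-password.zip.

    The suspicious member is an empty file with the padded name; the second
    member is a plain text file to show the check does not flag everything.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("updated-password.txt" + " " * 20 + ".exe", b"")
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_attachment(build_sample_attachment()):
        print(finding)
```

Checking the name inside the archive matters because the outer attachment ("updated-password.zip") looks innocuous on its own; a gateway rule that only examines the MIME attachment name would pass it. Note that the check uses the stripped final extension, so a name that hides ".exe" behind trailing whitespace alone is still classified as executable.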


Posted by Beauregard T. Shagnasty on July 10, 2005, 4:10 am
Virus Guy wrote:
> Within the past few hours I got an e-mail that came from
> 210.214.168.103 (dialpool-210-214-168-103.maa.sify.net) which is
> Satyam Infoway Pvt.Ltd. a "Value Added Network service provider in
> India".

This is the same one I was getting, referenced in the thread:
"How to notify an infected broadband user"
My web host's a-v dubbed it "Worm.Mytob.T-2"

--
-bts
-This space intentionally left blank.

