             AUSCERT External Security Bulletin Redistribution

           ESB-2005.0415 -- Trend Micro medium risk virus alert
                   Increased Mytob mass mailer activity
                                2 June 2005


        AusCERT Security Bulletin Summary

Publisher:         Trend Micro
Operating System:  Windows
Impact:            Execute Arbitrary Code/Commands
                   Reduced Security
Access:            Remote/Unauthenticated

Original Bulletin:


- --------------------------BEGIN INCLUDED TEXT--------------------

As of May 31, 2005 9:11 AM PDT (Pacific Daylight Time), TrendLabs has declared
a Medium Risk Virus Alert to control the spread of WORM_MYTOB.BI. TrendLabs has
received several infection reports indicating that this malware is spreading in
Belgium, Japan, Korea, India, United States, United Kingdom, and Germany. 

Similar to other MYTOB variants, this memory-resident worm propagates by
sending a copy of itself as an attachment (file size is around 29,868 to 29,882
bytes) to an email message, which it sends to target recipients using its own
Simple Mail Transfer Protocol (SMTP) engine. Upon execution, it drops a copy of
itself using the file name LIEN VAN DE KELDERRR.EXE in the Windows system

The email message it sends has the following details:

Subject: (any of the following)

 - {Random}
 - *DETECTED* Online User Violation
 - *IMPORTANT* Please Validate Your Email Account
 - *IMPORTANT* Your Account Has Been Locked
 - *WARNING* Your Email Account Will Be Closed
 - Account Alert
 - Email Account Suspension
 - Important Notification
 - Notice of account limitation
 - Notice: **Last Warning**
 - Notice:***Your email account will be suspended***
 - Security measures
 - Your email account access is restricted
 - Your Email Account is Suspended For Security Reasons

Message body: (any of the following)

 - Once you have completed the form in the attached file , your account records
   will not be interrupted and will continue as normal.
 - please look at attached document.
 - Please read the attached document and follow it's instructions.
 - Please see the attachement.
 - The original message has been included as an attachment.
 - To safeguard your email account from possible termination, please see the
   attached file.
 - To unblock your email account acces, please see the attachement.
 - We attached some important information regarding your account.
 - We have suspended some of your email services, to resolve the problem you
   should read the attached document.
 - We regret to inform you that your account has been suspended due to the
   violation of our site policy, more info is attached.

Attachment: (any combination of the following file names and extensions)

File name: (any of the following)
 - {random}
 - account-details
 - document
 - document_full
 - email-doc
 - email-info
 - info
 - information
 - info-text
 - instructions
 - your_details

Extension: (any of the following)
 - BAT
 - CMD
 - EXE
 - PIF
 - SCR
 - ZIP

It gathers target email addresses from the Temporary Internet Files folder,
Windows address book (WAB), as well as from files with certain extension names.
It may also generate email addresses by using a list of names and any of the 
domain names of the previously gathered addresses. 
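As an added example (not part of the Trend Micro or AusCERT text), the following mail-gateway triage check is built from the subject, file-name, extension and attachment-size indicators listed above; the message it inspects is constructed here for illustration, and the "{random}" forms are assumed to be catchable only through the extension and size checks.

```python
import email
import os
from email.message import EmailMessage

# Indicator lists copied from the bulletin. The {random} subject and file name
# cannot be string-matched; they are caught only by the extension and size checks.
SUBJECTS = {
    "*DETECTED* Online User Violation", "*IMPORTANT* Please Validate Your Email Account",
    "*IMPORTANT* Your Account Has Been Locked", "*WARNING* Your Email Account Will Be Closed",
    "Account Alert", "Email Account Suspension", "Important Notification",
    "Notice of account limitation", "Notice: **Last Warning**",
    "Notice:***Your email account will be suspended***", "Security measures",
    "Your email account access is restricted",
    "Your Email Account is Suspended For Security Reasons",
}
STEMS = {"account-details", "document", "document_full", "email-doc", "email-info",
         "info", "information", "info-text", "instructions", "your_details"}
EXTENSIONS = {"bat", "cmd", "exe", "pif", "scr", "zip"}
SIZE_RANGE = (29_868, 29_882)  # attachment size range quoted in the bulletin


def triage(raw: bytes) -> list:
    """Return the sorted list of MYTOB.BI indicators matched by one RFC 822 message."""
    msg = email.message_from_bytes(raw)
    hits = set()
    if (msg.get("Subject") or "").strip() in SUBJECTS:
        hits.add("subject")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # multipart container or inline text body, not an attachment
        stem, ext = os.path.splitext(name)
        if ext.lstrip(".").lower() in EXTENSIONS:
            hits.add("extension")
        if stem.lower() in STEMS:
            hits.add("filename")
        payload = part.get_payload(decode=True) or b""  # decoded attachment bytes
        if SIZE_RANGE[0] <= len(payload) <= SIZE_RANGE[1]:
            hits.add("size")
    return sorted(hits)


def sample_message(subject: str, filename: str, size: int) -> bytes:
    """Constructed test message (not a real capture) carrying one binary attachment."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("Please read the attached document and follow it's instructions.")
    msg.add_attachment(b"\x00" * size, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

A real gateway would treat any single hit on the extension or size checks as worth quarantining, since the randomised variants never match the subject or file-name lists.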

This worm also takes advantage of the LSASS vulnerability to propagate. For 
more information about the said vulnerability, please refer to the following
Microsoft Web page:


It opens a random port, allowing a remote user to access and perform malicious
commands on affected machines. The said routine provides the remote user
virtual control over affected systems, thus compromising system security.

Moreover, it prevents affected users from accessing several antivirus and 
security Web sites by redirecting the connection to the local machine. It also
terminates several processes.

This worm also downloads a file, which Trend Micro detects as TSPY_AGENT.H. 
The downloaded file then drops an adware that Trend Micro detects as 

It affects Windows 98, ME, NT, 2000, and XP.

TrendLabs will be releasing the following EPS deliverables:

TMCM Outbreak Prevention Policy 178 (Uploaded)
Control Pattern Release 2.650.05 (Uploaded)
Official Pattern Release 2.651.00 (ETA 1 hour)
Damage Cleanup Template 603.03 (Uploaded)
Official DCT 604 (ETA 1 hour 30 minutes)

For more information on WORM_MYTOB.BI, you can visit our Web site at:

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

Comment: http://www.auscert.org.au/render.html?it=1967