Panda Virus Alert: two new MytoB variants

Discussion in 'malware problems & news' started by Randy_Bell, Jun 2, 2005.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    - TruPrevent(TM) Technologies neutralize two new variants
    of Mytob without previous identification -
    Virus Alerts, by Panda Software (http://www.pandasoftware.com)

    MADRID, June 2 2005 - According to PandaLabs, two new and potentially dangerous variants of the Mytob worms, -EC and EB-, are spreading via email around the world. The TruPrevent(TM) proactive detection technologies developed by Panda Software to detect and block unknown malware, have been effective in preventing attacks from this malicious code, so users who have these technologies installed on their computers have been protected from the outset, unlike those with traditional antivirus products, who would have to wait up to several hours for the update of the signature file.

    In this case, the need to use proactive technologies such as TruPrevent(TM) is even more pressing, as these variants of Mytob are designed to prevent antivirus products installed on a computer from updating, and if successful will leave users unprotected against this threat. In order to block these updates, the worms modify the system HOSTS file.

    When they run, these two malware variants terminate all types of processes to avoid being detected. They also open a backdoor on the computer to allow the entry of commands and files sent by a remote user through IRC channels, and therefore this multi-purpose malware is potentially very dangerous.

    These worms employ the usual email techniques in order to spread: sending themselves to addresses that they get from certain files within the infected computer, and including the virus itself in a compressed ZIP attachment, in a message which is normally in English, warning of the closure of email accounts and asking the potential victim to open the attached ZIP file to continue using the supposed account.

    "We are increasingly seeing new variants of malware that include both the termination of processes associated with antivirus products, and the blocking of the computer's communication with certain websites, such as those through which the antivirus is updated", explains Luis Corrons, director of PandaLabs. "For this reason, the barrier provided by proactive technologies is vital, as they don't need to be updated for every new example of malware in order to be effective. The idea is to be one step ahead in terms of antivirus protection, based on interception and prevention."

    The effectiveness against new malware of traditional antiviruses depends on the reaction time of security companies and of users, and therefore when dealing with a rapidly spreading malicious code, the chances of a computer being infected -even with an updated antivirus installed- are very high. The solution to this problem involves using proactive solutions, such as TruPrevent(TM) Technologies, which detect and block unknown malware without having previously identified it.

    According to Luis Corrons: "TruPrevent(TM) Technologies determine the presence of malware by analyzing its behavior. These innovative technologies monitor the actions taken by an application, and if -collectively- they could be damaging to the system, it blocks them and sends the suspicious file to PandaLabs, where the potential threat is analyzed in-depth and if necessary the corresponding vaccine is generated. TruPrevent(TM) Technologies are not a substitute for traditional antiviruses but a complement, and correspond to the strategy of Panda Software of obtaining the highest possible levels of security against Internet threats using a combination of technologies.

    "Since they were launched in August 2004 TruPrevent(TM) Technologies have detected more than 6000 examples of previously unknown malware. This also enables us to be the fastest in generating vaccines against new malware for our traditional antivirus solutions", concludes Corrons.

    Panda Software's clients can already access the updates for installing the new TruPrevent(tm) Technologies along with their antivirus protection, providing a preventive layer of protection against new malware. For users with a different antivirus program installed, Panda TruPrevent(tm) Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the new virus is still being studied and the corresponding update is incorporated into traditional antivirus programs, decreasing the risk of infection. More information about TruPrevent(tm) Technologies is available at: www.pandasoftware.com/truprevent

    In order to help as many users as possible scan and disinfect their computers, Panda Software offers Panda ActiveScan, free of charge, at http://www.pandasoftware.com.

    For further information about the malicious code mentioned above, visit Panda Software's Virus Encyclopedia at http://www.pandasoftware.com/virus_info/encyclopedia/.
     
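The alert above says the worms block antivirus updates by editing the Windows HOSTS file. As an added example (not part of the Panda alert or this post), here is a small audit script that parses a HOSTS file and flags any entry overriding a vendor or update hostname; the vendor list and the sample HOSTS content are constructed for illustration, and the default Windows path is the standard one.

```python
"""Flag HOSTS entries that would silently block antivirus/OS updates."""
import ipaddress
import sys

# Constructed, illustrative watchlist of vendor/update domains (not exhaustive).
WATCHED_SUFFIXES = (
    "pandasoftware.com", "trendmicro.com", "symantec.com", "mcafee.com",
    "sophos.com", "kaspersky.com", "windowsupdate.com", "microsoft.com",
)

# Constructed sample: one legitimate line, then the kind of redirects an
# update-blocking worm writes (loopback or 0.0.0.0 for vendor hosts).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1   www.pandasoftware.com
127.0.0.1   liveupdate.symantec.com   # appended by malware
0.0.0.0     update.trendmicro.com
192.168.0.5 intranet.example.test
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments, blanks and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                          # not a valid address; skip
        entries.extend((ip, name.lower()) for name in names)
    return entries

def is_watched(hostname):
    """True if hostname is, or is a subdomain of, a watched vendor domain."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)

def find_update_blocks(text):
    """Return (ip, hostname, reason) for every watched hostname found in HOSTS.
    Any override of a vendor host is suspicious; loopback/0.0.0.0 is the
    classic update-blocking pattern, other addresses are a redirect."""
    hits = []
    for ip, name in parse_hosts(text):
        if is_watched(name):
            addr = ipaddress.ip_address(ip)
            reason = "blocked" if (addr.is_loopback or addr.is_unspecified) else "redirected"
            hits.append((ip, name, reason))
    return hits

if __name__ == "__main__":
    # Pass a path (e.g. C:\Windows\System32\drivers\etc\hosts) or audit the sample.
    data = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for ip, name, reason in find_update_blocks(data):
        print(f"{reason:10} {name:35} -> {ip}")
```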
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,768
    Location:
    Texas
    Hackers plot to create massive botnet

    Story
     
  3. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    TrendMicro: WORM_MYTOB.AR & WORM_MYTOB.BI

    Trend Micro raised two MYTOB variants to yellow alert status this week – WORM_MYTOB.AR and WORM_MYTOB.BI. These are the third and fourth variants of the ever-popular family of worms to reach the alert stage. Both worms are currently spreading in-the-wild. WORM_MYTOB.AR infects computers that run on Windows 98, ME, 2000, and XP. WORM_MYTOB.BI infects computers that run on Windows 98, ME, NT, 2000, and XP.

    It has only been 90 days since antivirus experts detected the first variant of the MYTOB family of worms. Yet, since its detection on February 27, 2005, WORM_MYTOB has managed to register nearly 120 new variants and is responsible for more than 65,000 worldwide infections.

    These worms are nearly identical to previous MYTOB variants, which use the classic social engineering technique of posing as an e-mail administrator to entice users to execute the attachment in the mail. The malware attempts to fool the user into thinking that the email is about the suspension of his/her email account. And, as with all other variants, these memory-resident worms propagate by sending a copy of themselves as an attachment within an email message, which they send to target recipients using their own Simple Mail Transfer Protocol (SMTP) engine.

    The only difference between the “.AR” variant and the “.BI” variant is the name of the dropped file. But there are three notable differences between “.AR” and “.BI” and their 115 MYTOB predecessors. These differences are:

    * They drop a copy of themselves as LIEN VAN DE KELDER.EXE or LIEN VAN DE KELDERRR.EXE (note, the only difference between the dropped file in the “.AR” variant and the “.BI” variant is the addition of two “R’s” at the end of the file name in “.BI”) in the Windows system folder. Lien Van de Kelder is a popular Belgian actress.
    * Upon execution, the worms drop spyware and adware onto the victims’ machine which contains a backdoor capability. The spyware, detected as TSPY_AGENT.H, tracks user preferences and could (potentially) track infection rates. The adware, detected as ADW_MEDTICKS.A, is a popular adware program “Media Tickets” (www.mediatickets.net). It has the ability to track what the user clicks on – and how often they do it – and can display pop-up ads. This adware also promises to pay 15 cents (USD) for every time a user clicks on the adware.
    * They also open Internet Explorer (IE) to connect to different Web sites that install other spyware or adware programs currently available on host sites.

    It is believed that these variants are actually intended as a testing ground for future variants that will likely take advantage of the monetary offer of the adware (the site referred to in this variant is not believed to be one of those sites – it was likely just written by a fan of Ms. Van De Kelder).

    If you would like to scan your computer for WORM_MYTOB.AR, WORM_MYTOB.BI, or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

    WORM_MYTOB.AR and WORM_MYTOB.BI are detected and cleaned by Trend Micro pattern file #2.651.00 and above.
     