Trend Micro Virus Alert - WORM_MYTOB.ED

Dear Trend Micro customer,

As of May 9, 2005 4:30 AM PDT (Pacific Daylight Time/GMT -8:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_MYTOB.ED. TrendLabs has received several infection reports indicating that it is spreading in Japan and Australia.

Like earlier WORM_MYTOB variants, this worm propagates by sending a copy of itself as an attachment to an email message, which it sends to target recipients, using its own Simple Mail Transfer Protocol (SMTP) engine.

The email it sends out has the following details:

Subject: (any of the following)
- Error
- hello
- Here is your documents.
- Mail Delivery System
- Mail Transaction Failed
- Re: Thank you for delivery
- Server Report
- something for you
- Status

Subject: (any of the following)
- *IMPORTANT* Please Validate Your Email Account
- *IMPORTANT* Your Account Has Been Locked
- Email Account Suspension
- Notice: **Last Warning**
- Notice:***Your email account will be suspended***
- Security measures
- Your email account access is restricted
- Your Email Account is Suspended For Security Reasons

Message Body: (any of the following)
- Account Information Are Attached!
- Once you have completed the form in the attached file , your account records will not be interrupted and will continue
as normal.
- please look at attached document.
- Please see the attachement.
- To safeguard your email account from possible termination, please see the attached file.
- To unblock your email account acces, please see the attachement.
- We have suspended some of your email services, to resolve the problem you should read the attached document.

Attachment: (any of the following file names)
- email-doc
- email-info
- email-text
- information
- your_details
- document_full
- IMPORTANT
- info-text
- {random}

(any of the following extensions)
- .exe
- .pif
- .scr
- .zip

It gathers target email addresses from the Temporary Internet folder, Windows address book (WAB), as well as from files with certain extension names. It may also generate email addresses by using a list of names and any of the domain names of the previously gathered addresses. This worm has backdoor capabilities, which allow a remote user to perform malicious commands on the affected machine. The said routine provides remote users virtual control over affected systems, thus compromising system security. Moreover, it prevents users from accessing several antivirus and security Web sites by redirecting the connection to the local machine.

TrendLabs will be releasing the following EPS deliverables:

TMCM Outbreak Prevention Policy 172 - uploaded
Official Pattern Release 2.619.00 - currently being uploaded
Damage Cleanup Template 590 - ETA is 30 minutes

For more information on WORM_MYTOB.ED, you can visit our Web site at:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYTOB.ED.

 

Symantec: W32.Mydoom.BO@mm

This is Symantec's writeup on the worm: W32.Mydoom.BO@mm
It caused an early-morning liveupdate, to provide protection.

Tech Details: http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.bo@mm.html#technicaldetails