
Failing to pinpoint source of MyTob Variants



#1 Marcola

Marcola

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:05:40 AM

Posted 24 June 2005 - 02:17 PM

I am failing miserably at finding the source of the MyTob virus on my corporate network.

All servers are running either Windows 2000 AS/SP4 or Windows Server 2003. All workstations are running XP Professional/SP1 or SP2.

Here are a few things I've done already.

1. I have run network file searches for the list of dropped files and came up empty.
2. I have run security scans using Tenable NewT Security Scanner. Nothing out of the ordinary shows.
3. I have run a port scanner to see if I can locate an SMTP engine running on a machine that it shouldn't BUT it's evident that the SMTP engine built into MyTob doesn't show on port 25.
4. Implemented Norton's AV SMTP Inbound/Outbound scanning on my Exchange servers. Below is a sample of the hundreds of notices I am getting.

=====================================================
Location of the infected item: SMTP
Sender of the infected item: service@ultimus.com
Intended Recipient of the infected item: joe@ultimus.com
Subject of the message: YOUR PASSWORD HAS BEEN SUCCESSFULLY UPDATED
The attachment "email-password.zip" was marked for Deletion for the following reasons:

Virus W32.Mytob.ED@mm was found in email-password.htm.exe

This was done due to the following Symantec Mail Security settings:
Policy: Standard
SubPolicy: Virus SubPolicy
Rule: Mass-Mailer Virus Rule
=====================================================


What is the easiest way to find the source of the virus? I know it's either internal on our LAN or it's on one of our VPN nodes.

Any help would be appreciated!


#2 Leurgy

Leurgy

    Voted most likely


  • Members
  • 3,831 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Collingwood, Ontario, Canada
  • Local time:05:40 AM

Posted 24 June 2005 - 05:41 PM

According to this Symantec/Norton page:

Opens a back door by connecting to an IRC channel #html2 on the irc.blackcarder.net domain on TCP port 4512 and listens for commands


Also:

Copies itself as %System%\wincfg32.exe.


Symantec also offers a specific tool to remove the virus. I hope that helps.

When the only tool you own is a hammer, every problem begins to resemble a nail. Abraham Maslow

**** We use our powers for good, not evil ****

 Trying to remove your data from the web is like trying to remove pee from a swimming pool
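An added example, written for this thread rather than taken from either post or from Symantec: a small log-triage script that turns the two indicators quoted in the reply (the IRC back door on TCP port 4512 at irc.blackcarder.net) into a search over outbound firewall logs, so the internal source address of whichever machine keeps trying to reach the back door falls out directly. It also adds a second check that follows from the original post's observation that port-scanning for SMTP listeners finds nothing: a mass-mailer's built-in SMTP engine connects out on port 25 rather than listening, so outbound 25 from any host that is not one of the Exchange servers is the thing to look for. The log format, the sample lines and the mail-server addresses are all constructed assumptions for the example; substitute your own firewall's export format.

```python
import re
from collections import Counter

# Indicators quoted in the reply above from the Symantec write-up.
C2_HOST = "irc.blackcarder.net"
C2_PORT = 4512

# Assumed: internal hosts that are legitimately allowed to send SMTP (the Exchange servers).
MAIL_SERVERS = {"10.1.1.10", "10.1.1.11"}

# Constructed sample firewall log in a hypothetical format:
#   "<date> <time> <ACTION> <src>:<sport> -> <dst>:<dport> <proto> [host=<name>]"
# Denied attempts are kept on purpose: a blocked connection still names the source.
SAMPLE_LOG = """\
2005-06-24 13:02:11 DENY 10.1.4.22:1045 -> 203.0.113.9:4512 TCP host=irc.blackcarder.net
2005-06-24 13:02:13 ALLOW 10.1.4.22:1046 -> 192.0.2.20:25 TCP
2005-06-24 13:02:15 ALLOW 10.1.7.8:1200 -> 198.51.100.5:80 TCP
2005-06-24 13:02:20 ALLOW 10.1.1.10:2201 -> 192.0.2.20:25 TCP
2005-06-24 13:02:40 DENY 10.1.4.22:1050 -> 203.0.113.9:4512 TCP host=irc.blackcarder.net
2005-06-24 13:03:01 ALLOW 10.1.9.14:1302 -> 203.0.113.9:4512 TCP
2005-06-24 13:03:05 ALLOW 10.1.7.8:1201 -> 192.0.2.20:25 TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+)(?: host=(?P<host>\S+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def parse_log(text):
    """Parse a whole log export, silently skipping unparseable lines."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def is_c2_attempt(rec):
    """True when the record matches the IRC back-door indicator by port or by resolved host."""
    return rec["proto"] == "TCP" and (rec["dport"] == C2_PORT or rec["host"] == C2_HOST)


def c2_suspects(records):
    """Internal source IP -> number of connection attempts to the back door, allowed or denied."""
    return Counter(r["src"] for r in records if is_c2_attempt(r))


def rogue_smtp_clients(records, mail_servers=MAIL_SERVERS):
    """Internal hosts opening outbound TCP/25 that are not sanctioned mail servers."""
    return Counter(
        r["src"] for r in records
        if r["proto"] == "TCP" and r["dport"] == 25 and r["src"] not in mail_servers
    )


def triage(log_text, mail_servers=MAIL_SERVERS):
    """Run both checks over a log export; hosts appearing in both lists deserve the first visit."""
    records = parse_log(log_text)
    return {
        "c2": dict(c2_suspects(records)),
        "smtp": dict(rogue_smtp_clients(records, mail_servers)),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Hosts attempting the IRC back door:", result["c2"])
    print("Non-mail-server hosts sending SMTP:  ", result["smtp"])
```

On the constructed sample, 10.1.4.22 shows up in both lists (two back-door attempts and direct outbound SMTP) while the Exchange server 10.1.1.10 is correctly left out; that is the host to pull off the network and check for the %System%\wincfg32.exe copy the reply mentions. The two checks are deliberately independent, since a VPN node's traffic may only be visible on one side of the firewall.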




