Trouble cleaning network environment of Mytob variants
Posted on 2006-11-01
We have a small domain running two servers and 10 workstations. The servers are Windows 2003, a DC running AD and the other box running Exchange 2003. We are using Microsoft Antigen 9.0 to scan mail and Symantec 10.0.2.2000 virus scanner on every box in the domain. The workstations are all running XP Pro SP2.
Antigen keeps finding about 25 emails a day that appear to be locally generated, appearing as from postmaster or firstname.lastname@example.org sending to randomly generated first name @ourdomain.com. We have run full scans on every workstation and server with our Symantec AV and the Microtrend System Clean tool. We have followed the removal instructions and looked for any entries in the hosts file or the extra Reg keys that are supposed to be generated by the Mytob worm on every workstation and server. The only thing that we can find is the files that Antigen has quarantined on the Exchange server.
The variants we are finding are:
We have even turned off all the workstations over the weekend to make sure it was not the desktops.
We have also used Spybot and the "free" version of Ad-aware on all devices.
Any suggestions would be most appreciated!!