Solved

Trouble cleaning network environment of Mytob variants

Posted on 2006-11-01
Last Modified: 2010-04-11
We have a small domain running two servers and 10 workstations. The servers are Windows 2003: a DC running AD and the other box running Exchange 2003. We are using Microsoft Antigen 9.0 to scan mail and the Symantec 10.0.2.2000 virus scanner on every box in the domain. The workstations are all running XP Pro SP2.

Antigen keeps finding about 25 emails a day that appear to be locally generated, appearing as from postmaster or admin@ourdomain.com, sending to a randomly generated first name @ourdomain.com. We have run full scans on every workstation and server with our Symantec AV and the Trend Micro System Clean tool. We have followed the removal instructions and looked for any entries in the hosts file or the extra registry keys that are supposed to be generated by the Mytob worm on every workstation and server. The only things that we can find are the files that Antigen has quarantined on the Exchange server.

The variants we are finding are:

W32.mytob.ea@mm
W32.mytob.kl.worm
W32.mytob.TO

We have even turned off all the workstations over the weekend to make sure it was not the desktops.

We have also used Spybot and the "free" version of Ad-aware on all devices.

Any suggestions would be most appreciated!
Question by:firstamnla
7 Comments
LVL 23

Expert Comment

by:phototropic
ID: 17870365
According to the Trend Micro site:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYTOB%2EJ&VSect=Sn

there is a Microsoft patch for the security vulnerability which the worm exploits:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Author Comment

by:firstamnla
ID: 17882614
Thanks for the post, but we have already run the Trend Micro Sysclean tool that your link refers to on every workstation and server; it did not find anything. We have looked for the changes in files, processes and registry entries that the Trend Micro article mentions and cannot find any of these symptoms. We have this patch installed as well. We have also used Process Explorer to see if maybe Task Manager was compromised, but both show the same processes running.
LVL 6

Accepted Solution

by: Mnf (earned 1400 total points)
ID: 17937845
Please download this utility from Symantec. This tool is designed to remove infections of all variants of Mytob:
http://securityresponse.symantec.com/avcenter/FixMytob.exe
Please follow all these steps:
1. Disconnect the computer from the network and the Internet (this is very important because the virus will spread from one PC to another after you clean it).
2. Turn off System Restore.
3. Save the file to a convenient location, such as your Windows desktop.
4. Close all the running programs.
5. Start the tool to begin the process, and then allow the tool to run.
6. Restart the computer.
7. Run the removal tool again to ensure that the system is clean.

The Removal Tool does the following:
Terminates the associated processes
Deletes the associated files
Deletes the registry values added by the threat
Repairs the hosts file

http://www.symantec.com/security_response/writeup.jsp?docid=2005-022812-5045-99
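The question mentions checking every box for the hosts-file entries that Mytob adds, and the Symantec tool above lists "repairs the hosts file" among its actions, because Mytob-family worms redirect antivirus and update sites in that file so the scanner can no longer update. As an added example (not code from this thread or from Symantec's tool), here is a small Python audit that parses hosts-file text and flags security-vendor names that have been overridden or pinned to loopback; the vendor domain list and the sample hosts content are constructed for the example and are not an exhaustive indicator list.

```python
from ipaddress import ip_address

# Security-vendor domains that Mytob-family worms are documented to redirect in
# the hosts file so that AV and update sites become unreachable. This list is a
# constructed sample for the example, not an exhaustive indicator list.
VENDOR_DOMAINS = ("symantec.com", "symantecliveupdate.com", "trendmicro.com",
                  "microsoft.com", "windowsupdate.com", "mcafee.com", "sophos.com")
# Names that legitimately map to the loopback address on a Windows host.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain"}

def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ip = ip_address(fields[0])
        except ValueError:
            continue                             # malformed line, ignore it
        for name in fields[1:]:
            yield ip, name.lower(), line_no

def is_vendor_host(name):
    """True if name is a security-vendor domain or one of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in VENDOR_DOMAINS)

def audit_hosts(text):
    """Return [(line_no, ip, hostname, reason)] for entries worth a closer look."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if is_vendor_host(name):
            findings.append((line_no, str(ip), name, "security-vendor host overridden"))
        elif ip.is_loopback and name not in LEGIT_LOOPBACK:
            findings.append((line_no, str(ip), name, "non-localhost name pinned to loopback"))
    return findings

# Constructed sample of a Windows hosts file after a Mytob-style modification.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.5     fileserver.corp.example   # legitimate local entry
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com
127.0.0.1       www.trendmicro.com
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       liveupdate.symantecliveupdate.com
"""
```

To audit a live machine, read the contents of C:\Windows\System32\drivers\etc\hosts and pass the text to audit_hosts instead of SAMPLE_HOSTS; an empty result means no vendor override was found, which is what the original poster reported on every box.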
LVL 6

Expert Comment

by:Mnf
ID: 17937879
I forgot one thing:
Don't turn on the network or the Internet connection until you finish the scan on all your workstations and the server.
After you make sure that all of your PCs are clean, then connect your PCs to the server and to the network.

Best regards

Author Comment

by:firstamnla
ID: 17938685
Thanks Mnf, I will give this a try over a weekend when we can get everything offline at once. I will post the results when this is done.