Solved

Trouble cleaning network environment of Mytob variants

Posted on 2006-11-01
254 Views
Last Modified: 2010-04-11
We have a small domain running two servers and 10 workstations. The servers are Windows 2003, a DC running AD and the other box running Exchange 2003. We are using Microsoft Antigen 9.0 to scan mail and Symantec 10.0.2.2000 virus scanner on every box in the domain. The workstations are all running XP Pro SP2.

Antigen keeps finding about 25 emails a day that appear to be locally generated, appearing as from postmaster or admin@ourdomain.com sending to a randomly generated first name @ourdomain.com. We have run full scans on every workstation and server with our Symantec AV and the Microtrend System Clean tool. We have followed the removal instructions and looked for any entries in the hosts file or the extra Reg keys that are supposed to be generated by the Mytob worm on every workstation and server. The only thing that we can find is the files that Antigen has quarantined on the Exchange server.

The variants we are finding are:

W32.mytob.ea@mm
W32.mytob.kl.worm
W32.mytob.TO

We have even turned off all the workstations over the weekend to make sure it was not the desktops.

We have also used Spybot and the "free" version of Ad-aware on all devices.

Any suggestions would be most appreciated !!
0
Question by:firstamnla
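As an added example (not part of the original question or of any answer in this thread): a small Python triage script that looks for exactly the pattern described above, mail from postmaster/admin@ourdomain.com to local recipients that do not exist, and groups the hits by the submitting client address so the counts point at the machine generating them. The log line format, the sample lines, the mailbox list and the IP addresses are all constructed assumptions; real Antigen or Exchange message-tracking logs would need their own parser.

```python
import re
from collections import Counter

# Constructed sample of message-log lines in an assumed generic format
# ("<date> <time> client=<ip> from=<addr> to=<addr>"). These are NOT real
# Antigen or Exchange log lines; a real log needs its own parser.
SAMPLE_LOG = """\
2006-11-01 08:01:12 client=192.168.1.24 from=postmaster@ourdomain.com to=brian@ourdomain.com
2006-11-01 08:01:15 client=192.168.1.24 from=admin@ourdomain.com to=linda@ourdomain.com
2006-11-01 08:03:40 client=192.168.1.10 from=jsmith@ourdomain.com to=mjones@ourdomain.com
2006-11-01 08:05:02 client=192.168.1.24 from=postmaster@ourdomain.com to=kevin@ourdomain.com
2006-11-01 08:07:55 client=192.168.1.31 from=admin@ourdomain.com to=mjones@ourdomain.com
2006-11-01 08:09:13 client=192.168.1.24 from=postmaster@ourdomain.com to=sarah@ourdomain.com
"""

LOCAL_DOMAIN = "ourdomain.com"
# Assumed set of mailboxes that really exist in the domain (constructed).
KNOWN_MAILBOXES = {"jsmith", "mjones", "postmaster", "admin"}
# Sender local-parts the question says the generated mail is spoofing.
SPOOFED_SENDERS = {"postmaster", "admin"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client=(?P<ip>\S+) from=(?P<frm>\S+) to=(?P<to>\S+)$"
)


def parse_line(line):
    """Return a dict with ts/ip/frm/to for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def split_address(addr):
    """'user@dom' -> ('user', 'dom'), both lower-cased."""
    local, _, domain = addr.rpartition("@")
    return local.lower(), domain.lower()


def is_suspicious(rec):
    """Local 'system' sender delivering to a local recipient that does not exist."""
    frm_local, frm_dom = split_address(rec["frm"])
    to_local, to_dom = split_address(rec["to"])
    if frm_dom != LOCAL_DOMAIN or to_dom != LOCAL_DOMAIN:
        return False
    return frm_local in SPOOFED_SENDERS and to_local not in KNOWN_MAILBOXES


def find_suspect_hosts(log_text):
    """Count suspicious messages per submitting client IP, most active first."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            counts[rec["ip"]] += 1
    return dict(counts.most_common())


if __name__ == "__main__":
    for ip, n in find_suspect_hosts(SAMPLE_LOG).items():
        print(f"{ip}: {n} worm-pattern messages")
```

If the client address that dominates the counts is the Exchange server's own address, the messages are being submitted locally on that server, which would fit the observation that they continued with every workstation switched off; if it is a workstation, that is the box to isolate and scan first.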
7 Comments
 
LVL 23

Expert Comment

by:phototropic
ID: 17870365
According to the Trend Micro site:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYTOB%2EJ&VSect=Sn

there is a Microsoft patch for the security vulnerability which the worm exploits:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
0
 

Author Comment

by:firstamnla
ID: 17882614
Thanks for the post, but we have already run the Microtrend Sysclean tool that your link refers to on every workstation and server; it did not find anything. We have looked for the changes in files, processes and registry entries that the Microtrend article mentions and cannot find any of these symptoms. We have this patch installed as well. We have also used Process Explorer to see if maybe Task Manager was compromised, but both show the same processes running.
0
 
LVL 6

Accepted Solution

by:
Mnf earned 350 total points
ID: 17937845
Please download this utility from Symantec. This tool is designed to remove infections of all types of Mytob:
http://securityresponse.symantec.com/avcenter/FixMytob.exe
Please follow all these steps:
Disconnect the computer from the network and the Internet (this is very important because the virus will spread from one PC to another after you clean it).
Turn off System Restore.
Save the file to a convenient location, such as your Windows desktop.
Close all the running programs.
Start to begin the process, and then allow the tool to run.
Restart the computer.
Run the removal tool again to ensure that the system is clean.

The Removal Tool does the following:
Terminates the associated processes
Deletes the associated files
Deletes the registry values added by the threat
Repairs the hosts file

http://www.symantec.com/security_response/writeup.jsp?docid=2005-022812-5045-99
0
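To illustrate the "Repairs the hosts file" step of the tool described in the answer above: an added Python example (not the Symantec tool, nor code from anyone in this thread) that parses a hosts file and flags entries which point security-vendor hostnames at loopback or null addresses, the change that stops a box from reaching its AV vendor's update and download sites. The sample hosts content and the vendor suffix list are constructed assumptions; the vendor names are taken from the sites linked in this thread.

```python
# Constructed sample hosts file. The loopback/null entries for vendor sites are
# the kind of change the "Repairs the hosts file" step undoes; this is an
# illustration, not a copy of any real infected file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com   # added by malware (constructed)
127.0.0.1       www.trendmicro.com
0.0.0.0         windowsupdate.microsoft.com
192.168.1.5     intranet.ourdomain.com
"""

# Assumed watch-list; the vendors named here are the ones linked in this thread.
SECURITY_VENDOR_SUFFIXES = ("symantec.com", "trendmicro.com", "microsoft.com")
# Addresses that make a name unreachable when it is mapped to them.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts_line(raw):
    """Return [(ip, hostname), ...] for one line; comments/blank lines give []."""
    line = raw.split("#", 1)[0].strip()
    if not line:
        return []
    parts = line.split()
    if len(parts) < 2:
        return []
    ip, names = parts[0], parts[1:]
    return [(ip, name.lower()) for name in names]


def parse_hosts(text):
    """Flatten a whole hosts file into (ip, hostname) pairs."""
    entries = []
    for raw in text.splitlines():
        entries.extend(parse_hosts_line(raw))
    return entries


def is_vendor_host(name):
    """Exact match or subdomain of one of the watched vendor domains."""
    return any(name == s or name.endswith("." + s) for s in SECURITY_VENDOR_SUFFIXES)


def is_blocking_entry(ip, name):
    """True when a security-vendor hostname is pointed at a sinkhole address."""
    return ip in SINKHOLE_ADDRESSES and name != "localhost" and is_vendor_host(name)


def find_blocked_vendors(text):
    """List (ip, hostname) pairs that would keep this box from reaching AV/update sites."""
    return [(ip, name) for ip, name in parse_hosts(text) if is_blocking_entry(ip, name)]


def clean_hosts(text):
    """Return the hosts content with the blocking lines removed (caller writes it back)."""
    kept = []
    for raw in text.splitlines():
        if any(is_blocking_entry(ip, name) for ip, name in parse_hosts_line(raw)):
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts;
    # read that instead of SAMPLE_HOSTS to check a real box.
    for ip, name in find_blocked_vendors(SAMPLE_HOSTS):
        print(f"blocked: {name} -> {ip}")
```

Running this against the live file on each box, before and after the removal tool, gives a quick independent check that the repair step actually took, and a box whose hosts file keeps re-acquiring these entries after cleaning is one that is still infected.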
 
LVL 6

Expert Comment

by:Mnf
ID: 17937879
I forgot one thing:
Don't turn on the network or the Internet connection until you have finished the scan on all your workstations and the server.
After you make sure that all of your PCs are clean, then connect your PCs to the server and to the network.

Best Regards
0
 

Author Comment

by:firstamnla
ID: 17938685
Thanks Mnf, I will give this a try over a weekend when we can get everything offline at once. I will post the results when this is done.
0
