Solved

Trouble cleaning network environment of Mytob variants

Posted on 2006-11-01
Last Modified: 2010-04-11
We have a small domain running two servers and 10 workstations. The servers are Windows 2003, a DC running AD and the other box running Exchange 2003. We are using Microsoft Antigen 9.0 to scan mail and Symantec 10.0.2.2000 virus scanner on every box in the domain. The workstations are all running XP Pro SP2.

Antigen keeps finding about 25 emails a day that appear to be locally generated, appearing as from postmaster or admin@ourdomain.com sending to randomly generated first name @ourdomain.com. We have run full scans on every workstation and server with our Symantec AV and the Microtrend System Clean tool. We have followed the removal instructions and looked for any entries in the hosts file or the extra registry keys that are supposed to be generated by the Mytob worm on every workstation and server. The only thing that we can find is the files that Antigen has quarantined on the Exchange server.

The variants we are finding are:

W32.mytob.ea@mm
W32.mytob.kl.worm
W32.mytob.TO

We have even turned off all the workstations over the weekend to make sure it was not the desktops.

We have also used Spybot and the "free" version of Ad-aware on all devices.

Any suggestions would be most appreciated !!
Question by:firstamnla
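
A defender's first step with the symptom described above (worm mail spoofed as postmaster/admin at the local domain, quarantined on the Exchange server) is to find out which internal machine is handing those messages to Exchange. The script below is an added example for this thread, not code from the original post or from Antigen or Exchange. It assumes the administrator can export the raw headers of the quarantined messages, and that the receiving SMTP server stamped a Received: header carrying the connecting host's IP in square brackets, as mail servers normally do. The sample headers, host names and addresses are constructed for the example.

```python
"""Group quarantined worm mail by the internal host that injected it.

Added example for this thread, not code from the original post or from
Antigen/Exchange. It assumes the administrator can export the raw headers
of the messages Antigen quarantined, and that the receiving SMTP server
stamped a Received: header carrying the connecting host's IP in square
brackets, as mail servers normally do.
"""
import re
from collections import Counter
from email.parser import HeaderParser
from email.utils import parseaddr
from typing import List, Optional

# Constructed sample headers: two messages injected by one workstation,
# one by another, and one legitimate external message for contrast.
SAMPLE_MESSAGES: List[str] = [
    "Received: from XP-WS07 ([192.168.1.57]) by exch01.ourdomain.com with SMTP;\n"
    "\tWed, 1 Nov 2006 09:14:02 -0500\n"
    "From: postmaster@ourdomain.com\n"
    "To: brian@ourdomain.com\n"
    "Subject: Mail Delivery System\n",
    "Received: from XP-WS07 ([192.168.1.57]) by exch01.ourdomain.com with SMTP;\n"
    "\tWed, 1 Nov 2006 09:21:44 -0500\n"
    "From: admin@ourdomain.com\n"
    "To: karen@ourdomain.com\n"
    "Subject: Notice\n",
    "Received: from XP-WS03 ([192.168.1.23]) by exch01.ourdomain.com with SMTP;\n"
    "\tWed, 1 Nov 2006 10:02:19 -0500\n"
    "From: postmaster@ourdomain.com\n"
    "To: david@ourdomain.com\n"
    "Subject: Mail Delivery System\n",
    "Received: from mail.example.org ([203.0.113.8]) by exch01.ourdomain.com with ESMTP;\n"
    "\tWed, 1 Nov 2006 10:30:00 -0500\n"
    "From: newsletter@example.org\n"
    "To: bob@ourdomain.com\n"
    "Subject: Weekly update\n",
]

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Local parts the thread says the worm spoofs as the sender.
SPOOFED_LOCAL_PARTS = {"postmaster", "admin"}


def _domain_of(addr: str) -> str:
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower()


def _local_part_of(addr: str) -> str:
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[0].lower()


def first_hop_ip(raw_headers: str) -> Optional[str]:
    """IP of the host that handed the message to our server.

    Received: headers are prepended at each hop, so the last one in the
    list is the earliest hop: the one stamped when the sender connected.
    """
    msg = HeaderParser().parsestr(raw_headers)
    received = msg.get_all("Received", [])
    if not received:
        return None
    match = RECEIVED_IP.search(received[-1])
    return match.group(1) if match else None


def looks_like_worm_mail(raw_headers: str, our_domain: str) -> bool:
    """Sender spoofed as postmaster/admin at our own domain, recipient local."""
    msg = HeaderParser().parsestr(raw_headers)
    sender, recipient = msg.get("From", ""), msg.get("To", "")
    return (
        _local_part_of(sender) in SPOOFED_LOCAL_PARTS
        and _domain_of(sender) == our_domain.lower()
        and _domain_of(recipient) == our_domain.lower()
    )


def tally_sources(messages: List[str], our_domain: str) -> Counter:
    """Count suspected worm messages per injecting IP.

    The hosts with the highest counts are where to look first.
    """
    counts: Counter = Counter()
    for raw in messages:
        if looks_like_worm_mail(raw, our_domain):
            ip = first_hop_ip(raw) or "unknown"
            counts[ip] += 1
    return counts


if __name__ == "__main__":
    for ip, n in tally_sources(SAMPLE_MESSAGES, "ourdomain.com").most_common():
        print(f"{ip}: {n} suspected worm message(s)")
```

Run against the real exported headers, the per-IP counts point at the workstation(s) that still carry the worm even when the local scanner reports them clean, which is the situation the question describes.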
7 Comments
Expert Comment

by:phototropic
ID: 17870365
According to the Trend Micro site:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYTOB%2EJ&VSect=Sn

there is a Microsoft patch for the security vulnerability which the worm exploits:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
Author Comment

by:firstamnla
ID: 17882614
Thanks for the post, but we have already run the Microtrend Sysclean tool that your link refers to on every workstation and server; it did not find anything. We have looked for the changes in files, processes and registry entries that the Microtrend article mentions and cannot find any of these symptoms. We have this patch installed as well. We have also used Process Explorer to see if maybe Task Manager was compromised, but both show the same processes running.
Accepted Solution

by:Mnf (earned 350 total points)
ID: 17937845
Please download this utility from Symantec. This tool is designed to remove infections of all types of Mytob:
http://securityresponse.symantec.com/avcenter/FixMytob.exe
Please follow all these steps:
Disconnect the computer from the network and the Internet (this is very important because the virus will spread from one PC to another after you clean it).
turn off System Restore
Save the file to a convenient location, such as your Windows desktop.
Close all the running programs.
Start to begin the process, and then allow the tool to run.
Restart the computer.
Run the removal tool again to ensure that the system is clean.

The Removal Tool does the following:
Terminates the associated processes
Deletes the associated files
Deletes the registry values added by the threat
Repairs the hosts file

http://www.symantec.com/security_response/writeup.jsp?docid=2005-022812-5045-99
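
The removal tool's last step, repairing the hosts file, addresses a trick this worm family uses: pinning antivirus and update hostnames to the loopback address so the scanner can no longer fetch signatures. The script below is an added example for this thread, not code from the original post or from the Symantec FixMytob tool; it shows what such a check and repair looks like in practice. The hosts text is a constructed sample, and the vendor keyword list is illustrative rather than the list any particular variant uses. On XP and Windows 2003 the live file is %SystemRoot%\system32\drivers\etc\hosts.

```python
"""Flag and neutralise hosts-file entries of the kind Mytob-family worms add.

Added example for this thread, not code from the original post or from the
Symantec FixMytob tool. The hosts text below is a constructed sample; the
vendor keyword list is illustrative, not the list any particular variant
uses. On XP/2003 the live file is %SystemRoot%\\system32\\drivers\\etc\\hosts.
"""
from typing import List, Optional, Tuple

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# (constructed sample for this example)
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantecliveupdate.com
127.0.0.1       www.trendmicro.com
192.168.1.10    exch01.ourdomain.com
"""

LOOPBACK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
LEGITIMATE_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}
# Illustrative keywords (assumption): names an AV/update client resolves.
VENDOR_KEYWORDS = ("symantec", "liveupdate", "trendmicro", "mcafee",
                   "sophos", "kaspersky", "windowsupdate")


def classify_line(line: str) -> Optional[str]:
    """Return a reason if this hosts line looks tampered with, else None.

    Two rules: any name other than localhost pinned to a loopback address
    is a silent block, and any security-vendor name mapped anywhere at all
    is an override that would redirect update/signature traffic.
    """
    body = line.split("#", 1)[0].strip()     # drop comments and blank lines
    parts = body.split()
    if len(parts) < 2:
        return None
    address, names = parts[0], [n.lower() for n in parts[1:]]
    for name in names:
        if address in LOOPBACK_ADDRESSES and name not in LEGITIMATE_LOOPBACK_NAMES:
            return f"{name} pinned to loopback {address}"
        if any(keyword in name for keyword in VENDOR_KEYWORDS):
            return f"{name} redirected to {address}"
    return None


def suspicious_entries(hosts_text: str) -> List[Tuple[int, str, str]]:
    """(line number, line, reason) for every line classify_line flags."""
    flagged = []
    for number, line in enumerate(hosts_text.splitlines(), start=1):
        reason = classify_line(line)
        if reason:
            flagged.append((number, line, reason))
    return flagged


def repair_hosts(hosts_text: str) -> str:
    """Return the file with flagged lines commented out, everything else intact.

    Commenting rather than deleting keeps an audit trail of what was there.
    """
    repaired = []
    for line in hosts_text.splitlines():
        reason = classify_line(line)
        repaired.append(f"# disabled ({reason}): {line}" if reason else line)
    return "\n".join(repaired) + "\n"


if __name__ == "__main__":
    for number, line, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {number}: {reason}")
    print(repair_hosts(SAMPLE_HOSTS))
```

Running the check on every workstation before the removal tool, and again afterwards, gives a quick confirmation that the file is back to only the localhost entry; a machine whose hosts file keeps reacquiring these entries after cleaning is one that is still infected or is being re-infected from a neighbour, which is why the answer insists on cleaning with the network disconnected.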
Expert Comment

by:Mnf
ID: 17937879
I forgot one thing:
don't turn on the network or the Internet connection until you finish the scan on all your workstations and the server.
After you make sure that all of your PCs are clean, then connect your PCs to the server and to the network.

Best Regards
Author Comment

by:firstamnla
ID: 17938685
Thanks Mnf, I will give this a try over a weekend when we can get everything offline at once. I will post the results when this is done.