Trouble cleaning network environment of Mytob variants

We have a small domain running two Servers and 10 workstations. The Servers are Windows 2003, a DC running AD and the other box running Exchange 2003. We are using Microsoft Antigen 9.0 to scan mail and Symantec 10.0.2.2000 Virus scanner on every box in the domain. The workstations are all running XP Pro SP2.

Antigen keeps finding about 25 emails a day that appear to be locally generated, appearing as from postmaster or admin@ourdomain.com sending to randomly generated first name @ourdomain.com. We have run full scans on every workstation and server with our Symantec AV and the Microtrend System Clean tool. We have followed the removal instructions and looked for any entries in the host file or the extra Reg keys that are supposed to be generated by the Mytob worm on every workstation and server. The only thing that we can find is the files that Antigen has quarantined on the exchange server.

The variants we are finding are:

W32.mytob.ea@mm
W32.mytob.kl.worm
W32.mytob.TO

We have even turned off all the workstations over the weekend to make sure it was not the desktops.

We have also used Spybot and the "free" version of Ad-aware on all devices.

Any suggestions would be most appreciated!!
Asked by: firstamnla
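As an added triage check (example code, not from the thread or from any vendor tool): the messages described above are handed to Exchange by some internal host, and the last `Received:` header on each quarantined message records which one. The script below, using constructed sample messages with hypothetical host names and IPs, picks out messages matching the postmaster/admin-to-internal-recipient pattern and counts them per originating IP, so the workstation to take offline and clean can be identified instead of scanning every box blind.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (hypothetical hosts and addresses, not from the
# thread): the Received chain Exchange stamps on a message, earliest hop last.
SAMPLES = [
"""Received: from EXCH01 ([10.0.0.5]) by EXCH01 with Microsoft SMTPSVC; Mon, 1 Aug 2005 09:12:01 -0500
Received: from ourdomain.com (WS-ACCT03 [10.0.0.37]) by EXCH01 with SMTP; Mon, 1 Aug 2005 09:12:00 -0500
From: postmaster@ourdomain.com
To: john@ourdomain.com
""",
"""Received: from ourdomain.com (WS-ACCT03 [10.0.0.37]) by EXCH01 with SMTP; Mon, 1 Aug 2005 09:15:44 -0500
From: admin@ourdomain.com
To: sarah@ourdomain.com
""",
"""Received: from ourdomain.com (WS-RECEP01 [10.0.0.52]) by EXCH01 with SMTP; Mon, 1 Aug 2005 09:20:07 -0500
From: postmaster@ourdomain.com
To: michael@ourdomain.com
""",
"""Received: from WS-ACCT03 ([10.0.0.37]) by EXCH01 with Microsoft SMTPSVC; Mon, 1 Aug 2005 09:22:30 -0500
From: bob@ourdomain.com
To: alice@ourdomain.com
""",
]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
SUSPECT_LOCALPARTS = {"postmaster", "admin"}

def originating_ip(raw):
    """IP of the earliest hop: the last Received header the server recorded."""
    received = message_from_string(raw).get_all("Received") or []
    match = IP_RE.search(received[-1]) if received else None
    return match.group(1) if match else None

def matches_pattern(raw):
    """Internal 'postmaster'/'admin' sender writing to the same internal domain."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower().partition("@")
    rcpt = parseaddr(msg.get("To", ""))[1].lower().partition("@")
    return sender[0] in SUSPECT_LOCALPARTS and sender[2] != "" and sender[2] == rcpt[2]

def triage(raws):
    """Count pattern-matching messages per originating host IP."""
    return Counter(originating_ip(r) for r in raws if matches_pattern(r))

if __name__ == "__main__":
    print(triage(SAMPLES).most_common())
```

Feed it the raw `.eml` files from the Antigen quarantine; the host with the highest count is the one to isolate first, and a message whose earliest hop is the Exchange server itself points at the server rather than a workstation.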
1 Solution
 
phototropic commented:
According to the Trend Micro site:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYTOB%2EJ&VSect=Sn

there is a Microsoft patch for the security vulnerability which the worm exploits:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
firstamnla (author) commented:
Thanks for the post, but we have already run the Microtrend Sysclean tool that your link refers to on every workstation and server; it did not find anything. We have looked for the changes in files, processes and registry entries that the Microtrend article mentions and cannot find any of these symptoms. We have this patch installed as well. We have also used Process Explorer to see if maybe Task Manager was compromised, but both show the same processes running.
Mnf commented:
Please download this utility from Symantec. This tool is designed to remove infections of all types of the Mytob:
http://securityresponse.symantec.com/avcenter/FixMytob.exe
Please follow all these steps:
Disconnect the computer from the network and the Internet (this is very important because the virus will spread from one PC to another after you clean it).
Turn off System Restore.
Save the file to a convenient location, such as your Windows desktop.
Close all the running programs.
Start to begin the process, and then allow the tool to run.
Restart the computer.
Run the removal tool again to ensure that the system is clean.

The Removal Tool does the following:
Terminates the associated processes
Deletes the associated files
Deletes the registry values added by the threat
Repairs the hosts file

http://www.symantec.com/security_response/writeup.jsp?docid=2005-022812-5045-99
Mnf commented:
I forgot one thing:
Don't turn on the network or the Internet connection until you have finished the scan on all your workstations and the server.
After you make sure that all of your PCs are clean, then connect your PCs to the server and to the network.

Best Regards
firstamnla (author) commented:
Thanks Mnf, I will give this a try over a weekend when we can get everything offline at once. I will post the results when this is done.