W32/Mytob.HI ??



roberto
07-09-2005, 10:50 PM
A friend of mine doesn't know how to get rid of this VARIANT of the Mytob worm.
He is a server administrator, and several employees are complaining about the
several e-mails with the worm they receive every day, at every hour. He says
that the removal tools he found on the internet seem like they can't remove this
variant.

My question is... if he wants to remove this MANUALLY, must he use the same
procedure to get rid of the other variants? What's the difference between
this variant HI and the others?

Thanks in advance

Robert
CUBA

David H. Lipman
07-09-2005, 10:50 PM
From: "roberto" <ralplavner@HotPOP.com>

| A friend of mine doesn't know how to get rid of this VARIANT of the Mytob worm.
| He is a server administrator, and several employees are complaining about the
| several e-mails with the worm they receive every day, at every hour. He says
| that the removal tools he found on the internet seem like they can't remove this
| variant.
|
| My question is... if he wants to remove this MANUALLY, must he use the same
| procedure to get rid of the other variants? What's the difference between
| this variant HI and the others?
|
| Thanks in advance
|
| Robert
| CUBA
|

Roberto:

The question is what AV software identified this variant? There is a naming convention
problem in the industry, and while the name may be the same for different vendors, the variant
suffix can be different. Then there is the problem where the same infector could have a
different name from different vendors.

Usually a new variant means an alteration in the infection methodology. This could mean an
EXE in a ZIP file instead of just sending an EXE file, or a new EXE name, or a variation in
the coding of the infector.

Have your "friend" perform the following on the affected platform, which provides scanners
for McAfee, Trend and Sophos.



Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla Firefox cache { if you use Firefox }
Tools --> Options --> Privacy --> Cache --> Clear

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare }, two batch files, four Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities: UNZIP.EXE and WGET.EXE. It will
simplify the process of using up to 3 different Anti-Virus Command Line Scanners to remove
viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor's web site.
On Win9x/ME the choices are: Trend, McAfee, Exit the menu and Reboot the PC.
On NT4, Win2k, WinXP and Win2003 Server the choices are: Sophos, Trend, McAfee, Exit the
menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files, or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot], re-run the menu and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed, hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute: Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose: Unzip
Choose: Close

Execute: C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software firewall or allow WGET.EXE and/or FTP.EXE to go
through your firewall to allow them to download the needed AV vendor related files.

* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Trafton
07-09-2005, 10:50 PM
Roberto,

It's frankly hard to say what the differences are between this and other
Mytob variants. As you can probably surmise from the name (.HI), there
have been a lot of them and most of them lack descriptions. This also
probably varies depending on what antivirus program detected it.

From your message, it isn't entirely clear whether or not any computers
are infected. If you are just receiving email messages with the worm,
there is little that can be done other than to block those with a
gateway spam filter. However, if there is reason to believe a computer
has been infected, you will need an antivirus program. If he is a
server administrator, I do hope he is running one - can you ask him
which one?

Sincerely,

Benjamin Johnstone-Anderson
Microsoft MVP, Windows Security
Security Manifest - http://www.msmvps.com/trafton/

roberto wrote:
> A friend of mine doesn't know how to get rid of this VARIANT of the Mytob worm.
> He is a server administrator, and several employees are complaining about the
> several e-mails with the worm they receive every day, at every hour. He says
> that the removal tools he found on the internet seem like they can't remove this
> variant.
>
> My question is... if he wants to remove this MANUALLY, must he use the same
> procedure to get rid of the other variants? What's the difference between
> this variant HI and the others?
>
> Thanks in advance
>
> Robert
> CUBA
>
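
Trafton's suggestion of blocking the worm-carrying mail at the gateway, together with Dave's note that a new variant may ship its EXE inside a ZIP rather than as a bare attachment, can be illustrated with a small attachment check. The following is an added example written for this thread, not code from either poster or from any of the tools they mention; the blocked-extension list and the sample message are constructed assumptions, and it uses only the Python standard library.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment extensions a gateway policy would treat as executable.
# Assumption for illustration only; a real policy list would be longer.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def is_executable_name(name):
    """True if the file name carries one of the blocked extensions."""
    return (name or "").lower().endswith(EXEC_EXTS)


def risky_attachments(raw_message):
    """Return [(attachment_name, reason)] for every attachment a gateway
    filter should hold: executables by name, executables hidden under a
    harmless name (MZ header), and executables packed inside a ZIP."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if is_executable_name(name):
            findings.append((name, "executable attachment"))
        elif payload[:2] == b"MZ":
            findings.append((name, "PE header under non-executable name"))
        elif payload[:2] == b"PK":
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    bad = [i.filename for i in zf.infolist()
                           if is_executable_name(i.filename)]
            except zipfile.BadZipFile:
                findings.append((name, "malformed ZIP container"))
                continue
            if bad:
                findings.append((name, "executable %s inside ZIP" % bad[0]))
    return findings


def build_sample_message():
    """Constructed sample message (not a real capture): one ZIP holding a
    fake .exe, one renamed fake executable, one harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.exe", b"MZ" + b"\x00" * 62)  # fake PE stub
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your account"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="info.zip")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    msg.add_attachment("Nothing to see here.", subtype="plain",
                       filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in risky_attachments(build_sample_message()):
        print("HOLD %s: %s" % (name, reason))
```

Run against the constructed message, the ZIP is flagged for the .exe it carries and the renamed file is flagged by its MZ header, while the plain text attachment passes; a hold decision on either finding is what the gateway filter Trafton mentions would act on.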

Trafton
07-09-2005, 10:50 PM
Oops, David! Sorry. Didn't intend to accidentally poach here...my
synchronization seems to be out of whack and I just got his message
while I've had yours for hours. My apologies about that...

Ben

David H. Lipman wrote:
> From: "roberto" <ralplavner@HotPOP.com>
>
> | A friend of mine doesn't know how to get rid of this VARIANT of the Mytob worm.
> | He is a server administrator, and several employees are complaining about the
> | several e-mails with the worm they receive every day, at every hour. He says
> | that the removal tools he found on the internet seem like they can't remove this
> | variant.
> |
> | My question is... if he wants to remove this MANUALLY, must he use the same
> | procedure to get rid of the other variants? What's the difference between
> | this variant HI and the others?
> |
> | Thanks in advance
> |
> | Robert
> | CUBA
> |
>
> Roberto:
>
> The question is what AV software identified this variant? There is a naming convention
> problem in the industry, and while the name may be the same for different vendors, the variant
> suffix can be different. Then there is the problem where the same infector could have a
> different name from different vendors.
>
> Usually a new variant means an alteration in the infection methodology. This could mean an
> EXE in a ZIP file instead of just sending an EXE file, or a new EXE name, or a variation in
> the coding of the infector.
>
> Have your "friend" perform the following on the affected platform, which provides scanners
> for McAfee, Trend and Sophos.
>
> Dump the contents of the IE Temporary Internet Folder cache (TIF)
> Start --> Settings --> Control Panel --> Internet Options --> Delete Files
>
> Dump the contents of the Mozilla Firefox cache { if you use Firefox }
> Tools --> Options --> Privacy --> Cache --> Clear
>
> Download MULTI_AV.EXE from the URL --
> http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
> It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
> http://kixtart.org Kixtart is CareWare }, two batch files, four Kixtart scripts, one Link
> (.LNK) file, this PDF instruction file and two utilities: UNZIP.EXE and WGET.EXE. It will
> simplify the process of using up to 3 different Anti-Virus Command Line Scanners to remove
> viruses and various other malware.
>
> C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }
> This will bring up the initial menu of choices and should be executed in Normal Mode. This
> way all the components can be downloaded from each AV vendor's web site.
> On Win9x/ME the choices are: Trend, McAfee, Exit the menu and Reboot the PC.
> On NT4, Win2k, WinXP and Win2003 Server the choices are: Sophos, Trend, McAfee, Exit the
> menu and Reboot the PC.
>
> You can choose to go to each menu item and just download the needed files, or you can
> download the files and perform a scan in Normal Mode. Once you have downloaded the files
> needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
> during boot], re-run the menu and choose which scanner you want to run in Safe
> Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
>
> When the menu is displayed, hitting 'H' or 'h' will bring up a more comprehensive PDF help
> file.
>
> To use this utility, perform the following...
> Execute: Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
> Choose: Unzip
> Choose: Close
>
> Execute: C:\AV-CLS\StartMenu.BAT
> { or Double-click on 'Start Menu' in C:\AV-CLS }
>
> NOTE: You may have to disable your software firewall or allow WGET.EXE and/or FTP.EXE to go
> through your firewall to allow them to download the needed AV vendor related files.
>
> * * * Please report back your results * * *
>
>
>

roberto
07-09-2005, 10:50 PM
I guess he has tried everything, or better said, ALMOST EVERYTHING.

I posted "my question" here assuming that, if he is a server administrator, he
must know what to do... so, if he has the AV updated on the server, there
should be no reason for this...

Anyway, I provided him the NOD32 removal tool (it says it could fix ALL MYTOB
VARIANTS)... I have not received any report from him yet... probably he
could finally get rid of this worm.


"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:u0EQZ3PfFHA.3960@TK2MSFTNGP14.phx.gbl...
> From: "roberto" <ralplavner@HotPOP.com>
>
> | A friend of mine doesn't know how to get rid of this VARIANT of the Mytob worm.
> | He is a server administrator, and several employees are complaining about the
> | several e-mails with the worm they receive every day, at every hour. He says
> | that the removal tools he found on the internet seem like they can't remove this
> | variant.
> |
> | My question is... if he wants to remove this MANUALLY, must he use the same
> | procedure to get rid of the other variants? What's the difference between
> | this variant HI and the others?
> |
> | Thanks in advance
> |
> | Robert
> | CUBA
> |
>
> Roberto:
>
> The question is what AV software identified this variant? There is a naming convention
> problem in the industry, and while the name may be the same for different vendors, the variant
> suffix can be different. Then there is the problem where the same infector could have a
> different name from different vendors.
>
> Usually a new variant means an alteration in the infection methodology. This could mean an
> EXE in a ZIP file instead of just sending an EXE file, or a new EXE name, or a variation in
> the coding of the infector.
>
> Have your "friend" perform the following on the affected platform, which provides scanners
> for McAfee, Trend and Sophos.
>
> Dump the contents of the IE Temporary Internet Folder cache (TIF)
> Start --> Settings --> Control Panel --> Internet Options --> Delete Files
>
> Dump the contents of the Mozilla Firefox cache { if you use Firefox }
> Tools --> Options --> Privacy --> Cache --> Clear
>
> Download MULTI_AV.EXE from the URL --
> http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
> It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
> http://kixtart.org Kixtart is CareWare }, two batch files, four Kixtart scripts, one Link
> (.LNK) file, this PDF instruction file and two utilities: UNZIP.EXE and WGET.EXE. It will
> simplify the process of using up to 3 different Anti-Virus Command Line Scanners to remove
> viruses and various other malware.
>
> C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }
> This will bring up the initial menu of choices and should be executed in Normal Mode. This
> way all the components can be downloaded from each AV vendor's web site.
> On Win9x/ME the choices are: Trend, McAfee, Exit the menu and Reboot the PC.
> On NT4, Win2k, WinXP and Win2003 Server the choices are: Sophos, Trend, McAfee, Exit the
> menu and Reboot the PC.
>
> You can choose to go to each menu item and just download the needed files, or you can
> download the files and perform a scan in Normal Mode. Once you have downloaded the files
> needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
> during boot], re-run the menu and choose which scanner you want to run in Safe
> Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
>
> When the menu is displayed, hitting 'H' or 'h' will bring up a more comprehensive PDF help
> file.
>
> To use this utility, perform the following...
> Execute: Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
> Choose: Unzip
> Choose: Close
>
> Execute: C:\AV-CLS\StartMenu.BAT
> { or Double-click on 'Start Menu' in C:\AV-CLS }
>
> NOTE: You may have to disable your software firewall or allow WGET.EXE and/or FTP.EXE to go
> through your firewall to allow them to download the needed AV vendor related files.
>
> * * * Please report back your results * * *
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm

David H. Lipman
07-09-2005, 10:50 PM
From: "roberto" <ralplavner@HotPOP.com>

| I guess he has tried everything, or better said, ALMOST EVERYTHING.
|
| I posted "my question" here assuming that, if he is a server administrator, he
| must know what to do... so, if he has the AV updated on the server, there
| should be no reason for this...
|
| Anyway, I provided him the NOD32 removal tool (it says it could fix ALL MYTOB
| VARIANTS)... I have not received any report from him yet... probably he
| could finally get rid of this worm.
|

That's a faux conclusion. By using the McAfee, Sophos and Trend Sysclean, one of the three
may catch this variant or other infectors. The NOD32 tool is a good idea, but... it only
targets one infector and its variants, while what I suggested are broad-spectrum scanners.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

roberto
07-09-2005, 10:50 PM
I totally agree with this: The NOD32 tool is a good idea, but... it only
targets one infector and its variants, while what I suggested are
broad-spectrum scanners.





"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:eVhgdUXfFHA.1048@tk2msftngp13.phx.gbl...
> From: "roberto" <ralplavner@HotPOP.com>
>
> | I guess he has tried everything, or better said, ALMOST EVERYTHING.
> |
> | I posted "my question" here assuming that, if he is a server administrator, he
> | must know what to do... so, if he has the AV updated on the server, there
> | should be no reason for this...
> |
> | Anyway, I provided him the NOD32 removal tool (it says it could fix ALL MYTOB
> | VARIANTS)... I have not received any report from him yet... probably he
> | could finally get rid of this worm.
> |
>
> That's a faux conclusion. By using the McAfee, Sophos and Trend Sysclean, one of the three
> may catch this variant or other infectors. The NOD32 tool is a good idea, but... it only
> targets one infector and its variants, while what I suggested are broad-spectrum scanners.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm

