SBS2003 & Virus Warnings (Mytob-CP)

Hi All,

Currently I’m using demo versions of AVAST Server products and professional products - very impressed to date and will be purchasing a few licenses shortly…

In the past week, I have begun receiving many email notifications of the Mytob-CP virus being picked up in email on my SBS2003 server (below is a sample of the email that Avast is sending me).

While I’m very glad Avast is deleting these emails for me, I’m curious about how this virus is working… A couple of days ago, I began getting these messages maybe 10-20 minutes apart. Finally, I blocked the reported IP address on the server, and the virus notifications stopped. This morning, again I am receiving these emails about 20 mins apart and now from a different IP address.

After doing some research on this virus, and checking my systems, it would appear that my systems are not infected, but I’m not convinced this is true, probably through my lack of experience in this field.

I will block this new IP address as well, but I am wondering: is it too coincidental that I get this twice in one week when I’ve never had this happen before? Could my server be infected with the virus even though scans report negative?

Appreciate anyone’s thoughts on this…

Kind Regards
Antony

Sample email received from Avast running on SBS 2003 server (I have replaced the domain names below with a dummy domain name, but the emails are always reporting my domain name but invalid users):

avast! Antivirus: Infected Mail Detected
avast! determined that your mail-server hit an infected message. Message details are bellow. Please note that mail-borne viruses can be very dangerous.

The message was automatically processed by avast! according to its configurable rules. You may want to check the server-side logs to verify that no error occurred.


Message details

From: “info@mydomain.net.au” (info@mydomain.net.au)
To: “peter@mydomain.net.au” (peter@mydomain.net.au)
Cc:
Bcc:
Resent-From:
Resent-To:

Subject: Notice of account limitation
Sent: 10/06/2005 9:13:31 AM
Message Type: Inbound

Mail Server: ourcom-server.OURCOM.NET.AU.LOCAL
Received From: 207.234.226.49

Infected Items: information.zip (Win32:Mytob-CP [Wrm]) [Deleted]

avast! Action: Discarded
Virus Database: 6/9/2005

If the avast! Action is discarded, the message was destroyed and will never be delivered. If it is moved to ‘badmail’, it was placed to the badmail directory on the server.


This message was automatically generated by avast! for SMTP2000.avast! - copyright © 1988-2005 ALWIL Software.

Hi ag,

W32/Mytob-CP is a mass-mailing worm and IRC backdoor Trojan for the Windows platform. The Trojan part allows remote unauthorized control of the affected machine via the network. W32/Mytob-CP includes functionality to modify the HOSTS file. If you’re infected: disable System Restore in Windows XP, remove the entries from the hosts file with Notepad. Update your virus definitions. Run a full system scan and delete all files detected. Back up the registry, and delete all affected registry values. The technical details you wanted can be found through this link: http://www.symantec.com/avcenter/venc/data/w32.mytob.cp@mm.html#technicaldetails

Use an external mail scanner and delete all mail apparently not meant for you, also mail from known sources that you do not expect to arrive. Mailwasher is a reliable product to do this. Check your hosts file; you can easily manage it with a program called Hostess. Use FileAlyzer and make a note of your hosts file’s checksums, just to see at a glance that it has not been tampered with. Hopefully this information will help you. At the moment there is an awful lot of various Mytob around (more than 100 varieties). These virus mails all try, by means of social engineering, to lure the innocent into opening the mail’s attachments. Even when it spells the end of the world for you personally, do not feel tempted to do this.

greets,

polonus

Hi all,

MyTob, which is a direct offspring of MyDoom (with added functionality), will become more prevalent in the near future than MyDoom; some modules are clones of IM-Worm.Win32.Kelvir, to be inserted separately on machines. The life-span of MyTob is also changing, to be active for a longer time than the first Russian versions of MyDoom, NetSky, Zafi etc.

greets,

polonus

Thank you for your post Polonus. I guess that’s the thing though, no virus scanners are reporting any viruses on my machines/network, so is it safe for me to assume that this virus has infected someone else’s PC, which is generating emails and sending them to my email server?

Regards
Antony
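The question above (is my server infected, or is a remote infected host spoofing my domain?) can be checked from the notifications themselves. This is an added example, not code from the thread or from avast!: it parses the Sent, Message Type, Received From and Infected Items fields of constructed notifications modelled on the one quoted earlier, groups them by sending IP and flags repeated inbound hits from a public address as an external infected host, while outbound or LAN-sourced hits point at a local problem. The day/month/year date order and every address other than 207.234.226.49 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# Constructed samples modelled on the notification quoted in the thread; the
# 207.234.226.49 address is the one reported there, the LAN address is invented.
SAMPLE_NOTIFICATIONS = [
    "Sent: 10/06/2005 9:13:31 AM\nMessage Type: Inbound\nReceived From: 207.234.226.49\n"
    "Infected Items: information.zip (Win32:Mytob-CP [Wrm]) [Deleted]",
    "Sent: 10/06/2005 9:31:07 AM\nMessage Type: Inbound\nReceived From: 207.234.226.49\n"
    "Infected Items: account-info.zip (Win32:Mytob-CP [Wrm]) [Deleted]",
    "Sent: 10/06/2005 9:52:44 AM\nMessage Type: Inbound\nReceived From: 207.234.226.49\n"
    "Infected Items: document.zip (Win32:Mytob-CP [Wrm]) [Deleted]",
    "Sent: 10/06/2005 11:02:10 AM\nMessage Type: Outbound\nReceived From: 192.168.1.25\n"
    "Infected Items: readme.zip (Win32:Mytob-CP [Wrm]) [Deleted]",
]
FIELD_RE = re.compile(r"^(Sent|Message Type|Received From|Infected Items):\s*(.+)$", re.M)
VIRUS_RE = re.compile(r"\(([^()]+)\)")  # detection name inside the parentheses


def parse_notification(text):
    # Extract only the fields needed for triage from one avast! notification body.
    fields = dict(FIELD_RE.findall(text))
    return {
        "sent": datetime.strptime(fields["Sent"], "%d/%m/%Y %I:%M:%S %p"),  # day/month/year assumed
        "direction": fields["Message Type"],
        "source": ip_address(fields["Received From"]),
        "virus": VIRUS_RE.search(fields["Infected Items"]).group(1),
    }


def triage(notifications, repeat_threshold=3):
    # Group hits by sending IP and decide whether the source looks remote or local.
    by_source = defaultdict(list)
    for text in notifications:
        hit = parse_notification(text)
        by_source[hit["source"]].append(hit)
    report = {}
    for source, hits in by_source.items():
        hits.sort(key=lambda h: h["sent"])
        gaps = [(b["sent"] - a["sent"]).total_seconds() / 60 for a, b in zip(hits, hits[1:])]
        # Inbound hits from a public address mean another infected machine is mailing you;
        # an outbound hit, or one from a LAN address, points at your own network instead.
        local = source.is_private or any(h["direction"] == "Outbound" for h in hits)
        report[str(source)] = {
            "count": len(hits),
            "mean_gap_minutes": round(sum(gaps) / len(gaps), 1) if gaps else None,
            "repeat_offender": len(hits) >= repeat_threshold,
            "verdict": "local: scan this host" if local else "external: block/report source",
        }
    return report
```

Run `triage(SAMPLE_NOTIFICATIONS)` to see the remote 207.234.226.49 source flagged as a repeat offender hitting roughly every 20 minutes, matching the pattern Antony describes, while the invented LAN source gets the local verdict.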