The Computer Guys

Miami to Fort Lauderdale Since 1994 - Thank You!

 

 

We Build the Best & Repair the Rest! ©

 

Alerts September 2006


Top 10 malware reported to Sophos in September 2006

Position  Last month  Malware          Percentage of reports
1         1           W32/Netsky-P     18.4%
2         2           W32/Mytob-AS     14.1%
3         3           W32/Bagle-Zip    6.3%
4         4           W32/Nyxem-D      5.4%
5         5           W32/Netsky-D     5.3%
6         7           W32/Mytob-E      3.0%
7         6           W32/Mytob-C      2.9%
8         9           W32/Zafi-B       2.8%
8         8           W32/MyDoom-O     2.8%
10        Re-entry    W32/MyDoom-AJ    2.7%
Others                                 36.3%

 

 

 

Overview - W32/Stration@MM

 

-- Update September 1, 2007 --

Another variant that uses instant messaging to send links to infected files was recently discovered in the wild. Instead of using Skype Chat, this variant sends messages containing links to infected files over MSN Messenger, such as:

 

Here are new smiles for MSN, they are incredible!

http://{blocked}.vabaominheran.com/smiles/{blocked}/

 

Please refer to the Characteristics section for other details of this threat.

-- Update March 1, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2007/02/28/warezov_skype_im_worm/


-- Update March 1, 2007 --

Another variant has been seen in the wild which uses Skype Chat to send links to infected files.  More details on this specific variant can be found at the end of the Characteristics section of this description.


-- Update October 26, 2006 --

Another variant has been seen in the wild. Please view W32/Stration.dr VIL entry for more information on this latest variant.


-- Update September 25, 2006 --

W32/Stration@MM has been deemed Low-Profiled due to McAfee Avert Labs receiving several newly spammed variants of this virus. 

 


 

 

W32/Mytob-E is a mass-mailing worm and backdoor Trojan that targets users of Internet Relay Chat programs.

When first run, W32/Mytob-E copies itself to the Windows system folder as taskgmr.exe and creates the following registry entries:

HKCU\Software\Microsoft\OLE
WINTASK
taskgmr.exe

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
taskgmr.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WINTASK
taskgmr.exe

HKLM\SOFTWARE\Microsoft\Ole
WINTASK
taskgmr.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
WINTASK
taskgmr.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINTASK
taskgmr.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINTASK
taskgmr.exe

W32/Mytob-E copies itself to the root folder as:

funny_pic.scr
my_photo2005.scr
see_this!!.scr

and creates the helper file hellmsn.exe (detected by Sophos as W32/Mytob-D) in the same location.

 



W32/Mytob-E also appends entries to the HOSTS file that map security-related websites to 127.0.0.1, denying access to them.


 


 

 

Copyright © 1998 The Computer Guys
