MS04-011: Dozen new Mytob variants emerge over the weekend
About a dozen new variants of Mytob emerged over the past weekend. The virus spreads by email and by exploiting unpatched Windows systems (MS03-026 and MS04-011). This family of viruses is apparently easy to clone, and it may become the next Spybot or Agobot in terms of active development of new variants.
http://www.trendmicro.com/vinfo/
http://www.symantec.com/avcenter/vinfodb.html
Six of the Latest Variants
This worm also takes advantage of the following Windows vulnerabilities to propagate:
- RPC/DCOM vulnerability
- LSASS vulnerability
For more information about these vulnerabilities, please refer to the following Microsoft Web pages:
Modifies files: Modifies the Hosts file.
Compromises security settings: Blocks access to several security-related web sites.
Name of attachment: Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip file extension.
Ports: 10087
FORMAT OF EMAIL MESSAGE
Subject: (One of the following)
Good day
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
Message: (One of the following)
* Here are your banks documents.
* The original message was included as an attachment.
* The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
* The message contains Unicode characters and has been sent as a binary attachment.
* Mail transaction failed. Partial message is available.
Attachment: (One of the following)
document
readme
doc
text
file
data
test
message
body
Extensions: pif, scr, exe, bat, cmd, zip
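
The email format listed above can be turned into a simple mail-filter check. The following Python sketch is an added example, not code from the original advisory or from any vendor; the function names, the example.com addresses and the rule "attachment match plus one other match" are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the advisory text (lower-cased for comparison).
SUBJECTS = {"good day", "hello", "mail delivery system",
            "mail transaction failed", "server report", "status", "error"}
BODIES = (
    "here are your banks documents.",
    "the original message was included as an attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "mail transaction failed. partial message is available.",
)
NAMES = {"document", "readme", "doc", "text", "file", "data", "test", "message", "body"}
EXTS = {"pif", "scr", "exe", "bat", "cmd", "zip"}

def match_indicators(raw_bytes):
    """Return which advisory indicators ('subject', 'body', 'attachment') a raw message matches."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = set()
    if (msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.add("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text = " ".join(body.get_content().split()).lower()  # collapse whitespace
        if any(b in text for b in BODIES):
            hits.add("body")
    for part in msg.iter_attachments():
        stem, _, ext = (part.get_filename() or "").lower().rpartition(".")
        if stem in NAMES and ext in EXTS:
            hits.add("attachment")
    return hits

def is_suspect(raw_bytes):
    # Assumed rule: subjects such as "hello" or "Status" are common in normal
    # mail, so require a listed attachment name plus one more indicator.
    hits = match_indicators(raw_bytes)
    return "attachment" in hits and len(hits) >= 2

def build_sample(subject, text, filename=None):
    """Build a constructed test message (placeholder attachment bytes, not malware)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "user@example.com", subject
    m.set_content(text)
    if filename:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

The check covers only the email indicators; the Hosts file modification and port 10087 need separate host and network checks.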