W32.Mytob.EP@mm is a mass-mailing worm that opens a back door and lowers security settings on the compromised computer.
When W32.Mytob.EP@mm is executed, it performs the following actions:
1. Copies itself as the following:
%System%\winligon.exe
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
2. Adds the value:
"WINDOWS SYSTEM" = "winligon.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
so that it runs every time Windows starts.
Note: The worm continually recreates these registry keys if they are deleted.
3. Modifies the value:
"Start" = "4"
in the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SharedAccess
which disables the Shared Access service in Windows 2000/XP.
Note: The worm continually recreates these registry keys if they are deleted.
4. Creates the following mutex so that only one instance of the worm is run on the compromised computer:
H-E-L-L-B-O-T-P-O-L-Y-M-O-R-P-H
5. Gathers email addresses from the Windows Address Book and from the following locations:
* %Windir%\Temporary Internet Files
* %UserProfile%\Local Settings\Temporary Internet Files
* %System%
Note:
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] (Windows NT/2000/XP).
6. Gathers email addresses from files with the following extensions on all local drives from C to Y:
* .txt
* .htm
* .sht
* .jsp
* .cgi
* .xml
* .php
* .asp
* .dbx
* .tbb
* .adb
* .html
* .wab
7. The worm then uses its own SMTP engine to send itself to the email addresses that it finds.
The email has the following characteristics:
From:
One of the following:
* admin
* administrator
* info
* mail
* register
* service
* support
* webmaster
Subject:
One of the following:
* Your password has been updated
* Your password has been successfully updated
* You have successfully updated your password
* Your new account password is approved
* Your Account is Suspended
* *DETECTED* Online User Violation
* Your Account is Suspended For Security Reasons
* Warning Message: Your services near to be closed
* Important Notification
* Members Support
* Security measures
* Email Account Suspension
* Notice of account limitation
* [RANDOM CHARACTER]
Message:
One of the following:
* Dear user [USER NAME],
You have successfully updated the password of your [DOMAIN] account.
If you did not authorize this change or if you need assistance with your
account, please contact [DOMAIN] customer service at: [FULL DOMAIN]
Thank you for using [DOMAIN]!
The [DOMAIN] Support Team
* Dear user [USER NAME],
It has come to our attention that your [DOMAIN] User Profile ( x )
records are out of date. For further details see the attached document.
Thank you for using [DOMAIN]!
The [DOMAIN] Support Team
+++ Attachment: No Virus (Clean)
+++ [DOMAIN] Antivirus - www.[FULL DOMAIN]
* Dear [DOMAIN] Member,
We have temporarily suspended your email account [USER NAME].
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of
subscription due to an internal error within our processors.
See the details to reactivate your [DOMAIN] account.
Sincerely,The [DOMAIN] Support Team
+++ Attachment: No Virus (Clean)
+++ [DOMAIN] Antivirus - www.[FULL DOMAIN]
* Dear [DOMAIN] Member,
Your e-mail account was used to send a huge amount of unsolicited spam
messages during the recent week. If you could please take 5-10 minutes
out of your online experience and confirm the attached document so you
will not run into any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to cancel
your membership.
Virtually yours,
The [DOMAIN] Support Team
+++ Attachment: No Virus found
+++ [DOMAIN] Antivirus - www.[FULL DOMAIN]
Note: [USER NAME], [DOMAIN NAME], and [DOMAIN] are variables for strings taken from the target email address. [USER NAME] is the name section of the email address.
[DOMAIN NAME] is the domain name part of the target email address. [DOMAIN] is the domain name, plus the top-level domain.
Attachment:
One of the following:
* accepted-password
* account-details
* account-info
* account-password
* account-report
* approved-password
* document
* email-details
* email-password
* important-details
* new-password
* password
* readme
* updated-password
* [RANDOM NAME]
with one of the following as an extension:
* .pif
* .scr
* .exe
* .bat
* .cmd
The worm may also send a zipped copy of itself. The zipped file will have .doc, .htm or .txt as the first extension name and .exe, .pif, or .scr as the second extension name.
The worm may append the following prefixes to domain names in an attempt to find Simple Mail Transfer Protocol (SMTP) servers:
* gate.
* mail.
* mail1.
* mx.
* mx1.
* mxs.
* ns.
* relay.
* smtp.
The worm will not send itself to email addresses that contain any of the following strings:
* abuse
* accoun
* admin
* anyone
* bsd
* bugs
* certific
* contact
* fcnz
* feste
* gold-certs
* google
* help
* icrosoft
* info
* linux
* listserv
* nobody
* noone
* not
* nothing
* ntivi
* page
* postmaster
* privacy
* rating
* root
* samples
* secur
* service
* site
* soft
* somebody
* someone
* spm
* submit
* support
* the.bat
* unix
* webmaster
* www
* you
* your
The worm will not send itself to email addresses that contain any of the following domain names:
* .edu
* .gov
* .mil
* acketst
* arin.
* avp
* be_loyal:
* berkeley
* borlan
* bsd
* example
* fido
* foo.
* fsf.
* gnu
* google
* gov.
* hotmail
* iana
* ibm.com
* icrosof
* ietf
* inpris
* isc.o
* isi.e
* kernel
* linux
* math
* mit.e
* mozilla
* msn.
* mydomai
* nodomai
* panda
* pgp
* rfc-ed
* ripe.
* ruslis
* secur
* sendmail
* sopho
* syma
* tanford.e
* unix
* usenet
* utgers.ed
8. Next, the worm connects to an IRC channel on TCP port 5232 on the staff.chiri.org domain and listens for commands that allow the remote attacker to perform the following actions:
* Execute files
* Download files
* Perform other IRC commands determined by the attacker
* Reboot the compromised computer
9. The worm blocks access to several security-related Web sites by appending the following text to the hosts file:
127.0.0.1
www.symantec.com 127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1
www.sophos.com 127.0.0.1 sophos.com
127.0.0.1
www.mcafee.com 127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1
www.viruslist.com 127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1
www.f-secure.com 127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1
www.avp.com 127.0.0.1
www.kaspersky.com 127.0.0.1 avp.com
127.0.0.1
www.networkassociates.com 127.0.0.1 networkassociates.com
127.0.0.1
www.ca.com 127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1
www.my-etrust.com 127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1
www.nai.com 127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1
www.pandasoftware.com 127.0.0.1
www.trendmicro.com 127.0.0.1
www.grisoft.com 127.0.0.1
www.microsoft.com 127.0.0.1 microsoft.com
127.0.0.1
www.virustotal.com 127.0.0.1 virustotal.com
127.0.0.1
www.amazon.com 127.0.0.1
www.amazon.co.uk 127.0.0.1
www.amazon.ca 127.0.0.1
www.amazon.fr 127.0.0.1
www.paypal.com 127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1
www.moneybookers.com 127.0.0.1
www.ebay.com 127.0.0.1 ebay.com
10. The worm also attempts to end the following processes, some of which may be security-related:
* ACKWIN32.EXE
* ADAWARE.EXE
* ADVXDWIN.EXE
* AGENTSVR.EXE
* AGENTW.EXE
* ALERTSVC.EXE
* ALEVIR.EXE
* ALOGSERV.EXE
* AMON9X.EXE
* ANTI-TROJAN.EXE
* ANTIVIRUS.EXE
* ANTS.EXE
* APIMONITOR.EXE
* APLICA32.EXE
* APVXDWIN.EXE
* ARR.EXE
* ATCON.EXE
* ATGUARD.EXE
* ATRO55EN.EXE
* ATUPDATER.EXE
* ATUPDATER.EXE
* ATWATCH.EXE
* AU.EXE
* AUPDATE.EXE
* AUPDATE.EXE
* AUTODOWN.EXE
* AUTODOWN.EXE
* AUTOTRACE.EXE
* AUTOTRACE.EXE
* AUTOUPDATE.EXE
* AUTOUPDATE.EXE
* AVCONSOL.EXE
* AVE32.EXE
* AVGCC32.EXE
* AVGCTRL.EXE
* AVGNT.EXE
* AVGSERV.EXE
* AVGSERV9.EXE
* AVGUARD.EXE
* AVGW.EXE
* AVKPOP.EXE
* AVKSERV.EXE
* AVKSERVICE.EXE
* AVKWCTl9.EXE
* AVLTMAIN.EXE
* AVNT.EXE
* AVP.EXE
* AVP32.EXE
* AVPCC.EXE
* AVPDOS32.EXE
* AVPM.EXE
* AVPTC32.EXE
* AVPUPD.EXE
* AVPUPD.EXE
* AVSCHED32.EXE
* AVSYNMGR.EXE
* AVWINNT.EXE
* AVWUPD.EXE
* AVWUPD32.EXE
* AVWUPD32.EXE
* AVWUPSRV.EXE
* AVXMONITOR9X.EXE
* AVXMONITORNT.EXE
* AVXQUAR.EXE
* AVXQUAR.EXE
* BACKWEB.EXE
* BARGAINS.EXE
* BD_PROFESSIONAL.EXE
* BEAGLE.EXE
* BELT.EXE
* BIDEF.EXE
* BIDSERVER.EXE
* BIPCP.EXE
* BIPCPEVALSETUP.EXE
* BISP.EXE
* BLACKD.EXE
* BLACKICE.EXE
* BLSS.EXE
* BOOTCONF.EXE
* BOOTWARN.EXE
* BORG2.EXE
* BPC.EXE
* BRASIL.EXE
* BS120.EXE
* BUNDLE.EXE
* BVT.EXE
* CCAPP.EXE
* CCEVTMGR.EXE
* CCPXYSVC.EXE
* CDP.EXE
* CFD.EXE
* CFGWIZ.EXE
* CFIADMIN.EXE
* CFIAUDIT.EXE
* CFIAUDIT.EXE
* CFINET.EXE
* CFINET32.EXE
* CLEAN.EXE
* CLEANER.EXE
* CLEANER3.EXE
* CLEANPC.EXE
* CLICK.EXE
* CMD32.EXE
* CMESYS.EXE
* CMGRDIAN.EXE
* CMON016.EXE
* CONNECTIONMONITOR.EXE
* CPD.EXE
* CPF9X206.EXE
* CPFNT206.EXE
* CTRL.EXE
* CV.EXE
* CWNB181.EXE
* CWNTDWMO.EXE
* CLAW95CF.EXE
* DATEMANAGER.EXE
* DCOMX.EXE
* DEFALERT.EXE
* DEFSCANGUI.EXE
* DEFWATCH.EXE
* DEPUTY.EXE
* DIVX.EXE
* DLLCACHE.EXE
* DLLREG.EXE
* DOORS.EXE
* DPF.EXE
* DPFSETUP.EXE
* DPPS2.EXE
* DRWATSON.EXE
* DRWEB32.EXE
* DRWEBUPW.EXE
* DSSAGENT.EXE
* DVP95.EXE
* DVP95_0.EXE
* ECENGINE.EXE
* EFPEADM.EXE
* EMSW.EXE
* ENT.EXE
* ESAFE.EXE
* ESCANHNT.EXE
* ESCANV95.EXE
* ESPWATCH.EXE
* ETHEREAL.EXE
* ETRUSTCIPE.EXE
* EVPN.EXE
* EXANTIVIRUS-CNET.EXE
* EXE.AVXW.EXE
* EXPERT.EXE
* EXPLORE.EXE
* F-PROT.EXE
* F-PROT95.EXE
* F-STOPW.EXE
* FAMEH32.EXE
* FAST.EXE
* FCH32.EXE
* FIH32.EXE
* FINDVIRU.EXE
* FIREWALL.EXE
* FNRB32.EXE
* FP-WIN.EXE
* FP-WIN_TRIAL.EXE
* FPROT.EXE
* FRW.EXE
* FSAA.EXE
* FSAV.EXE
* FSAV32.EXE
* FSAV530STBYB.EXE
* FSAV530WTBYB.EXE
* FSAV95.EXE
* FSGK32.EXE
* FSM32.EXE
* FSMA32.EXE
* FSMB32.EXE
* GATOR.EXE
* GBMENU.EXE
* GBPOLL.EXE
* GENERICS.EXE
* GMT.EXE
* GUARD.EXE
* GUARDDOG.EXE
* HACKTRACERSETUP.EXE
* HBINST.EXE
* HBSRV.EXE
* HOTACTIO.EXE
* HOTPATCH.EXE
* HTLOG.EXE
* HTPATCH.EXE
* HWPE.EXE
* HXDL.EXE
* HXIUL.EXE
* IAMAPP.EXE
* IAMSERV.EXE
* IAMSTATS.EXE
* IBMASN.EXE
* IBMAVSP.EXE
* ICLOADNT.EXE
* ICMON.EXE
* ICSUPP95.EXE
* ICSUPPNT.EXE
* IDLE.EXE
* IEDLL.EXE
* IEDRIVER.EXE
* IEXPLORER.EXE
* IFACE.EXE
* IFW2000.EXE
* INETLNFO.EXE
* INFUS.EXE
* INFWIN.EXE
* INIT.EXE
* INTDEL.EXE
* INTREN.EXE
* IOMON98.EXE
* ISTSVC.EXE
* JAMMER.EXE
* JDBGMRG.EXE
* JEDI.EXE
* KAVLITE40ENG.EXE
* KAVPERS40ENG.EXE
* KAVPF.EXE
* KAZZA.EXE
* KEENVALUE.EXE
* KERIO-PF-213-EN-WIN.EXE
* KERIO-WRL-421-EN-WIN.EXE
* KERIO-WRP-421-EN-WIN.EXE
* KERNEL32.EXE
* KILLPROCESSSETUP161.EXE
* LAUNCHER.EXE
* LDNETMON.EXE
* LDPRO.EXE
* LDPROMENU.EXE
* LDSCAN.EXE
* LNETINFO.EXE
* LOADER.EXE
* LOCALNET.EXE
* LOCKDOWN.EXE
* LOCKDOWN2000.EXE
* LOOKOUT.EXE
* LORDPE.EXE
* LSETUP.EXE
* LUALL.EXE
* LUALL.EXE
* LUAU.EXE
* LUCOMSERVER.EXE
* LUINIT.EXE
* LUSPT.EXE
* MAPISVC32.EXE
* MCAGENT.EXE
* MCMNHDLR.EXE
* MCSHIELD.EXE
* MCTOOL.EXE
* MCUPDATE.EXE
* MCUPDATE.EXE
* MCVSRTE.EXE
* MCVSSHLD.EXE
* MD.EXE
* MFIN32.EXE
* MFW2EN.EXE
* MFWENG3.02D30.EXE
* MGAVRTCL.EXE
* MGAVRTE.EXE
* MGHTML.EXE
* MGUI.EXE
* MINILOG.EXE
* MMOD.EXE
* MONITOR.EXE
* MOOLIVE.EXE
* MOSTAT.EXE
* MPFAGENT.EXE
* MPFSERVICE.EXE
* MPFTRAY.EXE
* MRFLUX.EXE
* MSAPP.EXE
* MSBB.EXE
* MSBLAST.EXE
* MSCACHE.EXE
* MSCCN32.EXE
* MSCMAN.EXE
* MSCONFIG.EXE
* MSDM.EXE
* MSDOS.EXE
* MSIEXEC16.EXE
* MSINFO32.EXE
* MSLAUGH.EXE
* MSMGT.EXE
* MSMSGRI32.EXE
* MSSMMC32.EXE
* MSSYS.EXE
* MSVXD.EXE
* MU0311AD.EXE
* MWATCH.EXE
* N32SCANW.EXE
* NAV.EXE
* AUTO-PROTECT.NAV80TRY.EXE
* NAVAP.NAVAPSVC.EXE
* NAVAPSVC.EXE
* NAVAPW32.EXE
* NAVDX.EXE
* NAVLU32.EXE
* NAVNT.EXE
* NAVSTUB.EXE
* NAVW32.EXE
* NAVWNT.EXE
* NC2000.EXE
* NCINST4.EXE
* NDD32.EXE
* NEOMONITOR.EXE
* NEOWATCHLOG.EXE
* NETARMOR.EXE
* NETD32.EXE
* NETINFO.EXE
* NETMON.EXE
* NETSCANPRO.EXE
* NETSPYHUNTER-1.2.EXE
* NETSTAT.EXE
* NETUTILS.EXE
* NISSERV.EXE
* NISUM.EXE
* NMAIN.EXE
* NOD32.EXE
* NORMIST.EXE
* NORTON_INTERNET_SECU_3.0_407.EXE
* NOTSTART.EXE
* NPF40_TW_98_NT_ME_2K.EXE
* NPFMESSENGER.EXE
* NPROTECT.EXE
* NPSCHECK.EXE
* NPSSVC.EXE
* NSCHED32.EXE
* NSSYS32.EXE
* NSTASK32.EXE
* NSUPDATE.EXE
* NT.EXE
* NTRTSCAN.EXE
* NTVDM.EXE
* NTXconfig.EXE
* NUI.EXE
* NUPGRADE.EXE
* NUPGRADE.EXE
* NVARCH16.EXE
* NVC95.EXE
* NVSVC32.EXE
* NWINST4.EXE
* NWSERVICE.EXE
* NWTOOL16.EXE
* OLLYDBG.EXE
* ONSRVR.EXE
* OPTIMIZE.EXE
* OSTRONET.EXE
* OTFIX.EXE
* OUTPOST.EXE
* OUTPOST.EXE
* OUTPOSTINSTALL.EXE
* OUTPOSTPROINSTALL.EXE
* PADMIN.EXE
* PANIXK.EXE
* PATCH.EXE
* PAVCL.EXE
* PAVPROXY.EXE
* PAVSCHED.EXE
* PAVW.EXE
* PCFWALLICON.EXE
* PCIP10117_0.EXE
* PCSCAN.EXE
* PDSETUP.EXE
* PERISCOPE.EXE
* PERSFW.EXE
* PERSWF.EXE
* PF2.EXE
* PFWADMIN.EXE
* PGMONITR.EXE
* PINGSCAN.EXE
* PLATIN.EXE
* POP3TRAP.EXE
* POPROXY.EXE
* POPSCAN.EXE
* PORTDETECTIVE.EXE
* PORTMONITOR.EXE
* POWERSCAN.EXE
* PPINUPDT.EXE
* PPTBC.EXE
* PPVSTOP.EXE
* PRIZESURFER.EXE
* PRMT.EXE
* PRMVR.EXE
* PROCDUMP.EXE
* PROCESSMONITOR.EXE
* PROCEXPLORERV1.0.EXE
* PROGRAMAUDITOR.EXE
* PROPORT.EXE
* PROTECTX.EXE
* PSPF.EXE
* PURGE.EXE
* QCONSOLE.EXE
* QSERVER.EXE
* RAPAPP.EXE
* RAV7.EXE
* RAV7WIN.EXE
* RAV8WIN32ENG.EXE
* RAY.EXE
* RB32.EXE
* RCSYNC.EXE
* REALMON.EXE
* REGED.EXE
* REGEDIT.EXE
* REGEDT32.EXE
* RESCUE.EXE
* RESCUE32.EXE
* RRGUARD.EXE
* RSHELL.EXE
* RTVSCAN.EXE
* RTVSCN95.EXE
* RULAUNCH.EXE
* RUN32DLL.EXE
* RUNDLL.EXE
* RUNDLL16.EXE
* RUXDLL32.EXE
* SAFEWEB.EXE
* SAHAGENT.EXE
* SAVE.EXE
* SAVENOW.EXE
* SBSERV.EXE
* SC.EXE
* SCAM32.EXE
* SCAN32.EXE
* SCAN95.EXE
* SCANPM.EXE
* SCRSCAN.EXE
* SETUPVAMEEVAL.EXE
* SETUP_FLOWPROTECTOR_US.EXE
* SFC.EXE
* SGSSFW32.EXE
* SH.EXE
* SHELLSPYINSTALL.EXE
* SHN.EXE
* SHOWBEHIND.EXE
* SMC.EXE
* SMS.EXE
* SMSS32.EXE
* SOAP.EXE
* SOFI.EXE
* SPERM.EXE
* SPF.EXE
* SPHINX.EXE
* SPOLER.EXE
* SPOOLCV.EXE
* SPOOLSV32.EXE
* SPYXX.EXE
* SREXE.EXE
* SRNG.EXE
* SS3EDIT.EXE
* SSGRATE.EXE
* SSG_4104.EXE
* ST2.EXE
* START.EXE
* STCLOADER.EXE
* SUPFTRL.EXE
* SUPPORT.EXE
* SUPPORTER5.EXE
* SVC.EXE
* SVCHOSTC.EXE
* SVCHOSTS.EXE
* SVSHOST.EXE
* SWEEP95.EXE
* SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE
* SYMPROXYSVC.EXE
* SYMTRAY.EXE
* SYSEDIT.EXE
* SYSTEM.EXE
* SYSTEM32.EXE
* SYSUPD.EXE
* TASKMG.EXE
* TASKMO.EXE
* TASKMON.EXE
* TAUMON.EXE
* TBSCAN.EXE
* TC.EXE
* TCA.EXE
* TCM.EXE
* TDS-3.EXE
* TDS2-NT.EXE
* TEEKIDS.EXE
* TFAK.EXE
* TFAK5.EXE
* TGBOB.EXE
* TITANIN.EXE
* TITANINXP.EXE
* TRACERT.EXE
* TRICKLER.EXE
* TRJSCAN.EXE
* TRJSETUP.EXE
* TROJANTRAP3.EXE
* TSADBOT.EXE
* TVMD.EXE
* TVTMD.EXE
* UNDOBOOT.EXE
* UPDAT.EXE
* UPDATE.EXE
* UPDATE.EXE
* UPGRAD.EXE
* UTPOST.EXE
* VBCMSERV.EXE
* VBCONS.EXE
* VBUST.EXE
* VBWIN9X.EXE
* VBWINNTW.EXE
* VCSETUP.EXE
* VET32.EXE
* VET95.EXE
* VETTRAY.EXE
* VFSETUP.EXE
* VIR-HELP.EXE
* VIRUSMDPERSONALFIREWALL.EXE
* VNLAN300.EXE
* VNPC3000.EXE
* VPC32.EXE
* VPC42.EXE
* VPFW30S.EXE
* VPTRAY.EXE
* VSCAN40.EXE
* VSCENU6.02D30.EXE
* VSCHED.EXE
* VSECOMR.EXE
* VSHWIN32.EXE
* VSISETUP.EXE
* VSMAIN.EXE
* VSMON.EXE
* VSSTAT.EXE
* VSWIN9XE.EXE
* VSWINNTSE.EXE
* VSWINPERSE.EXE
* W32DSM89.EXE
* W9X.EXE
* WATCHDOG.EXE
* WEBDAV.EXE
* WEBSCANX.EXE
* WEBTRAP.EXE
* WFINDV32.EXE
* WHOSWATCHINGME.EXE
* WIMMUN32.EXE
* WIN-BUGSFIX.EXE
* WIN32.EXE
* WIN32US.EXE
* WINACTIVE.EXE
* WINDOW.EXE
* WINDOWS.EXE
* WININETD.EXE
* WININIT.EXE
* WININITX.EXE
* WINLOGIN.EXE
* WINMAIN.EXE
* WINNET.EXE
* WINPPR32.EXE
* WINRECON.EXE
* WINSERVN.EXE
* WINSSK32.EXE
* WINSTART.EXE
* WINSTART001.EXE
* WINTSK32.EXE
* WINUPDATE.EXE
* WKUFIND.EXE
* WNAD.EXE
* WNT.EXE
* WRADMIN.EXE
* WRCTRL.EXE
* WSBGATE.EXE
* WUPDATER.EXE
* WUPDT.EXE
* WYVERNWORKSFIREWALL.EXE
* XPF202EN.EXE
* ZAPRO.EXE
* ZAPSETUP3001.EXE
* ZATUTOR.EXE
* ZONALM2601.EXE
* ZONEALARM.EXE
* _AVP32.EXE
* _AVPCC.EXE
* _AVPM.EXE
* CMD.EXE
* TASKMGR.EXE
* NEC.EXE
REMOVAL INSTRUCTIONSSee:
http://securityresponse.symantec.com/avcenter/venc/data/w32.mytob.ep@mm.htmlTo delete the value from the registry 1. Click Start > Run.
2. Type regedit
3. Click OK.
Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
4. Navigate to the subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
5. In the right pane, delete the value:
"WINDOWS SYSTEM" = "winligon.exe"
6. Exit the Registry Editor.
6. To reenable the SharedAccess service (Windows 2000/XP only)
The SharedAccess service is responsible for maintaining Internet Connection Sharing and the Windows Firewall/Internet Connection Firewall applications in Windows. (The presence and names of these applications vary depending on the operating system and service pack you are using.) To protect your computer and maintain network functionality, re-enable this service if you are using any of these programs.
Windows XP Service Pack 2
If you are running Windows XP with Service Pack 2 and are using the Windows Firewall, the operating system will alert you when the SharedAccess service is stopped, by displaying an alert balloon saying that your Firewall status is unknown. Perform the following steps to ensure that the Windows Firewall is re-enabled:
1. Click Start > Control Panel.
2. Double-click the Security Center.
3. Ensure that the Firewall security essential is marked ON.
Note: If the Firewall security essential is marked on, your Windows Firewall is on and you do not need to continue with these steps.
If the Firewall security essential is not marked on, click the "Recommendations" button.
4. Under "Recommendations," click Enable Now. A window appears telling you that the Windows Firewall was successfully turned on.
5. Click Close, and then click OK.
6. Close the Security Center.
Windows 2000 or Windows XP Service Pack 1 or earlier
Complete the following steps to re-enable the SharedAccess service:
1. Click Start > Run.
2. Type services.msc
Then click OK.
3. Do one of the following:
* Windows 2000: Under the Name column, locate the "Internet Connection Sharing (ICS)" service and double-click it.
* Windows XP: Under the Named column, locate the "Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)" service and double-click it.
4. Under "Startup Type:", select "Automatic" from the drop-down menu.
5. Under "Service Status:", click the Start button.
6. Once the service has completed starting, click OK.
7. Close the Services window.
AlphaOne Technology Support Forums
Author
Logged
