
Mytob: 5 Seconds to Infection?

October 28, 2006

In a livejournal post, a University of Michigan student describes her frustrating experience with a Mytob infection. There are literally hundreds of Mytob variants, but in general they are mass-mailing email worms that compromise system security by terminating processes belonging to various antivirus products. The Mytob family also typically disables the XP SP2 firewall and modifies the HOSTS file to block access to antivirus update servers and certain other websites.


Depending on the Mytob variant, in addition to the email vector the worm may also automatically infect susceptible (unpatched) systems via the Internet by exploiting the LSASS vulnerability (MS04-011) or a buffer overrun vulnerability in the RPC interface (MS03-026). Some Mytob variants even include an IRCbot that allows remote attackers to gain full access to compromised systems.

In the UM student's case, she was (understandably) denied access to the university's network until she had cleaned her system. To clean it, the support desk had her run McAfee's Stinger tool as well as their VirusScan product. After she had cleaned the system and sent the report log to the support team, they reinstated her network access, which prompted the following response from her:

I'm back on... hooray! Still, one more question. I had to run home today for a wedding, and won't be back in Ann Arbor until Sunday. The e-mail that told me that I had been reconnected also told me I had to update my Windows Updates "within 5 seconds" because my computer is still "vulnerable to attack." If I have no Internet Windows open, will the computer be okay for two days? (I left it on...)

The short answer is "it depends; probably not". If she has an 'always-on' Internet connection, which she would have while connected to the university's network, the machine is reachable from the Internet whether she has any "Internet windows open" or not. Further, since Mytob disables the Windows firewall, and most cleaning tools remove the infection without restoring the security settings, her firewall is most likely not running. That means she was probably reinfected within moments: if not with Mytob, then with one of the other (numerous) worms that spread via the Internet.
ALWAYS install a firewall before connecting to the Internet. The easiest way to do this is to physically unplug the connection cable and not plug it back in until the firewall is in place. The free ZoneAlarm firewall is an excellent option, or you can enable the Windows XP SP2 firewall if you are using that operating system and service pack. (Use one or the other, not both, as two firewalls cannot run on the same PC simultaneously.) After the system is properly firewalled, shut down the computer, plug the Internet cable back in, and restart the system. Then visit the Windows Update site immediately and download any updates marked 'Critical'.

Of course, she'll also need to fix any changes made to her HOSTS file, or she may not be able to access the Windows Update site nor get necessary updates to her antivirus software.
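As an added illustration (not code from the original post), here is a small Python check for the kind of HOSTS tampering described above: it parses a constructed HOSTS sample and flags any entry that pins an update or antivirus vendor domain, distinguishing blackholing to loopback or 0.0.0.0 from redirection to some other address. The vendor domain list is an assumption made for the example.

```python
import ipaddress

# Constructed sample HOSTS content for this example (not taken from the page):
# the stock localhost line plus the kind of entries update-blocking worms add.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com   # blackholed
0.0.0.0         download.mcafee.com
192.0.2.10      liveupdate.symantec.com       # redirected elsewhere
10.0.0.5        myprinter.lan                 # legitimate local entry
"""

# Domains that should never be pinned in HOSTS on a managed PC. Assumed list
# for the example; extend it with the vendors actually in use.
PROTECTED_SUFFIXES = (
    "windowsupdate.com", "windowsupdate.microsoft.com", "update.microsoft.com",
    "mcafee.com", "symantec.com", "sophos.com", "trendmicro.com",
)


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping blank lines and '#' comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def is_protected(hostname):
    """True if the hostname is, or lies under, one of the protected domains."""
    return any(hostname == s or hostname.endswith("." + s) for s in PROTECTED_SUFFIXES)


def classify(ip):
    """'blackhole' for loopback/unspecified targets, 'redirect' for any other
    address, 'malformed' if the field is not an IP address at all."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    return "blackhole" if addr.is_loopback or addr.is_unspecified else "redirect"


def find_hijacked(text):
    """Return [(ip, hostname, kind)] for every protected domain found in HOSTS."""
    return [(ip, name, classify(ip))
            for ip, name in parse_hosts(text) if is_protected(name)]
```

On a real machine the same function can be run over the contents of %SystemRoot%\System32\drivers\etc\hosts; any hit for a protected domain should be removed before attempting Windows Update or antivirus updates.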