W32/MyTob!dam - Released Apr 13, 2006 - Last Updated Sep 18, 2006
Aliases: W32/Mytob-dam, W32/Mytob.dam!zip, WORM_MYTOB.DAM
Detection Availability
Visible Symptoms
- Damaged versions of Mytob variants may arrive in an email as though they were the fully functional worm. However, the file is truncated and cannot run.
Detailed Analysis
- The detected file is no longer infectious; it is a damaged version of the 32-bit virus. Damaged files have major truncation of code and cannot run.
- Damaged Mytob samples may arrive in email sent from infected clients. However, it is important to note that the From field of the email is spoofed, so the apparent sender is not the infected host.
- The emails may have the following format:
Possible Subject Lines:
- Your password has been updated
- Your password has been successfully updated
- You have successfully updated your password
- Your new account password is approved
- Your Account is Suspended
- *DETECTED* Online User Violation
- Your Account is Suspended For Security Reasons
- Warning Message: Your services near to be closed.
- Important Notification
- Members Support
- Security measures
- Email Account Suspension
- Notice of account limitation
Possible Single-line Body Texts:
- Here are your banks documents.
- The original message was included as an attachment.
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- The message contains Unicode characters and has been sent as a binary attachment.
- Mail transaction failed. Partial message is available.
Possible Attachments: [Filename].[Extension]
[Filename] can be a random string of characters or any of the following:
- body
- data
- doc
- document
- file
- message
- readme
- test
- text
[Extension] can be any of the following:
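The lure format above (subject lines, single-line body texts, attachment filename stems) can be turned into a simple mail-triage check. The following is an added example, not Fortinet's code or part of this entry: it builds constructed sample messages with the standard library, then classifies each one using only the strings listed on this page. Because the page's extension list is absent, the check accepts any attachment extension, and because the page states that the From field is spoofed, the sender address is deliberately not used as evidence. The sender and recipient addresses in the samples are made up.

```python
"""Triage mail for the Mytob lure pattern (added example, not Fortinet's code).

Matching uses only what the page lists: the subject lines, the single-line
body texts and the attachment filename stems. Assumptions: any attachment
extension is accepted (the page's extension list is absent), and the From
header is ignored because the page says it is spoofed.
"""
import email
from email import policy
from email.message import EmailMessage

LURE_SUBJECTS = {
    "your password has been updated",
    "your password has been successfully updated",
    "you have successfully updated your password",
    "your new account password is approved",
    "your account is suspended",
    "*detected* online user violation",
    "your account is suspended for security reasons",
    "warning message: your services near to be closed.",
    "important notification",
    "members support",
    "security measures",
    "email account suspension",
    "notice of account limitation",
}

LURE_BODIES = {
    "here are your banks documents.",
    "the original message was included as an attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "mail transaction failed. partial message is available.",
}

LURE_STEMS = {"body", "data", "doc", "document", "file", "message", "readme", "test", "text"}


def _norm(text):
    """Lower-case and collapse whitespace so header and body compares are tolerant."""
    return " ".join((text or "").lower().split())


def triage(raw: bytes) -> dict:
    """Return the lure indicators found in one RFC 5322 message plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    indicators = []

    if _norm(msg.get("Subject")) in LURE_SUBJECTS:
        indicators.append("subject")

    body_part = msg.get_body(preferencelist=("plain",))
    if body_part is not None and _norm(body_part.get_content()) in LURE_BODIES:
        indicators.append("body")

    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    if names:
        # Any attachment counts: the page says the stem may be a random string.
        indicators.append("attachment")
        # Stem = filename without its last extension; extension is not checked.
        if any(n.rpartition(".")[0].lower() in LURE_STEMS for n in names):
            indicators.append("known_stem")

    lure_text = "subject" in indicators or "body" in indicators
    if lure_text and names:
        verdict = "mytob_lure"      # lure text plus a binary attachment
    elif lure_text or "known_stem" in indicators:
        verdict = "suspicious"      # one side of the pattern only
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": indicators, "attachments": names}


def build_sample(subject, body, attachment=None) -> bytes:
    """Constructed test mail (not a real capture); addresses are made up."""
    m = EmailMessage()
    m["From"] = "support@bank.example"   # would be spoofed in a real lure
    m["To"] = "user@example.net"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        # Placeholder payload bytes; a real sample would be a truncated PE file.
        m.add_attachment(b"MZ" + b"\x00" * 14, maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()


if __name__ == "__main__":
    for args in [
        ("Your Account is Suspended", "Mail transaction failed. Partial message is available.", "document.zip"),
        ("Important Notification", "Please review.", "qzxp7a.scr"),
        ("Lunch tomorrow?", "See attached agenda.", "agenda.pdf"),
    ]:
        print(triage(build_sample(*args)))
```

The verdict is deliberately coarse: an exact subject or body match together with any attachment is the pattern the page describes, while a match on text alone or on a known filename stem alone is reported as suspicious for a human or a second engine to look at.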
Recommended Action
FortiGate Systems
- Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.