Alias/es

Visible Symptoms

• Possible firewall alert that an executable attempting to connect to the Internet and function as a server
  
  
• Possible termination of the firewall or other security application, including Antivirus monitors
  
  
• Compromised systems may be slow to respond due to heavy outbound traffic on TCP port 445 with other machines
  
  

• Creation of files onto the local system in root of the active drive and also commonly into the System32 folder. The names of the files dropped may have .SCR or .PIF file extensions

   

Detailed Analysis

This variant of the MyTob family varies slightly among its family. All MyTob viruses follow a similar scheme:

• copy itself to the local system
  
  
• search for email addresses in files
  
  
• send itself by SMTP [self contained engine]
  
  
• connect with an IRC server to receive instructions or await commands from a malicious user
  
  
• prevent the infected system from connecting to update servers and various other security related web pages - this is done by hacking the local "hosts" file and adding entries redirecting the call to specific web sites by domain name to the local host

The variants will differ slightly with regard to packed file size and actual file names created on the host however the functionality of the viruses remain the same.

Recommended Action

FortiGate systems:


• check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option