Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Trouble cleaning network environment of Mytob variants:

Status
Not open for further replies.
strider2929

strider2929

Technical User
Oct 31, 2006
3
US
We have a small domain running two Servers and 10 workstations. The Servers are Windows 2003, a DC running AD and the other box running Exchange 2003. We are using Microsoft Antigen 9.0 to scan mail and Symatec 10.0.2.2000 Virus scanner on every box in the domain.

Antigen keeps finding about 25 emails a day that appear to be locally generated, appearing as from postmaster or admin@ourdomain.com sending to randomly generated first name @ourdomain.com. We have run full scans on every workstation and server with our Symatec AV and the Microtrend System Clean tool. We have followed the removal instructions and looked for any entries in the host file or the extra Reg keys that are supposed to be generated by the Mytob worm on every workstation and server. The only thing that we can find is the files that Antigen has quarantined on the exchange server.

The variants we are finding are:

W32.mytob.ea@mm
W32.mytob.kl.worm
W32.mytob.TO

We have even turned off all the workstations over the weekend to make sure it was not the desktops.

Any suggestions would be most appreciated !!
 
Sort by date Sort by votes
Sounds like mytob installed additional payload. Have you run a couple of spyware scanners?

 
Upvote 0 Downvote
Ahh, yes, sorry I did not state that. We have used Spybot and the "free" version of Adaware on every device in the domain as well.
 
Upvote 0 Downvote
The emails that Antigen keeps finding, can you tell where they originate from? Are they being handed to Exchange from a client, or are they being generated on the Exchange box itself?

Since the scanners aren't helping you're gonna have to find it the hard way. Once you determine which machine is the infected one, if it's a client fdisk, if a server you're going to need to manually audit what processes are running. Don't try to use Task Manager, if it can hide from the scanners it can hide from TM. I strongly recommend Proccess Explorer from it gives you a lot more info than TM anyway.

Good luck.
 
Upvote 0 Downvote


The mail appears to all be internally generated from the exchange server. I do not see a handoff from any of the clients.

I will try the Process Explorer and see if I can see any rouge processes an report back.

Thanks LawnBoy!
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

DrB0b
  • Locked
  • Question
Curious network activity over port 445
Replies
8
Views
334
DrB0b
DrB0b
riobogmedacaliaires
  • Locked
  • Question
how to exclude folders in trend officescan 11 client side
Replies
0
Views
111
riobogmedacaliaires
riobogmedacaliaires
Macola10
  • Locked
  • Question
Kapersky Small Office Security
Replies
0
Views
120
Macola10
Macola10
SantaMufasa
  • Locked
  • Question
How can I get rid of "PC Fix Speed", a particularly nasty PC malware infection. 2
Replies
18
Views
297
kjv1611
kjv1611
Noway2
  • Locked
  • Question
What to make of this? 2
Replies
17
Views
250
goombawaho
goombawaho

Part and Inventory Search

Sponsor

Back
Top