#1 (permalink)
Site Admin
Alert - Possible Email Worm
No message of this sort was sent from opelgt.com. Googling the attachment's name showed it could contain a worm. If you receive a similar message, delete it and do not open the zip file.
#2 (permalink)
Opeler
Join Date: Mar 2005
Location: Michigan
Posts: 175
This is a new virus just going around. Here is some info on it.
Description: A new variant of the Mytob worm family that has been reported in the wild. Win32/Mytob.DO is a mass-mailing worm that uses social engineering techniques to send e-mails with a spoofed sender's name, posing as an account suspension notification. The e-mail messages have varying subjects, message texts and attachment file names, with either a .BAT, .CMD, .EXE, .SCR, .PIF or .ZIP file extension. Mytob.DO drops a copy of itself and a backdoor component, and then creates registry RUN keys in order to enable automatic execution at every system startup. The worm also attempts to terminate existing antivirus processes and to modify the HOSTS file to prevent the user from visiting specific anti-virus web sites.

When run, Mytob.DO drops a copy of itself in the Windows System directory: LIEN VAN DE KELDER.EXE

Email Properties:

From: (spoofed address; e-mail sender from an infected machine's Windows Address Book)

Subject: (one of the following)
- <blank>
- <random characters>
- Notice: **Last Warning**
- *DETECTED* Online User Violation
- Your Email Account is Suspended For Security Reasons
- Account Alert
- Important Notification
- *WARNING* Your Email Account Will Be Closed
- Security measures
- Email Account Suspension
- Notice of account limitation

Message Text: (one of the following)
- Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
- please look at attached document.
- Please read the attached document and follow it's instructions.
- Please see the attachement.
- The original message has been included as an attachment.
- To safeguard your email account from possible termination, please see the attached file.
- To unblock your email account acces, please see the attachement.
- We attached some important information regarding your account.
- We have suspended some of your email services, to resolve the problem you should read the attached document.
- We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.

Attachment: (one of the following with any of these extensions: BAT, CMD, EXE, SCR, PIF, ZIP)
- email-info
- email-doc
- information
- account-details
- document
- INFO
- instructions
- info-text
- information

Backdoor Component: This worm also has backdoor capabilities. It comes with a built-in Internet Relay Chat (IRC) bot functionality, which is an automated software program that can execute certain commands when it receives specific input coming from a remote malicious user. The worm is designed to contact the following IRC server, join a specified channel, and wait for further instructions: irc.blackcarder.net (on TCP port 4512) on channel #RWNT
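
Added example, not part of the original posts: a mail-filter check in Python that flags messages matching the subjects and attachment names listed in the description above. The function names `score_message` and `build_sample` and the sample messages are constructed for illustration; because the description says the subject can be blank or random, the attachment name is checked independently of the subject.

```python
from email.message import EmailMessage

# Indicators copied from the description quoted in the post above.
SUBJECTS = {
    "notice: **last warning**",
    "*detected* online user violation",
    "your email account is suspended for security reasons",
    "account alert",
    "important notification",
    "*warning* your email account will be closed",
    "security measures",
    "email account suspension",
    "notice of account limitation",
}
ATTACH_NAMES = {"email-info", "email-doc", "information", "account-details",
                "document", "info", "instructions", "info-text"}
ATTACH_EXTS = {"bat", "cmd", "exe", "scr", "pif", "zip"}


def score_message(msg):
    """Return the reasons a parsed message matches the described lure."""
    reasons = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in SUBJECTS:
        reasons.append("subject")
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue  # container or body part, not an attachment
        # Drop any path component, then compare case-insensitively.
        name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
        stem, dot, ext = name.rpartition(".")
        if dot and stem in ATTACH_NAMES and ext in ATTACH_EXTS:
            reasons.append("attachment:" + name)
    return reasons


def build_sample(subject, filename):
    """Constructed sample message; the attachment is placeholder bytes."""
    m = EmailMessage()
    m["From"] = "admin@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("please look at attached document.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m
```
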