Perimeter eSecurity is warning customers about a new variant of worm outbreak.
This worm propagates as a password-protected *.zip attachment. Users who open the archive by entering the password included in the email will become infected. Recently the Perimeter security operations center (SOC) has seen a flurry of these emails caught in our virus filters. We are asking customers to reinforce virus-awareness training by reminding end users of the danger of opening suspicious attachments, and especially password-protected *.zip attachments. Perimeter has already updated its virus signatures and is blocking *.zip attachments that contain the virus. However, we felt the need to notify customers as a precaution, given the small chance that a copy has circumvented our virus engines. If you believe you have been infected by this worm, or have additional questions, please call the Perimeter Command Center.
VIRUS DETAILS:
ALIASES: TR/Crypt.XPACK.Gen (AntiVir), Win32:Mytob-TC (Avast), Generic7.CXR (AVG), Generic.Malware (BitDefender), Net-Worm.Win32.Mytob.ft (Kaspersky), Win32/Mytob.VW (NOD32), W32.IRCBot.Gen (Symantec)
TYPE: Worm
SYSTEMS CONCERNED: Windows
DISCOVERED: 31/08/07
DETAILED DESCRIPTION:
The attachment is a .zip file (137 KB) protected by a password that is given in the message text, so that antivirus gateways cannot reach its contents and detect the virus. Some examples:
- Important-INFO.zip
- SECURE-INFO.zip
- Secure_Details.zip
The file inside the archive bears the same name as the archive and has either a single or a double extension. In the first case it is made to look like a text or HTML file, but the apparent extension is meaningless because the file is actually an MS-DOS program shortcut (a .pif file; Windows hides the .pif extension even when other extensions are displayed). In the second case it is again made to look like a text file, this time by inserting a long run of spaces between the first extension (the decoy, with no effect) and the second (the only real one). In both cases the user is misled about the true nature of the file:
- IMPORTANT-INFO.txt .exe (an .exe file)
- IMPORTANT-INFO.txt (MS-DOS shortcut)
- SECURE-INFO.htm (MS-DOS shortcut)
- Secure_Details.txt .scr (a .scr file)
If this file is executed, the worm installs itself on the hard disk, modifies the registry so that it runs at every start-up of the computer, mails itself to the addresses found in the Windows address book and in various other files (skipping certain recipients and using a forged sender address), and then installs a backdoor that lets a malicious individual take remote control of the infected computer over an IRC channel.
HOW TO IDENTIFY THE WORM'S SENDER ADDRESS: The sender address is forged and uses the domain of the recipient's own address as its domain, so that the message appears to come from the recipient's ISP or organization. Some examples:
- admin@[recipient's domain] (e.g. admin@wanadoo.fr if your ISP is Wanadoo)
- administrator@[recipient's domain] (e.g. administrator@wanadoo.fr if your ISP is Wanadoo)
- mail@[recipient's domain] (e.g. mail@hotmail.com if your mail provider is Hotmail)
- service@[recipient's domain] (e.g. service@sncf.fr if your company is the SNCF)
- support@[recipient's domain] (e.g. support@free.fr if your ISP is Free)
EMAIL SUBJECT/TITLE: The subject of the message varies and tries to catch the recipient's attention or interest. Some examples:
- ALERT
- Free one year trial
- And Mastercard and Amex news aimed
- You've received an E-Card from a dear friend.
- Your account has been suspended for over use
EMAIL MESSAGE: The body of the message also varies. Two examples:
Partial message is available as a secure passworded attachment.
Please use the following password to read the attachment
Password: 2179

The message has been sent as a secure passworded attachment.
Please use the following password to read the attachment
Password: 2721
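The three indicators above (the decoy file names inside the archive, the forged sender that borrows the recipient's own domain, and the archive password handed over in clear text in the body) can all be checked at a mail gateway before a user ever opens the attachment. The script below is an added example written for this advisory, not Perimeter's own tooling or code from the worm; the message it builds is constructed here, with hypothetical addresses, and its archive is unencrypted because Python's zipfile module cannot write ZipCrypto archives. The checks do not depend on that: entry names sit unencrypted in a zip's central directory even when the contents are password-protected, and the content check recovers the password from the body exactly as a user would.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Optional

# Local-parts the worm pairs with the recipient's own domain in the forged From: line.
GENERIC_LOCALPARTS = {"admin", "administrator", "mail", "service", "support"}
# Extensions Windows executes on double-click; Explorer hides .pif even when other
# extensions are shown, which is how an MS-DOS shortcut poses as .htm or .txt.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# The lure body hands over the archive password in clear text, e.g. "Password: 2179".
PASSWORD_RE = re.compile(r"Password:\s*(\d{3,})", re.IGNORECASE)


def inspect_name(name: str) -> list:
    """Return the naming tricks found in one archive entry name (empty if none)."""
    reasons = []
    parts = name.split(".")
    ext = "." + parts[-1].strip().lower() if len(parts) > 1 else ""
    if ext in EXEC_EXTS:
        reasons.append(f"executable extension {ext}")
    if len(parts) > 2:
        reasons.append("double extension")
    # "IMPORTANT-INFO.txt          .exe": a run of spaces pushes the real extension
    # out of view in a narrow file-name column.
    if re.search(r"\s{2,}\.\w+$", name):
        reasons.append("space padding before final extension")
    return reasons


def sender_spoofs_recipient(from_addr: str, to_addr: str) -> bool:
    """True when From: is <generic local-part>@<the recipient's own domain>."""
    try:
        f_local, f_domain = from_addr.lower().rsplit("@", 1)
        _, t_domain = to_addr.lower().rsplit("@", 1)
    except ValueError:
        return False
    return f_domain == t_domain and f_local in GENERIC_LOCALPARTS


def extract_password(body: str) -> Optional[str]:
    m = PASSWORD_RE.search(body)
    return m.group(1) if m else None


def analyse(raw: bytes) -> dict:
    """Score one RFC 822 message; returns the recovered password and a list of findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if sender_spoofs_recipient(str(msg["From"]), str(msg["To"])):
        findings.append("From: uses the recipient's own domain with a generic local-part")
    body = msg.get_body(preferencelist=("plain",))
    pwd = extract_password(body.get_content()) if body else None
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if not fname.lower().endswith(".zip"):
            continue
        with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
            for info in zf.infolist():
                # Entry names live unencrypted in the central directory, so this check
                # needs no password even for a ZipCrypto-protected archive.
                for reason in inspect_name(info.filename):
                    findings.append(f"{info.filename!r}: {reason}")
                if pwd is not None:
                    # With the password lifted from the body, the gateway can open the
                    # entry itself and look for a PE (MZ) header behind the decoy name.
                    with zf.open(info, pwd=pwd.encode()) as fh:
                        if fh.read(2) == b"MZ":
                            findings.append(f"{info.filename!r}: PE executable (MZ header)")
    return {"password": pwd, "findings": findings}


def build_sample(password: str = "2179") -> bytes:
    """Constructed lure modelled on the advisory; addresses are hypothetical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Stand-in for the 137 KB executable: just the MZ signature plus filler.
        zf.writestr("IMPORTANT-INFO.txt                          .exe", b"MZ" + b"\x90" * 64)
    msg = EmailMessage()
    msg["From"] = "admin@wanadoo.fr"
    msg["To"] = "victim@wanadoo.fr"
    msg["Subject"] = "ALERT"
    msg.set_content(
        "Partial message is available as a secure passworded attachment.\n"
        "Please use the following password to read the attachment\n"
        f"Password: {password}\n"
    )
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Important-INFO.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in analyse(build_sample())["findings"]:
        print(line)
```

A gateway rule built on this would quarantine on any single finding: a zip entry with an executable extension, a padded or doubled extension, or a generic local-part at the recipient's own domain is reason enough on its own, and the MZ check catches samples whose names are clean but whose contents are not.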
I would strongly encourage each of you to spend a few minutes evaluating your layered security approach and, if necessary, work with your Perimeter account manager to find additional solutions that may protect your networks. Perimeter has also developed a tool called the Risk Profiler (www.riskprofile.org) that can help identify security gaps and risk mitigation solutions. The tool is freely available. Talk to your Perimeter account manager to obtain an access code. If you don’t know who your Perimeter account manager is, call 1-800-234-2175.
Tom Neclerio
VP of Security and Compliance
Perimeter eSecurity