I seem to have all the symptoms of having caught the W32.Mytob.EY@mm
(identified 16th June 05) virus via an email attachment. Symantec only
lists fixes for PC windows. Has anyone else got it (on a Mac) and what
do we do?

Thanks,

Re: VIRUS: W32.Mytob.EY@mm on a Mac ??? by Bruce

Bruce
Thu Jun 16 13:28:09 CDT 2005

This is a windows only virus so it cannot under any circumstances affect
Entourage on the Mac. If you have VPC installed and are running windows
then the VPC environment can catch this bug. If that is the case then you
can use the standard Windows virus removal and checking tools. According to
Symantec there are no Mac viruses at this time. Perhaps you should describe
your symptoms in more detail.

Bruce



On 6/16/05 2:05 PM, in article
1118945142.364992.13930@g14g2000cwa.googlegroups.com, "Tim Oldham"
<tim@strict-time.com> wrote:

> I seem to have all the symptoms of having caught the W32.Mytob.EY@mm
> (identified 16th June 05) virus via an email attachment. Symantec only
> lists fixes for PC windows. Has anyone else got it (on a Mac) and what
> do we do?
>
> Thanks,
>



Re: VIRUS: W32.Mytob.EY@mm on a Mac ??? by Tim

Tim
Thu Jun 16 17:41:45 CDT 2005

Thanks for replying. I seem to get the messages from my own server, as
though sent from my own <domain>. The following have all come my way in
droves:

1: The email has the following characteristics: From: One of the
following:
serg, mary, ray, tom, peter, robert, bob (etc.)

2: I also get one of 4 messages like this:
Message: One of the following:

Dear user [USER NAME],
You have successfully updated the password of your [DOMAIN] account.If
you did not authorize this change or if you need assistance with your
account, please contact [DOMAIN] customer service at: [SPOOFED EMAIL]
Thank you for using [DOMAIN]!
The [DOMAIN] Support Team
+++ Attachment: No Virus (Clean)
+++ [DOMAIN] Antivirus - www.[FULL DOMAIN]

3: Attachment: (for me a .zip file)
One of the following:

updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report

So it really looks like the above mentioned virus, but maybe it is not
ME that is generating it ?? (even though it is solely using my
web-hosting domain name...)

Thanks again,

Tim


Re: VIRUS: W32.Mytob.EY@mm on a Mac ??? by Steven

Steven
Thu Jun 16 20:07:03 CDT 2005

On 6/16/05 2:05 PM, in article
1118945142.364992.13930@g14g2000cwa.googlegroups.com, "Tim Oldham"
<tim@strict-time.com> wrote:

> I seem to have all the symptoms of having caught the W32.Mytob.EY@mm
> (identified 16th June 05) virus via an email attachment. Symantec only
> lists fixes for PC windows. Has anyone else got it (on a Mac) and what
> do we do?

It's a Windows virus and therefore cannot execute on your Mac. There has to
be some other cause.


Re: VIRUS: W32.Mytob.EY@mm on a Mac ??? by Bruce

Bruce
Thu Jun 16 20:54:07 CDT 2005

It appears that perhaps you have a windows server for your email and it may
be infected or there is a Windows machine on your domain which has the virus
and is forwarding the trash email through your server. But you can rest
assured that the problem is not caused by your Mac.

Good luck finding this one.

Bruce


On 6/16/05 9:07 PM, in article BED79A77.2CCB%steven@sanctuaryweb.org,
"Steven W. Buehler" <steven@sanctuaryweb.org> wrote:

> On 6/16/05 2:05 PM, in article
> 1118945142.364992.13930@g14g2000cwa.googlegroups.com, "Tim Oldham"
> <tim@strict-time.com> wrote:
>
>> I seem to have all the symptoms of having caught the W32.Mytob.EY@mm
>> (identified 16th June 05) virus via an email attachment. Symantec only
>> lists fixes for PC windows. Has anyone else got it (on a Mac) and what
>> do we do?
>
> It's a Windows virus and therefore cannot execute on your Mac. There has to
> be some other cause.
>


Re: VIRUS: W32.Mytob.EY@mm on a Mac ??? by Kevin

Kevin
Thu Jun 16 22:07:21 CDT 2005

Whoever is spoofing you is forging your domain in the Return-path and
From fields for mail sent to you so that you think it is legitimate.

I am receiving the same type of email - and in a flurry over the past
few days.

Upon review of the message headers, the messages appear to be coming
from these IP addresses (here are two and I deleted a message with yet
another; these may be forged):

204.42.19.194 - Verio
24.15.141.54 - Comcast

The "From" value is most often:

administrator@yourdomain.com
info@yourdomain.com
service@yourdomain.com
register@yourdomain.com

I don't think a Mac user need worry unless s/he opens one of the zip
attachments while running VPC.


Re: VIRUS: W32.Mytob.EY@mm on a Mac ??? by Tim

Tim
Fri Jun 17 06:31:08 CDT 2005

Many thanks everyone. I don't run VPC. I downloaded the latest Mac
definitions from Symantec after midnight (new defs 16th June) and a
virus scan has found (and quarantined for the moment) at least 6 copies
of WW.32.Mytob.EE@mm in the following path (roughly translated as I
have a French Office X):

Where: /Users/(me)/Documents/Microsoft Users Database/saved
attachments/account-details.txt 3.pif

On checking the Source of one arrival this morning, I found it had in
fact come from one of my clients, but was spoofing my domain name:

Received: from (my domain name) (ll.myclient.co.uk) [217.19.xxx.x])
...the numbers are not my IP address.

Thanks again for the help,

Tim
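
The header check described in the two posts above (a forged From/Return-Path carrying the recipient's own domain, and a Received line whose recorded host is someone else's machine), together with the decoy-extension file name the scan reported, written out as a triage script. This is an added example, not part of the original thread; the sample message, the `example.*` names, the 192.0.2.45 address and the extension list are constructed placeholders.

```python
import os, re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample; example.* names and 192.0.2.45 are placeholders.
SAMPLE = """\
Return-Path: <info@example.com>
Received: from example.com (host1.client.example.net [192.0.2.45])
\tby mx.example.com with ESMTP; Fri, 17 Jun 2005 06:02:11 -0500
From: info@example.com
To: tim@example.com
Subject: password updated
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear user tim,
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="account-details.txt .pif"

placeholder
--b1--
"""

# "from <HELO name> (<reverse-DNS name> [<IP>])" as written by the receiving MTA
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S*)\s*\[([\d.]+)\]\)")
EXEC_EXT = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd"}  # assumed list

def domain_of(addr):
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def analyze(raw, my_domain):
    msg, findings = message_from_string(raw), []
    claimed = {domain_of(msg["From"]), domain_of(msg["Return-Path"])}
    # The topmost Received header is the one added by our own mail server.
    m = RECEIVED_RE.search(msg.get_all("Received", [""])[0])
    if m and my_domain in claimed:
        helo, rdns, ip = m.group(1).lower(), m.group(2).lower(), m.group(3)
        inside = rdns == my_domain or rdns.endswith("." + my_domain)
        if not inside:  # sender claims our domain, peer is somewhere else
            findings.append(f"spoofed sender: HELO {helo}, peer {rdns or '?'} [{ip}]")
    for part in msg.walk():
        stem, ext = os.path.splitext(part.get_filename() or "")
        if ext.lower() in EXEC_EXT and "." in stem:  # e.g. "x.txt .pif"
            findings.append(f"decoy extension: {part.get_filename()!r}")
    return findings
```

Only the Received header written by your own server can be trusted; the HELO name and any lower Received lines are supplied by the sender.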


Re: VIRUS: W32.Mytob.EY@mm on a Mac ??? by Daiya

Daiya
Fri Jun 17 09:39:55 CDT 2005

I've been getting all the same messages from webmaster@myschool.edu. I
guess if I were the webmaster for my own domain, that would be freaky.

By the way, if you had never opened the attachment it would not have shown
up in the saved attachments folder.


On 6/17/05 4:31 AM, "Tim Oldham" wrote:

> Many thanks everyone. I don't run VPC. I downloaded the latest Mac
> definitions from Symantec after midnight (new defs 16th June) and a
> virus scan has found (and quarantined for the moment) at least 6 copies
> of WW.32.Mytob.EE@mm in the following path (roughly translated as I
> have a French Office X):
>
> Where: /Users/(me)/Documents/Microsoft Users Database/saved
> attachments/account-details.txt 3.pif
>
> On checking the Source of one arrival this morning, I found it had in
> fact come from one of my clients, but was spoofing my domain name:
>
> Received: from (my domain name) (ll.myclient.co.uk) [217.19.xxx.x])
> ...the numbers are not my IP address.
>
>
> Thanks again for the help,
>
> Tim
>


Re: VIRUS: W32.Mytob.EY@mm on a Mac ??? by Tim

Tim
Fri Jun 17 10:49:01 CDT 2005

You are right, it is freaky. And it is the only reason I (stupidly)
clicked on the .zip file. It all seemed to be addressed to me from my
Web Hosting Company.
Still, hindsight and all that...won't get caught again. It is
interesting however that the Symantec Mac defs from yesterday were
armed and picked it out during the virus inspection this morning...even
though we are told our Macs should not get this stuff...


Re: VIRUS: W32.Mytob.EY@mm on a Mac ??? by mmmmark

mmmmark
Fri Jun 17 13:25:32 CDT 2005

Just because we have Macs doesn't mean we won't _get_ the stuff, it just
means that the "payload" on the attached nuclear missile will have no effect
on our so-far impenetrable OS. It has no effect on OS X since the
virus/trojan/malware was written to exploit one or more of the flavors of
Windows. Consider the virus as something like ebola, the plague or AIDS...
Then consider that we are immune to them all and can live without fear.

That's why we Mac users are always smiling. :-)

However, keep in mind that as a good netizen, it is best to employ virus
protection to keep from innocently passing along a virus to our
friends/relatives that ARE using a susceptible operating system. Also,
eventually an OS X virus will probably rear its ugly head, so be vigilant.

-Mark


"Tim Oldham" <tim@strict-time.com> wrote in message
news:1119023341.202110.103870@z14g2000cwz.googlegroups.com...
> You are right, it is freaky. And it is the only reason I (stupidly)
> clicked on the .zip file. It all seemed to be addressed to me from my
> Web Hosting Company.
> Still, hindsight and all that...won't get caught again. It is
> interesting however that the Symantec Mac defs from yesterday were
> armed and picked it out during the virus inspection this morning...even
> though we are told our Macs should not get this stuff...
>



Re: VIRUS: W32.Mytob.EY@mm on a Mac ??? by Tim

Tim
Fri Jun 17 16:45:17 CDT 2005

Wise words indeed, thanks Mark. It may be our turn someday. And
although I obviously didn't open the .zip attachment, another one got
through this evening that went straight past the Norton Antivirus that
found the offenders during a full scan this morning. So the Autoprotect
doesn't actually spot the attachments and their payload on the way in?

Tim


Re: VIRUS: W32.Mytob.EY@mm on a Mac ??? by Kevin

Kevin
Sat Jun 18 00:01:07 CDT 2005

You said:
So the Autoprotect doesn't actually spot the attachments and their
payload on the way in?


Only if it is integrated with your mail client.