Every Techie needs to read something.

Thursday, June 02, 2005

Sophos virus analysis: W32/Mytob-CP

Mean old nasty virus! Just had a quick bout with a Mytob-CP variant. The closest match I could find was here.

The one I ran into was a multimailer. It placed an exe called www.lienvandekelder.be.exe in the Windows system32 directory, and added registry settings in RunServices and Run. The really neat thing about it was that it killed processes, like the command prompt (cmd), Task Manager, antivirus, and all sorts of other good ones.

This one sends emails saying that your email account has been suspended, with a zip file attached. The zip file has a pif or .scr file in it.
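A read-only triage script for the two host indicators described above (a Run/RunServices entry pointing at an executable under System32, and an executable in System32 with a web-host-like name). This is an added example, not code from the original post: the registry paths are the standard Windows autostart locations, while the domain-like file-name regex and the output layout are my own assumptions, written as a heuristic rather than a signature for this family.

```powershell
# Added triage example (not from the original post). Checks the standard
# Run/RunServices autostart keys and the System32 folder for the indicators
# described in the post. Read-only: nothing is deleted or modified.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
$system32 = Join-Path $env:SystemRoot 'System32'

# Assumption (heuristic): an executable whose name looks like a web host name,
# e.g. www.example.be.exe, is unusual for legitimate software in System32.
$domainLike = '(?i)www\.[a-z0-9.-]+\.exe'

$findings = [System.Collections.Generic.List[object]]::new()

# Indicator 1: autostart values that launch something from System32 with a
# domain-like file name.
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $command = [string]$p.Value
        if (($command -like "*$system32*") -and ($command -match $domainLike)) {
            $findings.Add([pscustomobject]@{
                Source  = $key
                Name    = $p.Name
                Detail  = $command
            })
        }
    }
}

# Indicator 2: the dropped file itself, which may remain even if the
# autostart entry has already been removed.
Get-ChildItem -Path $system32 -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $domainLike } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Source  = 'System32 file'
            Name    = $_.Name
            Detail  = "$($_.FullName) (last write $($_.LastWriteTime))"
        })
    }

if ($findings.Count -eq 0) {
    Write-Output 'No domain-like System32 executables or matching autostart entries found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session so the HKLM keys and System32 are fully readable. A hit is a lead for hands-on inspection (hash the file, check its timestamps against the e-mail arrival), not a verdict; legitimate software does not normally install under a www.*.exe name, but the pattern is deliberately broad.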

Luckily I only had one user who opened it. So it cleaned up quickly.
