All Ball State University computer users should be aware of an ongoing threat from the W32.Mytob.MX worm. W32.Mytob.MX is a mass-mailing worm that also spreads through network shares. It sends itself as an e-mail attachment to addresses gathered from the compromised computer.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Mytob.MX spreads to network shares by generating random IP addresses and attempting to copy itself to the default shares of the computer at each address. If a share is password-protected, it uses the user name and password of the user currently logged in to the compromised computer as logon credentials, so a worm infection on one machine can reach every share that user can write to. It can also download and execute files, restart the compromised computer and start an FTP server on a random TCP port.
Mytob.MX e-mail messages have the following characteristics:
- From: [SPOOFED]
- Subject:
One of the following:
- DETECTED Online User Violation
- Important Notification
- MEMBERS SUPPORT
- Notice Account limitation
- Security Measures
- WARNING MESSAGE YOUR SERVICES NEAR TO BE CLOSED
- You have successfully updated your password
- Your Account is Suspended
- Your Account is Suspended for Security Reasons
- Your password has been successfully updated
- Your Password has been updated
- Message:
One of the following:
Dear [DOMAIN NAME] Member,
Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.
Virtually yours,
The [DOMAIN NAME] Support Team
Dear [DOMAIN NAME] Member,
We have temporarily suspended your email account [COMPLETE EMAIL ADDRESS]. This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up progress.
3. An inability to accurately verify your selected option of subscription due to an internal error within our processors. See the details to reactivate your [DOMAIN NAME] account.
Sincerely, TheSupportTeam
+++ Attachment: No Virus (Clean)
+++ [DOMAIN NAME] Antivirus – www. [DOMAIN NAME]
Dear [DOMAIN NAME] Member,
Some information about your [DOMAIN NAME] account is attached.
The [DOMAIN NAME] Support Team
- Attachment:
One of the following:
- accepted-password
- account-details
- account-info
- account-password
- account-report
- approved-password
- documeng
- email-details
- email-password
- important-details
- new-password
- password
- readme
- updated-password
The attachment is a copy of the worm.
Some ways to recognize this message as fraudulent:
- The attachment name appears as Deleted Attachment.txt
- Legitimate notices about security issues (viruses, spam and hoaxes) at Ball State come from the BSU Computer Security Response Team, not from a generic "Support Team".
- Misspellings throughout the e-mail.
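As an added example that is not part of the BSU advisory, the following Python script scores a message against the indicators listed above: the subjects the worm uses, the attachment base names (the advisory does not give the file extensions, so only the part of the filename before the first dot is compared), and phrases from the lure text. The two sample messages are constructed here for illustration, and the example.edu addresses are placeholders.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Subject lines listed in the advisory (compared case-insensitively).
MYTOB_MX_SUBJECTS = {
    s.lower() for s in [
        "DETECTED Online User Violation",
        "Important Notification",
        "MEMBERS SUPPORT",
        "Notice Account limitation",
        "Security Measures",
        "WARNING MESSAGE YOUR SERVICES NEAR TO BE CLOSED",
        "You have successfully updated your password",
        "Your Account is Suspended",
        "Your Account is Suspended for Security Reasons",
        "Your password has been successfully updated",
        "Your Password has been updated",
    ]
}

# Attachment base names from the advisory; extensions are not given there,
# so matching is done on the filename up to its first dot.
MYTOB_MX_ATTACHMENT_STEMS = {
    "accepted-password", "account-details", "account-info", "account-password",
    "account-report", "approved-password", "documeng", "email-details",
    "email-password", "important-details", "new-password", "password",
    "readme", "updated-password",
}

# Phrases that appear in the worm's message bodies.
MYTOB_MX_BODY_PHRASES = (
    "confirm the attached document",
    "temporarily suspended your email account",
    "information about your",
    "support team",
)


def attachment_stem(filename: str) -> str:
    """Return the lower-cased filename with any directory and extension removed."""
    return filename.rsplit("/", 1)[-1].split(".", 1)[0].lower()


def score_message(raw: bytes) -> Dict[str, object]:
    """Parse a raw RFC 822 message and report which Mytob.MX indicators it matches.

    A message is marked suspicious only when at least two different indicator
    classes (subject, attachment, body) match, so a legitimate mail that merely
    reuses a common subject line is not flagged on its own.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: List[str] = []

    subject = str(msg["Subject"] or "").strip()
    if subject.lower() in MYTOB_MX_SUBJECTS:
        hits.append(f"subject:{subject}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if attachment_stem(name) in MYTOB_MX_ATTACHMENT_STEMS:
            hits.append(f"attachment:{name}")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part else ""
    for phrase in MYTOB_MX_BODY_PHRASES:
        if phrase in body:
            hits.append(f"body:{phrase}")

    classes = {h.split(":", 1)[0] for h in hits}
    return {"hits": hits, "suspicious": len(classes) >= 2}


def build_sample(subject: str, body: str, attachment_name: str = "") -> bytes:
    """Construct a sample message (test data only; the sender is a placeholder)."""
    m = EmailMessage()
    m["From"] = "support@example.edu"  # placeholder for the spoofed sender
    m["To"] = "user@example.edu"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        # A few bytes stand in for the worm binary; the content is irrelevant here.
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


# Constructed sample: lure text copied from the advisory, attachment name guessed.
SAMPLE_WORM = build_sample(
    "Your Account is Suspended",
    "Dear example.edu Member,\n\nYour e-mail account was used to send a huge "
    "amount of unsolicited spam messages during the recent week. If you could "
    "please confirm the attached document so you will not run into any future "
    "problems with the online service.\n\nVirtually yours,\n"
    "The example.edu Support Team\n",
    "password.zip",
)

# Constructed sample: a benign notice that happens to reuse one of the subjects.
SAMPLE_BENIGN = build_sample(
    "Important Notification",
    "The computer lab will be closed Friday for scheduled maintenance.\n",
)

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        print(label, score_message(raw))
```

The two-class threshold is the design point: a subject line alone is a weak signal, but a listed subject combined with a listed attachment name or the "Support Team" lure text is the pattern the advisory describes.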
To protect your PC from this worm you should be running Symantec Antivirus, which detects this threat. If you do not have Symantec Antivirus installed on your computer, please visit http://www.bsu.edu/antivirus/.
All Windows computer users should also perform regular updates by going to http://windowsupdate.microsoft.com/ or by configuring the Windows Update Service to apply updates to your computer automatically.