Home of the World Famous VIRUS BUSTERS

Mytob.IJ Virus Sends Fake "Account Termination" E-Mail

Summary

Virus/Worm/Trojan Name: W32/Mytob.IJ@MM
Discovered: 10/24/06
Minimum DATs for detection/protection: 4881, deployed to all campus update servers by 10/25/06 12:32; they should be on workstations connected to the 'Net within an hour
Protective filters installed on the U-M e-mail gateway: Yes. Temporary fixes 10/24/2006 23:05; 10/25/2006 00:30 and 02:50; 4881 DATs 10/25/2006 12:35.
Gateway Notes: Binary blocked first, then the e-mail was blocked manually based on the e-mail text, and then a virus-specific block was applied until the 4881 DATs became available.
Affected systems: Windows computers only, although users of other systems may see messages sent by the virus.
This page last updated: 10/26/06, 10:45 p.m.

How the Virus Spreads

The virus sends e-mail pointing to a link that has an infected file. To get the infected file on your machine (Windows machines only), you have to click the link in the message.

U-M's Windows anti-virus software, VirusScan, protected against the virus within hours of its discovery. Therefore, as long as you have VirusScan installed and set for automatic updates, you could only have gotten infected if you clicked the link during the time between when the virus was discovered and when your anti-virus software was auto-updated to deal with it.

What You Are Likely to See

Mytob.IJ sends e-mail that

  • Appears to come from "abuse@umich.edu"—forged, of course.
  • Usually (but not always) has a Subject: line of "Account Alert."
  • Has body text that says:

    Dear Valued Member,
    According to our terms of services, you will have to confirm your e-mail by the following link, or your account will be suspended for security reasons.

    After following the instructions in the sheet, your account will not be interrupted and will continue as normal. Thanks for your attention to this request. We apologize for any inconvenience.

Symptoms of Infection

Infected machines start sending messages to further spread the virus (messages that appear to come from abuse@umich.edu, but are actually being sent from an infected computer). If you have VirusScan 8 installed—that's what the University licenses—then you'll probably get LOTS of alerts that an e-mail was blocked. The anti-virus software is blocking your computer from sending messages that would spread the infection further.

What to Do If Your Computer Is Infected

Disinfect your computer. Contact the U-M Virus Busters (virus.busters@umich.edu) if you need assistance.

If you do not already have anti-virus software installed on your computer, install anti-virus software and set it to automatically update itself. If you install VirusScan, this automatic updating is built-in. See our What to Do If You Have a Virus page for instructions.

NOTE: The Virus Busters Team is contacting folks we know to be infected, and we will continue to notify people until we've contacted everyone (or the ISPs of the victims, as appropriate) we know to be infected—at U-M, or elsewhere.

Safe Computing Tips

  • Never open unsolicited e-mail attachments.
  • Never click links in unsolicited e-mail messages.
  • If you think that an unsolicited e-mail may be valid, your best bet is to try to contact the sender and ask about the message—preferably by a medium other than e-mail. If the purported sender claims to know nothing about the e-mail, you will know that the e-mail was likely forged and that you should just delete it. If in doubt as to the validity of a message, keep a copy of it and ask the Virus Busters (virus.busters@umich.edu) for advice.
  • If you really want to click a link in an unsolicited e-mail message, reduce your risk by waiting 24 to 48 hours after receiving the message. This allows time for your anti-virus software to receive any automatic updates for new viruses and increases the chances that your computer will be protected against any viruses or other malware you might encounter.
  • Be aware that links in e-mail messages are not always what they appear to be—they can direct you to a URL other than the one that is displayed. This, in fact, is the case for Mytob.IJ. It's not perfect protection (because a link can always be malicious in its own right), but it is much safer to type the link you see than it is to click on it. If you are careful, you might try copying the link and pasting it into your browser. But if you do that, you run the risk of clicking by mistake—so "good old-fashioned typing" is the safest approach.

For more tips, see our Security Recommendations.

For More Information

See McAfee's Mytob.IJ write-up (leaving our site).


This information can be freely reproduced in any medium as long as the information is unmodified.  

U-M Virus Busters

virus.busters@umich.edu

ITS | University of Michigan
Copyright © 1996-2008 The Regents of The University of Michigan
