Mytob worm family spreads rapidly, Sophos comments

June 02, 2005 Sophos Press Release

According to SophosLabs™, Sophos's global network of virus and spam analysis centres, Mytob variants currently occupy more than half of the places in the top twenty viruses reported to Sophos in the last 48 hours, and together account for 42.9% of all virus reports.

One of the most widespread variants - Mytob-CM - was first seen on Friday, 27 May. Like many of its family members, Mytob-CM spreads as an infected email attachment. Its subject lines pose as security or account warnings, such as "*DETECTED* Online User Violation", "Your Email Account is Suspended For Security Reasons" and "Account Alert".

When the infected attachment is launched, Mytob-CM attempts to turn off security applications and to deny access to many popular security websites, including www.sophos.com, so that the infected user cannot download updates or removal tools. It also attempts to open a backdoor on the computer, giving remote attackers unauthorised access to the system.
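The press release does not say how Mytob-CM denies access to security websites. The following added example (not Sophos's code, and not taken from the worm) assumes the mechanism commonly used by mass-mailing worms of that period: appending lines to the Windows hosts file that map security-vendor domains to a loopback or bogus address. It parses a hosts file and reports any watched domain pointed at a non-routable target. The vendor watch-list and the sample hosts file are constructed for illustration.

```python
"""Flag hosts-file entries that hijack security-vendor domains.

Added example; assumes the blocking is done via the hosts file, which the
press release does not state. WATCHED_DOMAINS and SAMPLE_HOSTS are constructed.
"""
import ipaddress

# Assumed watch-list of vendor/update domains (constructed; extend as needed).
WATCHED_DOMAINS = {
    "sophos.com",
    "www.sophos.com",
    "www.symantec.com",
    "www.mcafee.com",
    "windowsupdate.microsoft.com",
}


def _is_suspicious_target(addr: str) -> bool:
    """A public vendor site should never resolve to loopback, 0.0.0.0,
    a private range or a reserved address; anything unparseable is also bad."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return ip.is_loopback or ip.is_unspecified or ip.is_private or ip.is_reserved


def parse_hosts(text: str) -> list:
    """Return (ip, hostname, line_no) for every mapping, ignoring comments.

    A hosts line is: <ip> <name> [<name> ...] [# comment]
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower(), line_no))
    return entries


def find_hijacked(text: str, watched=WATCHED_DOMAINS) -> list:
    """Return findings for watched domains (or their subdomains) that a
    hosts file redirects to a suspicious address."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in watched):
            if _is_suspicious_target(ip):
                findings.append({"line": line_no, "host": name, "ip": ip})
    return findings


# Constructed sample: a normal hosts file with three appended hijack lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.symantec.com   # appended by malware
10.0.0.5  intranet.example.local
"""

if __name__ == "__main__":
    for f in find_hijacked(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']}")
```

On a live machine the text would come from %SystemRoot%\system32\drivers\etc\hosts; the private-range entry for the intranet host is not reported because it is not on the watch-list, which is the point of matching on domain rather than on address alone.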

"Not only do these side-effects make it more difficult for recipients to get assistance from security experts, the open backdoor and lack of security also leave infected users open to a whole host of other attacks," said Carole Theriault, security consultant at Sophos. "It is important not to underestimate the power of such cluster attacks - together they form a malicious army of threats."

The creators of Mytob appear to be a group of virus writers called Hellbot. Having more than one writer may explain how the group can issue several different variants within short periods of time.

"The Mytob source code suggests that the virus writers are following a carefully planned strategy, whereby the routine allows the virus to develop," continued Theriault. "By issuing many threats, all of which are tweaked slightly differently, they may be searching for the elements of their malicious code that will help them create a super worm."

Sophos recommends that companies protect their email with a consolidated solution against both virus and spam threats, and secure their desktops and servers with automatically updated anti-virus protection.