Latest Mytob worms use a new trick to fool users, Sophos reports

June 08, 2005 Sophos Press Release

Experts at SophosLabs™, Sophos's global network of virus and spam analysis centers, have warned that new versions of the Mytob worm are continuing to be spread across the internet, and that some have adopted a new technique to try and infect innocent computer users.

Hackers are releasing new versions of the Mytob worm all the time, and different variants of the worm currently account for 14 of the top 20 most commonly reported viruses to Sophos in the last 7 days.

However, Sophos researchers have revealed that some of the new variants are using a different method to try and infect unsuspecting users. Whereas most of the Mytob worms arrive in email with a viral attachment, some new versions adopt a trick most commonly used by phishers - and include a faked web link pointing to the malicious code.

The Mytob worms turn off security programs on infected Windows computers and deny access to many popular security websites. They also attempt to open a backdoor onto the computer, allowing unauthorised remote hackers to gain access.

Emails sent by the new versions of the Mytob worm masquerade as a seemingly legitimate email from the recipient's IT department or ISP, and suggest that a security problem has been found with their email account. Users are advised to click on the web link to confirm their account. In a crafty twist, references are made to the recipient's domain name and email address to give the message more legitimacy.

For instance, emails sent by the new W32/Mytob-DA variant can have the following characteristics:

Subject line:
*IMPORTANT* Please Confirm Your Account

Message text:
Dear Valued Member,
According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons.

http://www.<domain name>/confirm.php?email=<recipient's email address>

Thank you for your attention to this question. We apologize for any inconvenience.

Sincerely, <company name> Security Department Assistant.

An example of the kind of email which can be sent by the W32/Mytob-DA worm
An example of the kind of email which can be sent by new versions of the Mytob worm

Clicking on the link in the email message will not visit the domain name that is claimed, but instead visit a different website and download a copy of the worm.
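As an added illustration that is not part of the Sophos release, the following Python script flags the two traits described above in a mail message: a link whose visible text names one host while its href points somewhere else, and link text that embeds the recipient's own address. The sample message, the example.com domain and the 198.51.100.7 address are constructed for the demonstration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

class AnchorCollector(HTMLParser):  # collects (href, visible text) pairs
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Hostname of a URL-looking string; '' if the text is not a URL."""
    if "://" not in url:
        url = "http://" + url  # visible link text often omits the scheme
    h = (urlparse(url).hostname or "").lower()
    return h if "." in h and " " not in h else ""

def check_account_lure(raw_email, recipient):
    """Return the reasons a message matches the 'confirm your account' lure."""
    msg = message_from_string(raw_email)
    reasons = []
    if re.search(r"confirm your account", msg.get("Subject", ""), re.I):
        reasons.append("subject uses the 'confirm your account' lure")
    for part in msg.walk():  # covers single-part and multipart/alternative
        if part.get_content_type() != "text/html":
            continue
        parser = AnchorCollector()
        parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for href, text in parser.anchors:
            shown, actual = host_of(text), host_of(href)
            if shown and shown != actual:  # displayed host != real destination
                reasons.append(f"link text shows {shown} but points to {actual}")
            if recipient.lower() in text.lower():
                reasons.append("link text embeds the recipient's own address")
    return reasons

# Constructed sample modelled on the release; 198.51.100.7 is a documentation address.
SAMPLE_EMAIL = """Subject: *IMPORTANT* Please Confirm Your Account
Content-Type: text/html; charset="utf-8"

<a href="http://198.51.100.7/confirm.exe">http://www.example.com/confirm.php?email=user@example.com</a>"""
```

Running `check_account_lure(SAMPLE_EMAIL, "user@example.com")` reports all three traits, while a message whose link text and href agree and which omits the lure subject reports none.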

"By using this disguise new versions of the Mytob worm attempt to lure the unwary into clicking on a dangerous web link," said Graham Cluley, senior technology consultant for Sophos. "This is a real headache for IT departments who often struggle to get their users to follow instructions. In this case, following the advice of the email would be a very bad idea."

The new versions of the Mytob worm contain a number of hidden messages. For instance, some claim the author's name is "DiablO" and contain debug strings such as "[x] starting Hellbot::v3 beta 2".

"All indications suggest that this isn't the last we will see of the Mytob worm. More versions seem certain to be released. It's imperative that everyone keeps their anti-virus protection up-to-date and practise safe computing," continued Cluley.

Sophos recommends companies automatically update their corporate virus protection, and filter attachments which may contain malicious code at the email gateway with a consolidated solution to defend against viruses and spam.