According to SophosLabs™, Sophos's global network of virus and
spam analysis centres, the Mytob worms currently account for more
than half of the top twenty viruses reported to Sophos in the last
48 hours, representing 42.9% of all virus reports.

One of the most widespread variants - Mytob-CM
- was first seen on Friday, 27 May. Like many of its family
members, Mytob-CM spreads via email in an infected attachment. It
purports to warn users of security or account issues in its subject
line, such as "*DETECTED* Online User Violation", "Your
Email Account is Suspended For Security Reasons" and

When the infected attachment is launched, Mytob-CM attempts to
turn off security applications and deny access to many popular
security websites, including www.sophos.com. It also attempts to
open a backdoor onto the computer, allowing unauthorised and remote
users to access the system.

"Not only do these side-effects make it more difficult for
recipients to get assistance from security experts, the open
backdoor and lack of security also leave infected users open to a
whole host of other attacks," said Carole Theriault, security
consultant at Sophos. "It is important not to underestimate the
power of such cluster attacks - together they form a malicious army

The creators of Mytob appear to be a group of virus writers
called Hellbot. Having more than one writer may aid them in issuing
several different variants in short time periods.

"The Mytob source codes suggest that the virus writers are
following a carefully planned strategy, whereby the routine allows
the virus to develop," continued Theriault. "By issuing many
threats, all of which are tweaked slightly differently, they may be
searching for the elements of their malicious code that will help
them create a super worm."

Sophos recommends companies protect their email with a
consolidated solution to thwart the virus and spam threats and
secure their desktops and servers with automatically updated