Experts at SophosLabs™, Sophos's global
network of virus and spam analysis centers, have warned that new
versions of the Mytob worm are continuing to be spread across the
internet, and that some have adopted a new technique to try and
infect innocent computer users.
Hackers are releasing new versions of the Mytob worm all the
time, and different variants of the worm currently account for 14
of the top 20 most commonly reported viruses to Sophos in the last
However, Sophos researchers have revealed that some of the new
variants are using a different method to try and infecting
unsuspecting users. Whereas most of the Mytob worms arrive in email
with a viral attachment, some new versions adopt a trick most
commonly used by phishers - and include a faked web link pointing
to the malicious code.
The Mytob worms turn off security programs on infected Windows
computers and deny access to many popular security websites. They
also attempt to open a backdoor onto the computer, allowing
unauthorised remote hackers to gain access.
Emails sent by the new versions of the Mytob worm masquerade as
a seemingly legitimate email from the recipient's IT department or
ISP, and suggest that a security problem has been found with their
email account. Users are advised to click on the web link to
confirm their account. In a crafty twist, references are made to
the recipient's domain name and email address to give the message
For instance, emails sent by the new W32/Mytob-DA variant can
have the following characteristics:
*IMPORTANT* Please Confirm Your Account
Dear Valued Member,
According to our site policy you will have to confirm your
account by the following link or else your account will be
suspended within 24 hours for security reasons.
Thank you for your attention to this question. We apologize
for any inconvenience.
Sincerely,<company name> Security Department
An example of the kind of email which can be
sent by new versions of the Mytob worm
Clicking on the link in the email message will not visit the
domain name that is claimed, but instead visit a different website
and download a copy of the worm.
"By using this disguise new versions of the Mytob worm attempt
to lure the unwary into clicking on a dangerous web link," said
senior technology consultant for Sophos. "This is a real headache
for IT departments who often struggle to get their users to follow
instructions. In this case, following the advice of the email would
be a very bad idea."
The new versions of the Mytob worm contain a number of hidden
messages. For instance, some claim the author's name is "DiablO"
and contain debug strings such as "[x] starting Hellbot::v3 beta
"All indications suggest that this isn't the last we will see of
the Mytob worm. More versions seem certain to be released. It's
imperative that everyone keeps their anti-virus protection
up-to-date and practise safe computing," continued Cluley.
Sophos recommends companies automatically update their corporate
virus protection, and filter attachments which may contain
malicious code at the email gateway with a consolidated solution to defend against viruses