Attack of the Mytob worms - Several new variants
McAfee has highlighted 13 new variants during June (one for each day so far). Mytob is one of the most advanced worms and virus writers can easily modify the source code to develop new variants AV vendors must adjust for. This virus hides in a stealth like manner and appears as an email message from an administrator.
Mytob may be worst virus of 2005
The Mytob family is one of the worst of 2005 so far. The Netsky variants continue to be reported as #1 in volume each month. Netsky.P is like the Klez.H worm a few years ago. However, the older Netsky variants are better blocked with current AV definitions.
Each day the virus writers can easily modify the Mytob source code, seed fresh copies, and create new versions that AV products cannot detect. This requires AV vendors to scramble in providing protection for the latest code derivations and compression techniques. Probably, since this family was introduced during March 2005, we are most likely averaging one new copy per day.
Some key reasons are:
* It is stealth-like and it can hide on an infected PCs while lowering security settings.
* It is socially engineered well and appears as an official message from an email administrator (thankfully, most copies use same email format which can be blocked with proper rules)
* Some Mytob variants can exploits some unpatched Microsoft security vulnerabilities (MS04-011),
* It usually carries a secondary payload (e.g., Spybot, Backdoor) which in an unpatched corporate network can spread rapidly
13 new versions in 13 days
W32/Mytob.cv 06/13/2005 Low Low 4513
W32/Mytob.ch 06/11/2005 Low Low 4512
W32/Mytob.cg 06/11/2005 Low Low 4512
W32/Mytob.cc 06/08/2005 Low Low 4510
W32/Mytob.ca 06/08/2005 Low Low 4509
W32/Mytob.bx 06/07/2005 Low Low 4508
W32/Mytob.gen!eml 06/07/2005 Low Low 4508
W32/Mytob.bw 06/06/2005 Low Low 4508
W32/Mytob.bv 06/06/2005 Low Low 4508
W32/Mytob.br 06/05/2005 Low Low 4507
W32/Mytob.bo 06/02/2005 Low Low 4506
W32/Mytob.bl 06/01/2005 Low Low 4505
W32/Mytob.bk 06/01/2005 Low Low 4504
EMAIL messages to avoid
The virus arrives in an email message from a systems administrator. Always verify these types of messages from your email provider and never click on either links or attachments in an email message even if it looks official.
The general format of Mytob messages are as follows:
From: (Spoofed email sender - may choose from the following list)
Subject: (Varies, such as)
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Email Account Suspension
Notice of account limitation