Attack of the Mytob worms - Several new variants - Security Protection

Common Tasks

Community

Email Notifications

Personal Links

Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

Attack of the Mytob worms - Several new variants

McAfee has highlighted 13 new variants during June (one for each day so far). Mytob is one of the most advanced worms and virus writers can easily modify the source code to develop new variants AV vendors must adjust for. This virus hides in a stealth like manner and appears as an email message from an administrator.

Mytob may be worst virus of 2005

The Mytob family is one of the worst of 2005 so far. The Netsky variants continue to be reported as #1 in volume each month. Netsky.P is like the Klez.H worm a few years ago. However, the older Netsky variants are better blocked with current AV definitions.

Each day the virus writers can easily modify the Mytob source code, seed fresh copies, and create new versions that AV products cannot detect. This requires AV vendors to scramble in providing protection for the latest code derivations and compression techniques. Probably, since this family was introduced during March 2005, we are most likely averaging one new copy per day.

Some key reasons are:

* It is stealth-like and it can hide on an infected PCs while lowering security settings.
* It is socially engineered well and appears as an official message from an email administrator (thankfully, most copies use same email format which can be blocked with proper rules)
* Some Mytob variants can exploits some unpatched Microsoft security vulnerabilities (MS04-011),
* It usually carries a secondary payload (e.g., Spybot, Backdoor) which in an unpatched corporate network can spread rapidly

13 new versions in 13 days

http://vil.nai.com/VIL/newly-discovered-viruses.asp

W32/Mytob.cv   06/13/2005 Low Low 4513
W32/Mytob.ch   06/11/2005 Low Low 4512
W32/Mytob.cg   06/11/2005 Low Low 4512
W32/Mytob.cc   06/08/2005 Low Low 4510
W32/Mytob.ca   06/08/2005 Low Low 4509
W32/Mytob.bx 06/07/2005 Low Low 4508
W32/Mytob.gen!eml   06/07/2005 Low Low 4508
W32/Mytob.bw   06/06/2005 Low Low 4508
W32/Mytob.bv   06/06/2005 Low Low 4508
W32/Mytob.br   06/05/2005 Low Low 4507
W32/Mytob.bo   06/02/2005 Low Low 4506
W32/Mytob.bl   06/01/2005 Low Low 4505
W32/Mytob.bk   06/01/2005 Low Low 4504

EMAIL messages to avoid

The virus arrives in an email message from a systems administrator. Always verify these types of messages from your email provider and never click on either links or attachments in an email message even if it looks official.

The general format of Mytob messages are as follows:

From: (Spoofed email sender - may choose from the following list)
support
administrator
mail
service
admin
info
register
webmaster

Subject: (Varies, such as)

Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation

Posted: Jun 13 2005, 09:59 PM by Harry Waldron | with no comments

Questions? Contact Susan at Susan-at-msmvps.com. Each post's copyright held by the original author. All rights reserved. Blog site is an independent site not sponsored by Microsoft.
Our servers would like to thank www.ownwebnow.com and www.exchangedefender.com. We wouldn't be here without the generosity of Vlad Mazek and his companies.

Powered by Community Server (Commercial Edition), by Telligent Systems

Theme based on the Paperclip Blog Theme included in Community Server.
Enhanced to a Site-Wide Theme by Interscape Technologies.