Security Manifest

Benjamin Johnstone-Anderson, Microsoft MVP - Windows Security

Three Minor New Mytob Variants

Symantec reports that three new low-risk versions of the Mytob family have appeared; the family has gained some success in part thanks to the sheer number of different versions in existence.  The variants are Mytob.GM, Mytob.GN, and Mytob.GP.  Going solely by Symantec's naming conventions, these are the 195th, 196th, and 198th versions of Mytob discovered, respectively.  At this time, all three variants are considered low-risk, and it is unclear whether they are spreading in the field at all.

Details
Mytob.GM and Mytob.GN were discovered Wednesday, June 29th, 2005; Mytob.GP was discovered Thursday, June 30th, 2005.  Like past Mytob versions, these worms are mass-mailers.  They also share several characteristics:  all three disable shared network access, contact an IRC (Internet Relay Chat) server to open a backdoor through which an attacker can enter the infected system, block access to security web sites, and terminate antivirus programs and various other security-related software.  There are a number of important differences between the variants, though.  The file names vary:  Mytob.GM uses Lien Van de Kelder.exe, Mytob.GN uses Lien Vande Kelder.exe, and Mytob.GP uses deneme.exe.  Additionally, Mytob.GP downloads a program known as Ranky.U that turns the infected computer into an unauthorized proxy server.  The email subjects vary, although most of them, like the email bodies, suggest that important information is enclosed, such as email account or password details.

Unlike many mass-mailers of international origin (it is probable that the worm originates from Belgium), the grammar in the emails sent out is mostly realistic.  The emails sound professional enough (despite awkward lines such as "Thank you for your attention to this question") not to raise red flags, even among native English speakers.  In the case of Mytob.GM, there is no attachment to the email, but rather a link.  At the time of writing, the domain hosting the file still remained up, although I could not verify whether or not the specific account on the free hosting site had been disabled, which would effectively kill the worm's spread mechanism.  The final detail that varies between the three is the IRC server used for the backdoor, which is either diablowashere.blackcarder.net on port 12000 (Mytob.GM and Mytob.GN) or hack3rz.turanduygu.com on port 3344 (Mytob.GP).
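The IRC backdoor details above are the most concrete network indicators in this write-up, so here is an added example (not code from the original post or from Symantec) that turns them into detection logic run over outbound-connection log lines. The two host/port pairs come straight from the text; the log line format and the sample lines are constructed for the example, and the record layout is an assumption you would adapt to whatever your firewall or proxy actually emits. Beyond the exact host-and-port match, it also flags the named hosts on any other port, since a command-and-control server that moves ports is still the same server.

```python
"""Flag outbound connections to the Mytob IRC backdoor servers named in the
write-up.  Added example, not part of the original post; the log format and
sample lines below are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Indicators as given in the write-up: (host, port) -> variant(s).
IRC_INDICATORS: Dict[Tuple[str, int], str] = {
    ("diablowashere.blackcarder.net", 12000): "Mytob.GM/GN",
    ("hack3rz.turanduygu.com", 3344): "Mytob.GP",
}
KNOWN_C2_HOSTS = {host for host, _ in IRC_INDICATORS}

# Constructed log format (assumption): "<timestamp> <src_ip> -> <dst_host>:<dst_port> <proto>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>[A-Za-z0-9.-]+):(?P<port>\d+)\s+(?P<proto>\w+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a record, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["dst"] = rec["dst"].lower()   # hostnames are case-insensitive
    return rec


def classify(rec: dict) -> Optional[str]:
    """Return a finding label for a parsed record, or None if it is benign."""
    key = (rec["dst"], rec["port"])
    if key in IRC_INDICATORS:
        return f"{IRC_INDICATORS[key]} IRC backdoor ({rec['dst']}:{rec['port']})"
    if rec["dst"] in KNOWN_C2_HOSTS:
        # Same server, different port: still worth a look.
        return f"known Mytob IRC host {rec['dst']} on unexpected port {rec['port']}"
    return None


def scan(lines: List[str]) -> List[dict]:
    """Run every line through the parser and classifier; keep only hits."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue   # unparseable line; skipped rather than treated as a hit
        label = classify(rec)
        if label:
            findings.append({"line": n, "src": rec["src"], "finding": label})
    return findings


def affected_hosts(findings: List[dict]) -> List[str]:
    """Distinct internal source addresses that produced a finding, sorted."""
    return sorted({f["src"] for f in findings})


# Constructed sample log: two infected hosts plus ordinary traffic and one junk line.
SAMPLE_LOG = [
    "2005-06-30T09:12:01 10.0.0.15 -> mail.example.net:25 tcp",
    "2005-06-30T09:12:07 10.0.0.15 -> diablowashere.blackcarder.net:12000 tcp",
    "2005-06-30T09:13:44 10.0.0.22 -> www.example.com:80 tcp",
    "2005-06-30T09:14:02 10.0.0.31 -> hack3rz.turanduygu.com:3344 tcp",
    "2005-06-30T09:14:30 10.0.0.31 -> hack3rz.turanduygu.com:6667 tcp",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"line {h['line']}: {h['src']} -> {h['finding']}")
    print("hosts to isolate and clean:", ", ".join(affected_hosts(hits)))
```

Hostname-based indicators like these go stale quickly (the post itself notes the hosting for Mytob.GM might already be gone), so a finding here is a trigger to pull the host for an antivirus scan, not proof of infection on its own.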

It is worth noting that because of the number of different variants, cases are often reported generically as "Mytob."  Because of this, underreporting occurs, and occasionally Mytob versions that are spreading in the wild are listed as very low risks.  Nonetheless, any significant spread by a Mytob variant would be noticed quickly.  Just because an antivirus company lists a Mytob version as not spreading does not necessarily mean it is not.  However, it does mean that spread is probably relatively limited.  At this point, this appears to be the case for all three of these versions.

Protection
As these are fairly minor modifications of a large worm family, it is possible that some antivirus programs already detect them generically.  If not, detection should be available at the next regular update.  Emergency detection files will probably not be published, given the low-risk nature of these worms.

The Gist
Mytob variants GM, GN, and GP have the potential to spread, but so far their spread appears to be very limited and they pose a low risk.  However, users should remain vigilant and be wary of any email that purports to be a notification from their ISP, especially if it requests personal information or offers a file.

Links
Symantec - Mytob.GM write-up.
Symantec - Mytob.GN write-up.
Symantec - Mytob.GP write-up.
Symantec - Ranky.U write-up.

Posted: Jun 30 2005, 03:18 PM by trafton | with 3 comment(s)