Latest Mytob worms use a new trick to fool users

Experts at SophosLabs, Sophos’s global network of virus and spam analysis centres, are warning that new versions of the Mytob worm are continuing to be spread across the internet – and many have adopted a new technique to try and infect innocent computer users.

Hackers are releasing new versions of the Mytob worm all the time, and different variants of the worm currently account for 14 of the top 20 most commonly reported viruses to Sophos in the last seven days.

Sophos researchers have revealed that some of the new variants are using a different method to try and infect unsuspecting users. Whereas most of the Mytob worms arrive in email with a viral attachment, some new versions adopt a trick most commonly used by phishers – and include a faked web link pointing to the malicious code.

Clicking on the link in the email message will not visit the domain name that is claimed, but instead visit a different website and download a copy of the worm.
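A gateway-side check for the faked-link trick described above, as an added example that is not Sophos's code: it flags anchors in an HTML message body whose visible text names one host while the `href` points to another. The sample message, the host names and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Visible text counts as "URL-like" if it starts with an optional scheme and a dotted host.
URLISH = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[:/?#]|$)", re.I)

def shown_host(text):
    """Host named by the visible link text, or None if the text is not URL-like."""
    m = URLISH.match(text.strip())
    return m.group(1).lower() if m else None

def norm(host):  # www.example.com and example.com count as the same site
    return host[4:] if host.startswith("www.") else host

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.text, self.mismatches = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        shown = shown_host("".join(self.text))
        actual = urlsplit(self.href).hostname  # None for relative or scheme-less hrefs
        if shown and actual and norm(shown) != norm(actual):
            self.mismatches.append((shown, actual))
        self.href = None

def find_mismatched_links(html_body):
    """Return (host shown to the user, host actually linked) for each deceptive anchor."""
    auditor = LinkAuditor()
    auditor.feed(html_body)
    auditor.close()
    return auditor.mismatches

# Constructed sample in the style the article describes (not a captured Mytob message).
SAMPLE = """<p>Dear user@example.com, a security problem was found with your account.</p>
<p>Confirm it: <a href="http://host.invalid/confirm.php?email=user@example.com">
http://www.example.com/confirm.php?email=user@example.com</a></p>
<p>Help: <a href="http://www.example.com/help">example.com/help</a></p>"""
```

Links whose text is not URL-like ("click here") are deliberately ignored, so this check complements rather than replaces attachment and reputation filtering at the gateway.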

Emails sent by the new versions of the Mytob worm masquerade as a seemingly legitimate email from the organisation’s IT department or ISP, and suggest to users that a security problem has been found with their email account. Users are advised to click on the web link to confirm their account. In a crafty twist, references are made to the recipient’s domain name and email address to give the message more legitimacy.

“By using this disguise, new versions of the Mytob worm attempt to lure the unwary into clicking on a dangerous web link,” said Graham Cluley, senior technology consultant for Sophos. “This is a real headache for IT departments which often struggle to get their users to follow instructions. In this case, following the advice of the email would be a very bad idea.”

The new versions of the Mytob worm contain a number of hidden messages. For instance, some claim the author’s name is “DiablO” and contain debug strings such as “[x] starting Hellbot::v3 beta 2”.

“All indications suggest that this isn’t the last we will see of the Mytob worm. More versions seem certain to be released. It’s imperative that everyone keeps their anti-virus protection up-to-date and practises safe computing,” continued Cluley.

Sophos recommends companies automatically update their corporate virus protection, and filter attachments which may contain malicious code at the email gateway with a consolidated solution to defend against viruses and spam.

More information and an image of the email message are available at:
http://www.sophos.com/virusinfo/analyses/w32mytobda.html
