Multiple Mytob variants cause outbreak

Multiple Mytob variants cause outbreak

Kaspersky Lab, a leading developer of secure content management solutions, has detected a large number of new modifications of Net-Worm.Win32.Mytob. At the time of writing, Kaspersky Lab virus analysts have detected 26 variants of the worm, and it seems highly likely that there are more to come. The new versions of Mytob, and the speed at which they are spreading, have caused a significant outbreak.

Net-Worm.Win32.Mytob.c, which was first detected on the 1st March, represents a particular threat. It is responsible for 30% of the malicious code detected in mail traffic over the past three weeks. And five or six other versions of Mytob family have places in the Kaspersky Lab Virus Top Twenty, which goes to show just how fast these worms are spreading.

Mytob is based on Mydoom.a source code, and infects computers running Windows. It penetrates victim machines both via a vulnerability in the Windows LSASS service and as an attachment to infected email messages.

Once launched, the worm copies itself to the Windows system directory, and registers this file in the system registry. This ensures that a copy of the worm will be launched each time Windows is rebooted. The worm harvests email addresses from the infected machine's file system. It will not, however, send itself to certain addresses which appear to belong to antivirus companies, software developers, or educational institutions among others. (Click here for a full list).

At the same time, Mytob selects IP addresses to attack, and sends a request to TCP port 445 on the potential victim machine. If the remote computer responds, the worm will launch its code on this new victim machine via the LSASS vulnerability. In addition to this replication mechanism, Mytob worms also contain a bot component, which enables a remote malicious user to access information saved on the victim machine and control it via IRC channels.

This outbreak could also potentially be exacerbated by the latest Microsoft security update, which listed several new vulnerabilities, 5 of them rated critical. If virus writers decide to exploit these vulnerabilities, it could cause a global epidemic. “We're certain that the computer underground is working actively on creating new and even more dangerous malicious code which will exploit these loopholes. To keep your data safe, we strongly recommend that you download and install the latest Microsoft patches now,” said Eugene Kaspersky, head of Anti-Virus Research at Kaspersky Lab.

Kaspersky Anti-Virus databases have already been updated with detection for Mytob worms. You can find more information about this family of malicious programs in the Kaspersky Virus Encyclopaedia.

14 Apr 2005