Swift Mytob Worm is Back

Security firm MessageLabs detected a new variant of the Mytob worm and said it intercepted 100 copies within the first several hours of its discovery today.

Although it is similar to previous Mytob variants, this version of the malicious code, dubbed DoomBot, is delivered with a header warning individuals that their services are about to be closed.

However, the latest code appears to have more variants, said MessageLabs’ Senior Antivirus Researcher Maksym Schipka.

The file name on the attachment reads “important-details.txt”. Once executed, the variant installs itself to %sysdir%d.exe and joins a command and control channel named ‘r0x’ on the IRC server rax.oucihax.info.

“It is extremely similar in functionality to previous Mytobs,” said Schipka, who believes this variant came from the Chinese hacker group known as Evil Security.

The lead mischief maker, known as Mr. Evil, has said it is the last variant his group intends to produce, according to Schipka.

MessageLabs has detected and blocked more than 22,596 copies of new W32/Mytob variant from reaching its customers’ networks since its outbreak earlier this year.

In August, Microsoft warned that a possible security vulnerability impacting its Windows plug-and-play could be exploited. The swift-moving Zotob worm did just that, hitting several media outlets hard, including ABC, CNN, The Associated Press and The New York Times, among others.

Later in the month, Diabl0, also known as Farid Essebar, 18, of Morocco, and Atilla Ekici, 21, of Turkey, were arrested in their respective countries in connection with writing and releasing the Zotob and Mytob worms into the wild, according to the FBI.
