Mytob variant hides sting in the tail

Hackers are releasing new versions of Mytob all the time

IT security experts today warned that mutant versions of the Mytob worm more virulent than its predecessors are spreading rapidly across the internet.

Hackers are releasing new versions of Mytob all the time, according to security firm Sophos, and different variants currently account for 14 of the top 20 most commonly reported viruses to the firm in the past seven days.

Researchers have revealed that some of the new variants use a different method to try and infect unsuspecting users.

Whereas most Mytob worms arrive in an email with a virus attachment, the latest versions adopt a trick most commonly used by phishers: a faked web link pointing to the malicious code.

Clicking on the link will not visit the domain name that is claimed, but takes users to a different website where the worm is automatically downloaded.

Emails sent by these mutant versions of Mytob masquerade as a seemingly legitimate email from an organisation's IT department or ISP, and suggest to users that a security problem has been found with their email account.

Users are advised to click on the web link to confirm their account. In a crafty twist, references are made to the recipient's domain name and email address to give the message more legitimacy.

The new versions of Mytob contain a number of hidden messages. For instance, some claim the author's name as 'DiablO" and contain debug strings such as '[x] starting Hellbot::v3 beta 2'.

"By using this disguise, new versions of Mytob attempt to lure the unwary into clicking on a dangerous web link," said Graham Cluley, senior technology consultant at Sophos.

"This is a real headache for IT departments which often struggle to get their users to follow instructions. In this case, following the advice of the email would be a very bad idea."