The MYTOB worm is spreading rapidly in Hungary as well

Trend Micro maintains a medium level alert for the latest variants of the MYTOB worm - the last 2 versions have been detected in many countries, including Hungary.

In the past 2 months, since its release on February 26, 2005, more than 100 variants of the MYTOB worm have been identified by TrendLabs, Trend Micro’s global virus protection research and support center. According to today's statistics of Vírushiradó, 7 variants of MYTOB have appeared and caused damage in Hungary in the last 39 days, resulting in a total of 588.037 infections in the freemail mail system. This accounts for nearly 7% of attacks in the last 30 days, with a total infected file containing 2 million emails.

The mode of transmission of MYTOB
Like previous versions, this memory-resident worm spreads by sending copies of itself as a file attached to e-mail messages, using its own Simple Mail Transfer Protocol (SMTP) engine. Once launched, the worm downloads a spyware program that places advertisements on the victims' computers. The worm is also capable of opening back doors and has a built-in Internet Relay Chat (IRC) bot that allows it to connect to a specified IRC server.

Tactics used for spread
This classic tactic, which exploits the credulity of users, presents MYTOB as an important message about a particular email mailbox, as if the message were sent by an administrator. The worm can arrive in a number of emails with different subjects and body text. It asks the user to respond to the email if they want to avoid having their mailbox disabled or terminated.

A recommendation from a Trend Micro expert on defense
“This isn’t the first time we’ve seen such tactics based on user credulity from the makers of malicious code, and celebrity names have been featured in malicious apps before. However, the growing number of spyware and advertisements used in conjunction with backdoor capabilities is already a cause for concern, as these applications allow an attacker to deceive their victim. Trend Micro recommends that administrators disable the use of non-essential file extensions, such as .exe, .pif, and .scr files, and that end users not open suspicious e-mails and attachments and ensure that they keep the sample antivirus files up to date,” said David Kopp, Head of TrendLabs EMEA.

Trend Micro customers are protected against this threat by using the latest sample file No. 2.653.00. Outbreak Prevention Services customers can protect against the spread of this threat by downloading OPP 177 (or later) infection prevention policies. Customers who use Damage Cleanup Services can facilitate the automatic recovery of affected systems by downloading template file 622.

For other users, we recommend Trend Micro's free online antivirus service, Housecall, which is available at http://housecall.trendmicro.com/.
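
The administrator-side recommendation above, blocking non-essential attachment extensions such as .exe, .pif and .scr, can be sketched as a mail-gateway check. This is an added example, not Trend Micro code; the function names and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions named in the recommendation above; a production list is longer.
BLOCKED_EXTENSIONS = (".exe", ".pif", ".scr")


def blocked_extension(filename):
    """Return the blocked extension the file would run as, or None."""
    # Windows drops trailing dots and spaces, so "x.scr." is saved as "x.scr".
    name = filename.lower().rstrip(". ")
    for ext in BLOCKED_EXTENSIONS:
        # Only the final extension counts: "info.txt.pif" is a .pif file.
        if name.endswith(ext):
            return ext
    return None


def blocked_attachments(raw_message):
    """Return (filename, extension) for each MIME part with a blocked name."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() also visits parts of nested multiparts
        # get_filename() reads Content-Disposition, then Content-Type "name".
        filename = part.get_filename()
        ext = blocked_extension(filename) if filename else None
        if ext:
            hits.append((filename, ext))
    return hits


def build_sample():
    """Constructed message: one harmless and two disguised attachments."""
    msg = EmailMessage()
    msg["From"] = "admin@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("Constructed body text.")
    for name in ("notes.txt", "account-info.txt.pif", "Details.SCR."):
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, ext in blocked_attachments(build_sample()):
        print(f"quarantine: {filename!r} (runs as {ext})")
```

The check looks at attachment names only; it does not inspect file contents or the members of archives.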

WORM_MYTOB.BI and WORM_MYTOB.AR
Once launched, the worm places a file, often named after a famous Belgian actress, Lien Van de Kelder, in the Windows system folders. The spyware component, identified as TSPY_AGENT.H, allows an attacker to track mouse clicks on the mediatickets.net spyware website in order to follow infection rates and user preferences.