There is a new MyTob variant that is making the round on the net. It successfully propagates by sending a fake email with the embedded link pointing to the copy of itself. See below for the email details.
Subject: Account Alert
Email Details:Sincerely, {random} Security Department
http://www.{random}/confirm.php?account={random}
Dear Valued Member,
According to our terms of services, you will have to confirm your e-mail by the following link, or your account will be suspended within 24 hours for security reasons.
After following the instructions in the sheet, your account will not be interrupted and will continue as normal.
Thanks for your attention to this request. We apologize for any inconvenience.
The link being displayed in the email actually points to
http://204.{blocked}/Confirmation_Sheet.pif, which is the copy of the worm itself.
It also has a backdoor capability wherein the attacker can retrieve system information and download and execute file on the affected system by joining the affected system to an ‘attacker-owned’ IRC server.
Note:
The malicious file has been given the detection name WORM_MYTOB.MR.
