At the end of my boring shift, e-mails started arriving and soon I was wide awake.
The e-mails contained a copy of WORM_MYTOB; this is easily distinguished by the hellmsn.exe drop file and other common WORM_MYTOB traits… or so I thought. :)
After a few minutes of looking at the malware body, I realized that it is again a WORM infected with PE_BOBAX.
At first I thought this was just a technique to raise the infection rate of PE_BOBAX. Now I’m realizing a new angle on this: it may also be done to avoid detection of the infector itself (PE_BOBAX).
This is because most AV engineers would then be fooled into detecting the INFECTED WORM, so the nasty little bugger (I’m talking about PE_BOBAX here) that is carried by the WORM gets away, free to infect other files on the user’s system.
So far the most successful in spreading is the one infected with WORM_MYTOB.