4/8: Mytob-S Worm Continues to Flourish
April 8, 2005

Anti-virus vendors continue to issue alerts for mass-mailing Mytob worm variant and backdoor Trojan W32/Mytob-S. According to Sophos, W32/Mytob.S targets users of Internet Relay Chat programs.

The worm drops the files msdirectx.sys (detected by Sophos's anti-virus products as Troj/NtRootK-F), winsys.exe (detected by Sophos's anti-virus products as Troj/Furoot-B) and coolbot.exe (detected by Sophos's anti-virus products as W32/Mytob-H). Note that W32/Mytob-S uses the filename "coolbot.exe" for both a copy of the original worm in the Windows system folder and as the dropped file in the root folder, though they are different files.

W32/Mytob-S is capable of spreading through email and through various operating system vulnerabilities.

More information can be found at Sophos page.