By Matt Hines
Wednesday, March 30 2005 09:23 AM
URL: http://www.zdnetasia.com/news/security/0,39044215,39223788,00.htm
With eight new variants surfacing in the last week alone, and over a dozen
reported since the beginning of March, the Mytob mass-mailing worm appears to be
evolving rapidly.
On Monday, security software maker Symantec reported two new versions of the
virus, labeled as W32.Mytob.R and W32.Mytob.S. Both worms
achieved a low or moderate threat rating from Symantec, as have earlier variants
of Mytob, but the company is still recommending that people update their
security software immediately to protect against the emerging threat.
Like other iterations of Mytob, the two latest versions are distributed via
mass e-mail campaigns, feature so-called backdoor capabilities, and attack
computers running on Microsoft's Windows operating system. The worm uses its
own SMTP (Simple Mail Transfer Protocol) engine to forward itself to e-mail
addresses that it gathers from infected computers. The threat also spreads by
exploiting the Local Security Authority Service Remote Buffer Overflow in the
Windows operating system, an opening that the software giant has already
addressed in its periodic security updates.
Symantec has tracked numerous variations of the two new Mytob worms, with each threat
being distributed from a number of different sender names and featuring a range
of e-mail subject headers and message texts. Both Mytob.R and Mytob.S arrive in
e-mails offering subject tags including the phrases "good day" or "mail
transaction failed."
Most of the 13 iterations of the virus discovered since the beginning of 2005
are nearly identical, but one version, W32.Mytob.Q, which was reported by
Symantec on Sunday, harbors a second, low-threat virus, W32.Pinfi.