Computerworld - When I came into work after the weekend, a very interesting e-mail message was waiting for me. The message, with the subject line "Account Alert," appeared to be from our help desk. It requested that I read an attached document pertaining to my user account.
The attachment was named "account-info.exe." This was very alarming. We have invested heavily in various technologies to prevent e-mail with executable file attachments from making it through our external mail gateways, but it looked like one had gotten through. My fears were validated when others in the IT department said that they had received the same e-mail. Of course, a good percentage of the folks in the IT department know that executable file attachments should never be opened, since they are often used as vehicles for distributing malicious code. Unfortunately, there is apparently a substantial number of employees in our company who either didn't know this or were fooled into believing that the e-mail originated from a trusted source.
The timing of this message couldn't have been worse. As part of the process of synchronizing our user accounts, we have been sending out official communications to our users regarding the upcoming resetting of passwords. So users have grown accustomed lately to seeing important e-mail from the IT department. This e-mail didn't follow the official company communications format, but a lot of users didn't pay much attention to that. The result: Lots of users opened the attachment, and their machines got infected.
After we analyzed the attachment, we realized that our network was infected with the W32.Mytob.DP@mm worm. This worm is nasty. It does a lot of the usual stuff, such as adding entries to the host file, registry keys, services and so on. But it also includes its own mail relay, which allows it to find e-mail addresses, distribution lists and address books located in popular e-mail programs and send e-mail, including that executable attachment, to everyone it can find. In this way, it replicates itself. But W32.Mytob.DP@mm also attempts to open an Internet Relay Chat session within a certain chat room. If the worm is successful in connecting to the chat room, it sits idle, waiting for a command from the IRC server. This command can cause the infected system to download files or conduct other malicious activity.
I've seen such worms install keystroke-capturing programs and periodically send the keystroke information to the IRC server. That sort of activity wasn't observed in this case, but its potential to damage the company was still high.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
