Early this morning we released an update for Net-Worm.Win32.Mytob.eg.
Since then we've been seeing a clear increase in the number of samples.
This variant doesn't really differ from earlier variants; it's just a very basic Mytob. However, it is spreading, which means that users should be on the lookout.
It spreads via email and contains a limited IRCBot which only has support for basic features such as downloading files.
As is usually the case with Mytob, the email message that brings the worm closes with a statement purporting to be from an antivirus company, saying that no viruses have been found.
This variant is spreading actively, so be smart and don't be fooled.
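A mail-gateway triage check for the pattern described above, where a message carrying an attachment closes with a claim that no viruses were found. This is an added example, not Kaspersky's detection logic; the extension list, the wording matched by the regular expression and the sample messages are all constructed assumptions.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Assumptions of this example: extensions treated as risky, and claim wording.
RISKY_EXT = (".exe", ".scr", ".pif", ".bat", ".cmd", ".com", ".zip")
CLEAN_CLAIM = re.compile(
    r"no\s+virus(es)?\s+((was|were|has\s+been|have\s+been)\s+)?(found|detected)"
    r"|virus[- ]free", re.IGNORECASE)

def risky_attachments(msg):
    """Lower-cased names of attachments with a risky extension."""
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    return [n for n in names if n.endswith(RISKY_EXT)]

def closing_clean_claim(msg, tail_lines=5):
    """Return the closing line that claims a clean scan, or None."""
    body = msg.get_body(preferencelist=("plain",))
    if body is None:
        return None
    lines = [l.strip() for l in body.get_content().splitlines() if l.strip()]
    return next((l for l in lines[-tail_lines:] if CLEAN_CLAIM.search(l)), None)

def triage(raw):
    """Flag only when a risky attachment and a clean-scan claim occur together."""
    msg = email.message_from_string(raw, policy=policy.default)
    names, claim = risky_attachments(msg), closing_clean_claim(msg)
    return {"attachments": names, "claim": claim, "flag": bool(names and claim)}

def _constructed(body, filename=None):
    """Build a constructed sample message; the attachment bytes are a placeholder."""
    m = EmailMessage()
    m["Subject"] = "Constructed sample"
    m.set_content(body)
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_string()

FOOTER = "\n\nChecked by antivirus: no viruses found.\n"
SAMPLE_BOTH = _constructed("See the attached details." + FOOTER, "Details.SCR")
SAMPLE_FOOTER_ONLY = _constructed("Minutes from today's meeting." + FOOTER)
SAMPLE_ATTACH_ONLY = _constructed("Installer as requested.", "setup.exe")

if __name__ == "__main__":
    for raw in (SAMPLE_BOTH, SAMPLE_FOOTER_ONLY, SAMPLE_ATTACH_ONLY):
        print(triage(raw))
```

A clean-scan footer alone is common in legitimate mail, which is why the check requires both signals before flagging.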
We've been seeing a lot of new Mytob variants recently. It's less than three months since we added detection for Mytob.a and already we're well into double figures. In the last day or so we've added detection for Mytob.au (and there's a lot of Mytob.au out there!), Mytob.av and Mytob.aw. If it were not for generic signatures, there would be a lot more!
Generic detection lets us detect multiple variants of the same malware family using a single virus definition ... sometimes tens or even hundreds of threats! The use of hundreds of unpackers within the Kaspersky® antivirus engine has the same effect: re-packed variants are often detected without the need for a new definition.
The downside is that the suffix used to identify some new threats may not match that used by other antivirus vendors. This is especially true for 'successful' threats that spawn large numbers of variants.