Mytob is a worm malware family active in 2005 and closely associated with the Zotob outbreak. The provided content describes Zotob as a variant or descendant of Mytob: researchers assessed that the Zotob author had access to Mytob source code, removed Mytob’s email-spreading functionality, and added exploit code for the Windows Plug-and-Play vulnerability addressed by MS05-039. Mytob is also described as related to Zotob and Zytob, with shared infrastructure noted in that an IRC server used by Zotob had previously been used by an earlier Mytob version.
According to F-Secure, there were around 70 known Mytob variants, and practically all Mytob variants created botnets on infected machines. Some Mytob botnets were reportedly controlled by unrelated groups, including Blackcarder, and earlier Mytob variants downloaded additional components from a site associated with 0x90-Team. The content links numerous Mytob variants to the handle "Diabl0" as circumstantial evidence, and states that F-Secure believed "Diabl0" was likely responsible for several Mytob variants, though not all of them. Multiple sources in the content emphasize that several authors likely had access to Mytob source code and continued producing variants, including after Farid Essebar’s arrest.
The content directly mentions Mytob’s email-spreading functionality, IRC-based botnet behavior, and monetization-related behavior described by a person using the Diabl0 handle: lowering Microsoft Internet Explorer security settings so pop-up advertisements would not be blocked, with those browser-setting changes potentially persisting after worm removal. Mytob infections were discussed in the context of financially motivated cybercrime, with infected systems used as zombie machines and monetized through advertising-related abuse. High-confidence associations in the content include links to the aliases/handles Diabl0 and 0x90-Team, relationships to Zotob and Zytob, and use by multiple criminal groups rather than a single exclusive operator.
Sophos researchers have determined that over 20 other viruses include the "Diabl0" handle, including numerous variants of the Mytob worm (a code cousin to Zotob) as well as a MyDoom variant, MyDoom-BG.
A worm with widely available source code that produced many variants. The content says one intention of Mytob was to lower Internet Explorer security settings so pop-up adverts would not be blocked, enabling monetization through ad installs or visits.
A worm family described as a code cousin to Zotob. It primarily spreads via email, and many variants create botnets from infected machines. The article suggests multiple authors had access to its source code and produced numerous variants.
A prior worm/bot family referenced as the ancestor of Zotob.
Referenced as a related worm family via shared IRC infrastructure and source-code access claims; no functional details provided beyond linkage context.