Mytob virus spreads in hospitals

There is something ironic about three hospitals in London being severely hit by a virus which has nothing to do with the human immune system.


And yet the Mytob virus, which has brought down networks and systems at Barts and The London NHS Trust, has everything to do with patients.

The virus, with the official name of W32/[email protected], plants a Trojan horse which could put confidential personal data at risk, said Graham Cluley, a senior technology consultant at IT security supplier Sophos.

Hackers could exploit the virus to gain control over infected networks and computers, and potentially access confidential information on patients without the knowledge of the trust's security and IT specialists.

The virus was first detected at Barts and The London on Monday 17 November in what Barts described as a "major incident". By Thursday some parts of the network were still down. Ambulances were diverted to neighbouring hospitals and doctors reverted to using paper records and making requests for x-rays on paper. The incident has caused backlogs of work and delays in care and treatment.

And once the systems have been disinfected, staff will need to key in information from paper to update the electronic records. The hospital declined to comment on the backlogs of work, the effects of the virus on patients or on the running of the hospitals. And it is unknown how much it will cost to cleanse IT equipment.

"There are two real pains here," said Cluley. "One is that doctors and nurses will not be able to access electronic patient records which could interrupt treatment. Also hackers could potentially be able to access confidential records. When the hospital took down networks that was a very sensible thing to do - hackers would not be able to access records." This could explain why the networks were down for days.

Barts said it is disinfecting desktop systems one by one.

"If they have just one computer still infected, even if they have cleaned up 99% of the other computers, that one computer could re-infect the rest of the network. It is like a biological virus. One individual with a virus could give it to everyone else," said Cluley.

Barts is an "early adopter" of LC0, a London-specific version of Cerner Millennium Care Records Service which has been installed by BT as part of the NHS's £12.7bn National Programme for IT. Barts' networks and systems have to be of a high standard to connect to the Care Records Service.

Experts say the three most likely causes of the attack are that anti-virus software was not installed on one or more devices on the network, anti-virus software failed to detect all of the hundreds of versions of Mytob, or not all systems were running the latest version of anti-virus software. It was perhaps unfortunate for IT security staff at Barts that anti-virus software suppliers have categorised Mytob as "low-risk" for corporate users.

For hospital IT staff the threat of viral attack - and the possible loss of confidential patient data - is increasing, in part because of centralisation and regionalisation of IT. The National Programme for IT is intended to replace fragmented networks and systems with central databases and large, complex networks. Yet fragmented systems, if infected, have caused only isolated or localised disruption.

Labyrinthine networks that allow patient data to be widely shared could make the difference between life and death. But viruses are such powerful opponents to central databases, and large complex networks, that they may never be wholly beaten or overcome.

What is Mytob?

Anti-virus software suppliers McAfee and Symantec describe the risk of infection by Mytob as "low". Symantec describes it as a "mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the Windows Address Book on the compromised computer". The worm also has the ability to "open a back door and spread through the network by exploiting vulnerabilities".

It may send repeated network messages to trace other computers to infect, which will generate masses of irrelevant network traffic, bringing systems to their knees. A Barts spokesman has conceded that its networks have been overloaded with viral messages. The virus may also send information to hackers about the configuration of each infected computer and what data is accessible.

The presence of the virus poses a risk that hackers could control the network and devices on it, and possibly access confidential patient information.
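The two network behaviours described above (a worm mailing through its own SMTP engine, and repeated messages probing for other computers) can be looked for in flow records. The following is an added example, not code from Computer Weekly, Barts or any supplier named here; the address range, mail relay, threshold and sample records are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records ("src dst dport"), not data from the incident.
# Port 445 is an arbitrary choice for the sample, not a statement about Mytob.
SAMPLE_FLOWS = """\
10.1.4.20 10.1.0.5 25
10.1.4.21 203.0.113.10 25
10.1.4.21 198.51.100.7 25
10.1.4.21 192.0.2.44 25
10.1.0.5 203.0.113.10 25
10.1.4.22 10.1.4.30 445
10.1.4.22 10.1.4.31 445
10.1.4.22 10.1.4.32 445
10.1.4.22 10.1.4.33 445
10.1.4.23 10.1.0.9 445
"""

INTERNAL = ipaddress.ip_network("10.1.0.0/16")  # assumed site address range
MAIL_RELAYS = {"10.1.0.5"}                      # assumed approved mail relay
FANOUT_THRESHOLD = 4  # assumed: distinct internal peers contacted on one port


def parse_flows(text):
    """Yield (src, dst, dport) and skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        try:
            src, dst = (ipaddress.ip_address(p) for p in parts[:2])
            yield src, dst, int(parts[2])
        except (ValueError, IndexError):
            continue


def find_suspect_hosts(text):
    """Map each internal source host to the reasons it looks infected."""
    smtp_direct, fanout = defaultdict(set), defaultdict(set)
    for src, dst, dport in parse_flows(text):
        if src not in INTERNAL:
            continue
        if dst in INTERNAL:
            fanout[(str(src), dport)].add(dst)
        elif dport == 25 and str(src) not in MAIL_RELAYS:
            smtp_direct[str(src)].add(dst)  # mail sent around the relay
    findings = defaultdict(list)
    for host in smtp_direct:
        findings[host].append("direct-smtp")
    for (host, dport), peers in fanout.items():
        if len(peers) >= FANOUT_THRESHOLD:
            findings[host].append(f"fanout:{dport}")
    return dict(findings)
```

A host flagged here is a candidate for isolation and cleaning before it can re-infect machines that have already been disinfected.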


Computer Weekly asked McAfee why it (and other suppliers) had categorised Mytob as low risk when it had caused a major incident at three London hospitals. A McAfee spokeswoman said, "McAfee classes threats based on the speed of attack, the damage caused and its prevalence. A rating as 'low' is not to say that a threat is not damaging but ratings are comparative and based on all criteria.

"When rating the generic variation of this particular threat, the fact that it does not damage the hard drive or delete files, as some other threats have been seen to do, is taken into account. With updated anti-virus protection in place, organisations should not find themselves impacted."

Whitelisting - a solution for viruses?

Is it possible for IT security staff to block all viruses when anti-virus software suppliers are faced with understanding and tackling 20,000 new pieces of malicious code every day, one piece every four seconds?

Some suggest whitelisting - allowing on the network only approved applications and devices. But even then approved systems could be hit by viruses. Experts say that organisations need to block from the network any devices that are not running the latest version of anti-virus software, and that software must defend against all known threats.
