NHS hospitals contract Mytob virus

Worm wriggles into IT systems and does a bit of networking

The Mytob computer worm infected three major London hospitals yesterday, forcing them to shut down IT systems for at least 24 hours, and causing ambulances to divert to unaffected hospitals to avoid the 'manual systems' being used in the affected units.

A statement on the Barts and The London NHS Trust web site said that the internal incident arose from a computer virus which "overloaded its network".

"This has been a difficult day," said Julian Nettel, chief executive of the Barts and The London NHS Trust. "But by using back-up systems, manual procedures and working flexibly, we have continued to provide high quality care to our patients."

The London Chest Hospital, the Royal London Hospital and St Bartholomew's had to implement emergency procedures after the infection.

Andrew Clarke, international senior vice president at Lumension Security, said: "Much attention has been focused recently on data protection and controlling and managing removable devices such as USB sticks. However, the integrity of operations is still important and should not be overlooked."

The problem for the hospitals is that Mytob spreads to other systems using shared folders accessible over networked IT systems. The fact that the NHS Trust statement admits to an "overloaded network" shows that the virus was spreading to any system on that network.

So if sites remote to the initial infection were sharing folders, the virus could potentially spread to systems on the other side of the world, as well as those connected locally.

Mytob was first seen in March 2005 and, worryingly for the NHS, is not a previously unseen virus of the kind normally called a zero-day threat. Mytob replicates by exploiting the so-called Local Security Authority Subsystem Service (LSASS) vulnerability, initially patched by Microsoft in 2004.

Mytob also opens certain ports, lowers security settings on affected systems and blocks security websites. It can prevent the Windows task manager from opening, stopping IT admins from checking and terminating the viral processes.