Full Version: OT new email worm
seanery
E-mail worm spreading fast


Associated Press
January 27, 2004


SAN JOSE, Calif. -- A malicious program attached to seemingly innocuous e-mails was spreading quickly over the Internet on Monday, clogging network traffic and potentially leaving hackers an open door to infected personal computers.

The worm, called "Mydoom" or "Novarg" by antivirus companies, usually appears to be an e-mail error message. A small file is attached that, when launched on computers running Microsoft Corp.'s Windows operating systems, can send out 100 infected e-mail messages in 30 seconds to e-mail addresses stored in the computer's address book and other documents.

The attack was first noticed Monday afternoon. Within hours, thousands of e-mails were clogging networks, said Vincent Gullotto, vice president of Network Associates' antivirus emergency response team.

Besides sending out e-mail, the program appears to open up a backdoor so that hackers can take over the computer later.

"As far as I can tell right now, it's pretty much everywhere on the planet," Gullotto said.

Security software experts were scrambling to decrypt the details of the malicious program and were arriving at different conclusions.

Symantec, an antivirus company, said the worm appeared to contain a program that logs keystrokes on infected machines. It could collect usernames and passwords of unsuspecting users and distribute them to strangers.

Network Associates did not find the keylogging program.

The worm also appears to deposit its payload into folders open to users of the Kazaa file-sharing network. Remote users who download those files and run them could be infected.

Symantec also found code that would flood The SCO Group Inc.'s Web site with requests in an attempt to crash its server, starting Feb. 1. SCO's site has been targeted in other recent attacks because of its threats to sue users of the Linux operating system in an intellectual property dispute. An SCO spokesman did not return a telephone call for comment Monday.

Overall, the computer security firm Central Command confirmed 3,800 infections within 45 minutes of initial discovery.

"This has all the characteristics of being the next big one," said Steven Sundermeier, Central Command's vice president of products and services.

It appeared to first target large companies in the United States -- and their large address books -- but quickly spread internationally, said David Perry, global director of education at the antivirus software firm Trend Micro.

Unlike other mass-mailing worms, Mydoom does not attempt to trick victims by promising nude pictures of celebrities or mimicking personal notes. Instead, one of its messages reads: "The message contains Unicode characters and has been sent as a binary attachment."

"Because that sounds like a technical thing, people may be more apt to think it's legitimate and click on it," said Steve Trilling, Symantec's senior director of research.

Subject lines also vary. The attachments have ".exe," ".scr," ".cmd" or ".pif" extensions, and may be compressed as a Zip file.

Microsoft offers a patch for its Outlook e-mail software to warn users before they open such attachments or to prevent them from opening them altogether. Antivirus software also stops infection.

Christopher Budd, a security program manager with Microsoft, said the worm does not appear to take advantage of any Microsoft product vulnerability.

"This is entirely a case of what we would call social engineering -- enticing users to take actions that are not in their best interest," he said.

He said the software giant was working with other companies to learn more about the worm, but that, as of yet, the information about the worm was still "very spotty." The Redmond, Wash.-based company was encouraging users to take precautions such as using an Internet firewall and using up-to-date antivirus software.

Mydoom isn't the first mass-mailing virus of the year. Earlier this month, a worm called "Bagle" infected computers but seemed to die out quickly. So far, it's too early to say whether Mydoom will continue to be a problem or peter out, experts said.
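The attachment and lure-text heuristics the article lists (an executable .exe/.scr/.cmd/.pif attachment, possibly wrapped in a Zip, and the fake "Unicode characters ... binary attachment" error text) are enough for a simple mail-gateway filter. The Python script below is an added example written for this page, not code from the article or from any vendor named in it. The sample messages, sender addresses and file names in it are constructed for illustration, and the verdict rules ("block" when both signals are present, "suspicious" on one) are the example's own choice, not a published Mydoom signature.

```python
"""Flag e-mail messages that look like the Mydoom/Novarg mass-mailer.

Heuristics taken from the AP article: a body posing as a delivery error,
an attachment ending in .exe/.scr/.cmd/.pif, possibly inside a Zip.
All sample messages below are constructed for illustration (assumption:
addresses, subjects and file names are invented).
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

EXEC_EXTENSIONS = (".exe", ".scr", ".cmd", ".pif")
# Lure text quoted in the article, lower-cased and whitespace-normalised.
LURE_PHRASES = (
    "the message contains unicode characters and has been sent "
    "as a binary attachment",
)


def _ends_executable(name: str) -> bool:
    return name.lower().endswith(EXEC_EXTENSIONS)


def risky_attachments(raw: bytes) -> list:
    """Names of attachments that are executables, or Zips holding one.

    A Zip that cannot be parsed is reported too: a gateway should not
    wave through what it cannot inspect.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if _ends_executable(name):
            hits.append(name)
        elif name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    inner = [n for n in zf.namelist() if _ends_executable(n)]
            except zipfile.BadZipFile:
                inner = ["<unreadable zip>"]
            if inner:
                hits.append(f"{name} -> {', '.join(inner)}")
    return hits


def has_lure_text(raw: bytes) -> bool:
    """True when the text body carries the fake error message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    text = " ".join(text.lower().split())  # fold line breaks and spacing
    return any(phrase in text for phrase in LURE_PHRASES)


def classify(raw: bytes) -> str:
    """Verdict for one raw RFC 822 message: 'block', 'suspicious' or 'ok'."""
    attachments = risky_attachments(raw)
    lure = has_lure_text(raw)
    if attachments and lure:
        return "block"
    if attachments or lure:
        return "suspicious"
    return "ok"


# --- constructed sample messages (assumption: not real traffic) -----------
def build_sample(body: str, filename: str, data: bytes) -> bytes:
    m = EmailMessage()
    m["From"] = "mailer-daemon@example.com"
    m["To"] = "victim@example.com"
    m["Subject"] = "Mail Delivery System"
    m.set_content(body)
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


def make_zip(inner_name: str, data: bytes = b"MZ not a real program") -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, data)
    return buf.getvalue()


LURE_BODY = ("The message contains Unicode characters and has been sent "
             "as a binary attachment.")
SAMPLE_EXE = build_sample(LURE_BODY, "document.pif", b"MZ not a real program")
SAMPLE_ZIP = build_sample(LURE_BODY, "readme.zip", make_zip("readme.scr"))
SAMPLE_SUSPICIOUS = build_sample("See attached.", "setup.exe", b"MZ stub")
SAMPLE_CLEAN = build_sample("Photos from the autocross attached.",
                            "photos.zip", make_zip("914.jpg", b"\xff\xd8"))

if __name__ == "__main__":
    for label, raw in [("exe", SAMPLE_EXE), ("zip", SAMPLE_ZIP),
                       ("suspicious", SAMPLE_SUSPICIOUS), ("clean", SAMPLE_CLEAN)]:
        print(f"{label:11s} {classify(raw):10s} {risky_attachments(raw)}")
```

The script only looks one Zip deep and trusts file names rather than content; a gateway that wants to catch a renamed executable would additionally check the first bytes of each attachment for a PE header, which the article's description does not cover.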
SirAndy
Yup, got it today on one of my "dead" accounts.

Looked at it just for fun, not bad for a bored 12-year-old from Racine WI. (I'm just guessing here, of course) ...

As always, don't open attachments from people you don't know.
Andy
seanery
I just got notice that Norton has already updated their virus definitions for this worm, so run live update today and you're covered.
SirAndy
QUOTE(seanery @ Jan 27 2004, 09:41 AM)
I just got notice that Norton has already updated their virus definitions for this worm, so run live update today and you're covered.

I know, I know, but in order to examine the virus I had to trick Norton into believing it's just a harmless attachment.

Andy
Downunderman
I received 3 emails with it at the office yesterday. So did a few of the staff. Nothing opened and no damage done.
smrz914
So I have a question about these worms and viruses. If your e-mail is through, say, Hotmail, can it affect your computer? I don't use any of my e-mail programs on my computer and I don't think I ever will. Of course I don't open any attachments unless I know who it's from, the person that sent it to me tells me it's there, and I know the file type. I've never gotten a worm/virus (knock on wood) and I only just got a firewall/virus program last August because I was getting DSL connected to my comp. Just wondering.
SirAndy
QUOTE(smrz914 @ Jan 27 2004, 02:55 PM)
So I have a question about these worms and viruses. If your e-mail is through, say, Hotmail, can it affect your computer?

Depends on the virus and how it's programmed.

This particular one uses your Outlook address book to spread itself to everybody in there.
Others just install a "backdoor" for someone else to hijack your computer (and use it either for free storage or as a spam relay).
Others just get off on deleting your hard drive.

I would NOT recommend relying on your e-mail host (like Hotmail), your provider (wherever you get your DSL from) or a DSL router's built-in virus scanner.

Get some real anti-virus software and install it on your box (and update it at least once a week!).

Also, a firewall DOES NOT protect you from viruses; it protects you from external attacks. The problem is, once you've been infected with some sort of trojan "backdoor", your firewall is useless because the virus will initiate the connection from within.

As a golden rule:
NEVER open attachments you don't expect, even if they come from trusted sources!

Andy
Gint
Most wholeheartedly.

I couldn't have said it any better.
smrz914
Well, I don't have any info in my Outlook and I have antivirus software that is up to date. So can I conclude that I am safe? I know I'm not immune, I'm sure.
SirAndy
QUOTE(smrz914 @ Jan 27 2004, 04:07 PM)
Well, I don't have any info in my Outlook and I have antivirus software that is up to date. So can I conclude that I am safe? I know I'm not immune, I'm sure.

Yup, you might.
Although I thought I heard that it also installs a backdoor for remote access ...

Dunno, do a search on Symantec's web site.
Andy
Gint
Friends don't let friends use outlook! At home anyway.
campbellcj
We got a whole ton of these today.

Be sure to update your virus patterns regularly folks! Trend Micro's automatic update works really well on our network, but it still takes some diligence to check things out periodically and make sure each machine is set up correctly.

"Real time" POP3 mail scanners are very helpful too. We have a few machines running Mozilla mail and the pop scanner works just as well as on Outlook.

Speaking of Outlook -- the "full" Outlook XP (2002) or 2003 versions seem quite solid to me. It is Outlook Express that is, or at least used to be, pretty scary...and it's on just about every Windows machine in the world by default.
mikester
We started getting it late yesterday. The Symantec Anti virus caught it at the mail server - only a few got through. We check for updates to definitions every 6 hours. Might bump it to 3...