BBC NEWS | Technology | Mydoom spreading as fast as Sobig
A malicious computer virus spread via e-mail is clogging networks and may allow unauthorised access to personal computers, experts have warned.
The worm, Mydoom or Novarg, is carried as an e-mail attachment in a text file and sends itself out to other e-mail addresses once opened by the recipient.
The virus may also open a "back door" to the computer to give hackers access.
It is also spread through file-sharing networks and experts think it could be worse than last summer's Sobig worm.
Thousands of e-mails triggered by the worm, which only affects computers using Microsoft Windows, were bombarding networks within hours of its discovery on Monday.
E-mail security firm MessageLabs said it had stopped over 580,000 copies of the worm in the last 24 hours, and Symantec have had more than 150 reports an hour from companies and individuals who have received it.
Website attack?
The mass-mailing worm is very similar to other types, such as 2003's Bugbear and Sobig, and relies on e-mail to get from place to place, Symantec's Kevin Hogan explained to BBC News Online.
"It is very much in line with Bugbear or Sobig. We are seeing almost exactly the same number of reports of the virus, which means it has the same rate of spread.
"It is a very simple example. It simply relies on a human to double click on an attachment to run it."
MYDOOM DETAILS
From: random e-mail address
To: address of the recipient
Subject: random words
Message body: several different mail error messages, such as: Mail transaction failed. Partial message is available
Attachment (with a textfile icon): random name ending with ZIP, BAT, CMD, EXE, PIF or SCR extension
When a user clicks on the attachment, the worm will start Notepad, filled with random characters
If the attachment is opened, it will do two things, Mr Hogan said. It deposits a back door, or a piece of software that listens to commands sent remotely over the net and acts on them.
"But it also seems it will attempt to perform a denial of service attack on SCO from 1 February to the 12th," said Mr Hogan.
SCO is one of the largest Unix open-source vendors in the world. It has been in the news recently because it has claimed that key parts of the open-source operating system, Linux, are under SCO's copyright.
Last year's Blaster worm attempted a similar attack on Microsoft's website, which was stopped.
No porn promise
Unlike many of its predecessors, Mydoom does not entice the recipient to open the attachment by promising nude pictures or personal messages.
Instead, the e-mail carrying the virus often bears the subject "Test" or "Status". The message inside may read: "The message contains Unicode characters and has been sent as a binary attachment".
Many of the e-mails look like they have been sent from organisations like charities or educational institutions, in an attempt to fool the recipient into opening the e-mail.
PROTECT YOURSELF FROM VIRUSES
Install an anti-virus program
Keep it up to date
Get the latest patches and updates for your operating system
Never automatically open e-mail attachments
Download or purchase software from trusted, reputable sources
Make backups of important files
This happens when the virus sends itself out to all other addresses on an infected machine, "spoofing" the sender's e-mail address as it does so.
"Mydoom can pose as a technical-sounding message, claiming that the e-mail body has been put in an attached file," said Graham Cluley from security firm Sophos.
"Of course, if you launch that file you are potentially putting your data and computer straight into the hands of hackers."
Users are advised to delete or ignore the e-mail attachment - which usually ends .exe, .scr, .zip, .cmd or .pif - to avoid damage.
Symantec have advised anyone who has received the worm to avoid opening or double clicking the attachment.
Users should also ensure their anti-virus software is up-to-date, so that if the attachment is opened by accident, the software will catch it.
If anti-virus software does not spot an infection once the attachment is launched, users should download the free tools available to deal with it.
The security firm added that if users start getting unusual pop-up messages from their desktop firewall, the chances are the computer has been infected.
The top two viruses of 2003, Sobig-F and Blaster-A, accounted for more than one-third of all the malicious programs seen during 2003.
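The traits in the MYDOOM DETAILS box and the attachment advice above can be turned into a mail-gateway check. The Python below is an added example, not code from the BBC article or from any vendor it quotes; the function names, the sample messages and the verdict policy (quarantine a directly runnable attachment, or a ZIP that arrives with the fake mail-error wording) are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment extensions the article lists; ZIP is kept apart because it is routine in clean mail.
RUNNABLE = {".bat", ".cmd", ".exe", ".pif", ".scr"}
ARCHIVE = {".zip"}
# Fake error wording quoted in the article, lower-cased for matching.
LURES = (
    "mail transaction failed. partial message is available",
    "the message contains unicode characters and has been sent as a binary attachment",
)

def launch_ext(name: str) -> str:
    """Extension Windows would act on: last suffix, trailing dots/spaces ignored."""
    base = name.strip().rstrip(". ").lower()
    return "." + base.rpartition(".")[2] if "." in base else ""

def triage(raw: bytes) -> dict:
    """Classify one raw message; the verdict policy is this example's assumption."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    runnable, archives, text = [], [], []
    for part in msg.walk():
        name = part.get_filename()  # decodes RFC 2047/2231 encoded filenames
        if name:
            ext = launch_ext(name)  # "notes.txt.scr" counts as .scr, not .txt
            if ext in RUNNABLE:
                runnable.append(name)
            elif ext in ARCHIVE:
                archives.append(name)
        elif part.get_content_type() == "text/plain":
            text.append(part.get_content())
    body = " ".join(" ".join(text).lower().split())  # collapse line wraps
    lures = [phrase for phrase in LURES if phrase in body]
    verdict = "quarantine" if runnable or (archives and lures) else "deliver"
    return {"verdict": verdict, "runnable": runnable, "archives": archives, "lures": lures}

def sample(body: str, filename: str) -> bytes:
    """Build a constructed test message; the attachment is harmless placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.org", "b@example.org", "Test"
    m.set_content(body)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(sample("Mail transaction failed. Partial message is available.", "body.zip")))
    print(triage(sample("Minutes attached.", "notes.txt.scr")))
    print(triage(sample("Quarterly figures attached.", "figures.zip")))
```

A ZIP on its own is delivered because archives are common in legitimate mail; a gateway that can open archives would apply the same extension check to the names inside.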
January 27, 2004 at 10:21 AM in Virus