Dallas-Mavs.com Forums

01-27-2004, 02:02 PM   #1
Smiles
Diamond Member
 
Join Date: May 2001
Location: Dallas, TX
Posts: 3,705
A new virus called Mydoom

Anyone have any info on this virus? It's been attacking us since yesterday afternoon- so far our application has been able to block it....

What's the story?
01-27-2004, 03:06 PM   #2
Chiwas
Guru
 
Join Date: Sep 2002
Posts: 13,363
RE: A new virus called Mydoom

From Symantec:

Novarg/MyDoom Worm Spreads Quickly, Targets SCO
JAN 27, 2004 ARTICLE ID: 3277

CUPERTINO, Calif. -- A fast-moving Windows worm known as MyDoom or W32.Novarg.A@mm continued to spread rapidly Tuesday afternoon, having already prompted Internet security expert Symantec to classify it as a Category 4 security threat.

Novarg/MyDoom is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip. When a computer is infected, the worm will set up a backdoor into the system by opening TCP ports 3127 through 3198. This can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources. In addition, the backdoor has the ability to download and execute arbitrary files.

The worm arrives in in-boxes with one of several different random subject lines, such as "Mail Delivery System," "Test" or "Mail Transaction Failed."

Numerous online news sites reported Tuesday that one in every 12 email messages contained the worm.

Symantec updated its virus definitions for Novarg/MyDoom on Monday. Click here for more information. Novarg/MyDoom was initially a Category 3 alert, but was upgraded to a Category 4 due to the high rate of submissions.

The worm, which appeared almost exactly one year after the outbreak of the destructive SQL Slammer, spreads faster than others like it because it uses a better social engineering technique, according to security experts. Symantec advises enterprise customers to block possible infected mails at the gateway by filtering attachments and subjects. Users are encouraged not to open unexpected attached files.

Symantec warned that the email sender's address can be spoofed, meaning the message could appear to be from a colleague, friend, or even the email system administrator.

"This is something you might see from a mail system, so you click on the attachment," Sharon Ruckman, senior director for Symantec Corp. Security Response, told the IDG News Service on Monday. "This one is almost begging you to click on the attachment."

Only users of computers running Microsoft Corp.'s Windows are at risk, according to Symantec.

When the attached file is executed, the worm scans the system for email addresses and starts forwarding itself to those addresses. If the victim has a copy of the Kazaa file-sharing application installed, it will also drop several files in the shared files folder in an attempt to spread that way.

Symantec also identified more malicious acts, according to IDG. The worm will install a "key logger" that can capture anything that is entered, including passwords and credit card numbers, Ruckman said.

SCO Web site targeted
In addition, the worm will start sending requests for data to www.sco.com, the Web site of the SCO Group, which could result in the Web site going down if enough requests are sent, she said.

SCO, a Utah software company, has launched a widely publicized legal campaign against companies using the open-source Linux operating system. The company filed a $1 billion lawsuit against IBM last March, claiming the computer giant's Linux software violated its Unix patents. SCO's Web site has been the subject of previous Denial of Service (DoS) attacks.

It appears that Novarg/MyDoom will launch the DoS attack against SCO starting on February 1. It has a trigger date to stop spreading on February 12.

Much of the data in the new worm's code is encrypted, security experts said, making analysis of the worm much more difficult. Some users reported receiving as many as 100 copies of the worm in a 30-minute span on Monday afternoon, according to eWEEK.com.

01-27-2004, 03:20 PM   #3
Chiwas
Guru
 
Join Date: Sep 2002
Posts: 13,363
RE: A new virus called Mydoom

New virus infects PCs, whacks SCO
Last modified: January 26, 2004, 5:58 PM PST
By Robert Lemos
Staff Writer, CNET News.com

Update: A mass-mailing virus that quickly spread through the Internet on Monday planted a file that will instruct infected computers to attack the SCO Group's Web server with a flood of data on Feb. 1.

The virus--known as MyDoom, Novarg and as a variant of the Mimail virus by different antivirus companies--arrives in an in-box with one of several different random subject lines, such as "Mail Delivery System," "Test" or "Mail Transaction Failed." The body of the e-mail contains an executable file and a statement such as: "The message contains Unicode characters and has been sent as a binary attachment."

"It's huge," said Vincent Gullotto, vice president of security software maker Network Associates' antivirus emergency response team. "We have it as a high-risk outbreak."

In one hour, Network Associates itself received 19,500 e-mails bearing the virus from 3,400 unique Internet addresses, Gullotto said. One large telecommunications company has already shut down its e-mail gateway to stop the virus.

Once the virus infects a Windows-running PC, it installs a program that allows the computer to be controlled remotely. The program primes the PC to send data to the SCO Group's Web server, starting Feb. 1, a virus researcher said on the condition of anonymity.

The SCO Group has incurred the wrath of the Linux community for its claims that important pieces of the open-source operating system are covered by SCO's Unix copyrights. IBM, Novell and other Linux backers strongly dispute the claims.

The company's Web site was slow to load on Monday afternoon, a SCO spokesperson acknowledged, but the site was still accessible from the World Wide Web.

SCO's Web site was taken offline by denial-of-service attacks a handful of times in the last year, none of which had been initiated by a virus. In the past, the company has blamed Linux sympathizers for at least one of the attacks.

Antivirus companies were scrambling on Monday afternoon to learn more about the virus, which started spreading at about noon PST. The virus affects computers running Windows versions 95, 98, ME, NT, 2000 and XP.

"A lot of the information is encrypted, so we have to decrypt it," said Sharon Ruckman, a senior director of antivirus software maker Symantec's security response center. Symantec has had about 40 reports of the virus in the first hour, a high rate of submission, Ruckman said.

The virus installs a Windows program that opens up a "back door" in the system, allowing an attacker to upload additional programs onto the compromised device. The back door also enables an intruder to route his connection through the infected computer to hide the source of an attack.

The virus also copies itself to the Kazaa download directory on PCs, on which the file-sharing program is loaded. The virus camouflages itself, using one of seven file names, including Winamp5, RootkitXP, Officecrack and Nuke2004. Variations in the body text include: "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."

Early data indicated an epidemic several times the size of the Sobig.F virus, which caused widespread infections last summer, said Scott Petry, a vice president of engineering at e-mail service provider Postini.

"At its current run rate, we will trap almost 8 million in a day," Petry said. The company quarantined only 1,400 copies of Sobig.F in its first day and 3.5 million copies of the virus during that epidemic's peak 24-hour period.

Mail systems that remove executable files from e-mails can stop the program from spreading.

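Both quoted articles recommend stopping the worm at the mail gateway by filtering on attachments and subjects. The following is an added example, not code from Symantec, CNET or this forum, showing how such a gateway check could match the indicators the two articles quote: the three subject lines, the "sent as a binary attachment" body text, and the listed attachment extensions. The two sample messages are constructed for the example and the attachment is inert filler bytes.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the Symantec and CNET articles (lower-cased for matching).
LURE_SUBJECTS = {"mail delivery system", "test", "mail transaction failed"}
LURE_BODY = "has been sent as a binary attachment"  # tail shared by both quoted body texts
BLOCKED_EXTS = (".bat", ".cmd", ".exe", ".pif", ".scr", ".zip")


def classify(raw: bytes) -> dict:
    """Return the Novarg/MyDoom indicators a raw RFC 822 message matches and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["subject"] or "").strip().lower() in LURE_SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and LURE_BODY in body.get_content().lower():
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(BLOCKED_EXTS):
            hits.append("attachment:" + name)
    # Gateway policy as the articles advise: quarantine any message carrying a
    # blocked attachment type, and also the subject+body lure pattern on its own.
    quarantine = any(h.startswith("attachment:") for h in hits) or {"subject", "body"} <= set(hits)
    return {"hits": hits, "quarantine": quarantine}


def sample_worm_mail() -> bytes:
    """Constructed message mimicking the described lure; the attachment is inert filler."""
    m = EmailMessage()
    m["From"] = "postmaster@example.com"  # sender address is spoofed, as Symantec warned
    m["To"] = "user@example.com"
    m["Subject"] = "Mail Transaction Failed"
    m.set_content("The message contains Unicode characters and has been sent as a binary attachment.")
    m.add_attachment(b"placeholder bytes, not a program", maintype="application",
                     subtype="octet-stream", filename="document.zip")
    return m.as_bytes()


def sample_clean_mail() -> bytes:
    """Constructed ordinary message that should pass the gateway untouched."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = "Test results"  # not an exact match for the "Test" lure subject
    m.set_content("Results are in the ticket, no file attached.")
    return m.as_bytes()
```

Matching subjects exactly (rather than by substring) keeps an ordinary "Test results" mail from being quarantined, while the attachment rule alone is enough to catch the worm even when the lure text changes.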