From Symantec:
Novarg/MyDoom Worm Spreads Quickly, Targets SCO
JAN 27, 2004 ARTICLE ID: 3277
CUPERTINO, Calif. -- A fast-moving Windows worm known as MyDoom or W32.Novarg.A@mm continued to spread rapidly Tuesday afternoon, having already prompted Internet security expert Symantec to classify it as a Category 4 security threat.
Novarg/MyDoom is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip. When a computer is infected, the worm sets up a backdoor into the system by opening TCP ports 3127 through 3198. This can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources. In addition, the backdoor has the ability to download and execute arbitrary files.
The worm arrives in in-boxes with one of several different random subject lines, such as "Mail Delivery System," "Test" or "Mail Transaction Failed."
Numerous online news sites reported Tuesday that one in every 12 email messages contained the worm.
Symantec updated its virus definitions for Novarg/MyDoom on Monday. Novarg/MyDoom was initially a Category 3 alert, but was upgraded to a Category 4 due to the high rate of submissions.
The worm, which appeared almost exactly one year after the outbreak of the destructive SQL Slammer, spreads faster than others like it because it uses a better social engineering technique, according to security experts. Symantec advises enterprise customers to block possibly infected mail at the gateway by filtering attachments and subjects. Users are encouraged not to open unexpected attached files.
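As an added illustration of the gateway filtering Symantec recommends (this is not Symantec's code), the following Python check flags a message when its subject or attachment extension matches the traits the article lists; the sample messages are constructed, not captured worm traffic.

```python
# Added example: gateway-style filter for the Novarg/MyDoom traits named
# in the article. Assumes messages arrive as raw RFC 822 text.
import email
import os
from email import policy

# Attachment extensions and subject lines named in the article.
RISKY_EXTENSIONS = {".bat", ".cmd", ".exe", ".pif", ".scr", ".zip"}
RISKY_SUBJECTS = {"mail delivery system", "test", "mail transaction failed"}


def attachment_names(msg):
    """Return the filenames of every MIME part that carries one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def classify(raw_message: str) -> dict:
    """Return a block verdict and the reasons for it.

    An empty 'reasons' list means the message passes this filter.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in RISKY_SUBJECTS:
        reasons.append(f"subject matches worm template: {subject!r}")
    for name in attachment_names(msg):
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment type: {name}")
    return {"block": bool(reasons), "reasons": reasons}


# Constructed sample messages (not real captured traffic).
SAMPLE_WORM = (
    "From: postmaster@example.org\r\nTo: user@example.org\r\n"
    "Subject: Mail Delivery System\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    "--b1\r\nContent-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="document.pif"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\nTVqQAAMAAAAEAAAA\r\n--b1--\r\n"
)
SAMPLE_CLEAN = (
    "From: alice@example.org\r\nTo: user@example.org\r\n"
    "Subject: Meeting notes\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b2"\r\n\r\n'
    "--b2\r\nContent-Type: text/plain\r\n\r\nNotes attached.\r\n"
    "--b2\r\nContent-Type: text/plain\r\n"
    'Content-Disposition: attachment; filename="notes.txt"\r\n\r\nAgenda\r\n--b2--\r\n'
)
```

Because both the subject and the attachment are checked independently, the sample worm message is blocked for two reasons while the clean one passes.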
Symantec warned that the email sender's address can be spoofed, meaning the message could appear to be from a colleague, friend, or even the email system administrator.
"This is something you might see from a mail system, so you click on the attachment," Sharon Ruckman, senior director for Symantec Corp. Security Response, told the IDG News Service on Monday. "This one is almost begging you to click on the attachment."
Only users of computers running Microsoft Corp.'s Windows are at risk, according to Symantec.
When the attached file is executed, the worm scans the system for email addresses and starts forwarding itself to those addresses. If the victim has a copy of the Kazaa file-sharing application installed, it will also drop several files in the shared files folder in an attempt to spread that way.
Symantec also identified more malicious acts, according to IDG. The worm will install a "key logger" that can capture anything that is entered, including passwords and credit card numbers, Ruckman said.
SCO Web site targeted
In addition, the worm will start sending requests for data to www.sco.com, the Web site of the SCO Group, which could result in the Web site going down if enough requests are sent, she said.
SCO, a Utah software company, has launched a widely publicized legal campaign against companies using the open-source Linux operating system. The company filed a $1 billion lawsuit against IBM last March, claiming the computer giant's Linux software violated its Unix patents. SCO's Web site has been the subject of previous Denial of Service (DoS) attacks.
It appears that Novarg/MyDoom will launch the DoS attack against SCO starting on February 1. It has a trigger date to stop spreading on February 12.
Much of the data in the new worm's code is encrypted, security experts said, making analysis of the worm much more difficult. Some users reported receiving as many as 100 copies of the worm in a 30-minute span on Monday afternoon, according to eWEEK.com.