View Full Version : Mydoom Sets Speed Records


Andrew
01-27-04, 03:46 PM
Paul Roberts, IDG News Service

Mydoom, a new computer virus spreading by e-mail, is breaking records for new infections, antivirus vendors and security companies say.

Infected e-mail messages carrying the Mydoom virus, also known as "Shimgapi" and "Novarg," have been intercepted from over 142 countries and now account for one in every 12 e-mail messages, according to Mark Sunner, chief technology officer at e-mail security company MessageLabs.

That surpasses the Sobig.F virus record, which appeared last August and, at its peak, was found in one of every 17 messages intercepted by MessageLabs, he says.

Since first detecting the new virus at 1:00 PM GMT on Monday, MessageLabs intercepted almost 1 million infected e-mail messages carrying the virus, Sunner says.

The virus has "followed the sun," hitting hard in the U.S. and Canada late on Monday, then working its way through Asia and Europe on Tuesday, he says.

F-Secure of Helsinki estimates that around 100,000 computers have been infected with Mydoom so far, says Mikko Hypponen, manager of antivirus research at F-Secure.

Antivirus experts expect another large wave of infections in the U.S. and Canada on Tuesday morning, as workers who missed the virus late Monday return to their desks, he says.

The worm arrives as a file attachment in an e-mail with a variety of senders and subjects, such as "Hello," and "test." The message body is often technical sounding, imitating the look and feel of an automatically generated message from an e-mail server, Sunner says.

For example, some e-mail messages telling recipients that "the message contains unicode characters and has been sent as a binary attachment," or "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."

Users who click on the attachment, which uses a variety of file extensions such as ZIP, SCR, EXE, and PIF, are infected with the virus.

The technical pitch is a new twist on so-called "social engineering" techniques used by virus writers to trick users into opening malicious file attachments. Mydoom's authors may have been counting on the fact that people trust the authenticity of computer generated messages more than those purporting to come from other humans, Sunner says.

Mimicking the language of a computer-generated administrative message may have also helped Mydoom spread within large corporations, where employees are used to receiving such messages from administrative systems, according to David Perry, public education director at antivirus company Trend Micro.

Trend Micro saw evidence on Monday of infections from 12 of the Fortune 100 companies, he says.

Once inside such companies, Mydoom could use the enormous bandwidth of those corporate networks and huge e-mail address books as a "springboard" to the rest of the Internet, Perry says.

While Mydoom has shattered Sobig.F records, in many ways the two viruses are the same, antivirus experts agree.

Both viruses scan infected computers for e-mail addresses that are then targeted by infected e-mail. Also, both Sobig.F and Mydoom are small and contain highly efficient SMTP engines for sending out copies of themselves. The efficiency of their mail engines means that even a small number of infections can generate a massive amount of e-mail traffic, Hypponen says.

Finally, both Sobig.F and Mydoom contain a Trojan horse program that gives remote attackers full control of the infected system, he says.

In the case of Sobig.F, experts theorized that the virus was being used to assemble "zombie" networks of machines for distributing spam e-mail. A similar motive may be behind Mydoom, though the virus writer's intentions are not yet clear, says Perry.

Andrew
01-28-04, 12:09 AM
Secure Florida has received the following HOT alert from TruSecure:

TruSecure ALERT -- TSA 04-001 - Win32.Mydoom @ MM

Systems Affected:
Affected systems are Windows 95, 98, NT, 2000, ME and XP.

This virus does not affect earlier versions of the Windows operating systems, DOS, Mac OS or any Unix/Linux based OS.

Aliases:
MyDoom is also called MiMail.R or Novarg.A by some Anti-Virus vendors.

Executive Summary:
MyDoom is a worm that spreads via e-mail and arrives as a zip or executable file that appears to be a text file.

The worm arrives in an e-mail with a spoofed "From" field, and random "Subject" and "Body" lines. The file name of the attachment varies, as does the extension. The possible file extensions that the worm may use are .exe, .pif, .cmd and .scr. MyDoom uses an icon for this file that makes it look like a text file.

Actions:
1. TruSecure recommends updating your anti-virus signatures. Many vendors have updated their definitions.
2. Do not double-click on any .zip or .txt attachments you are unfamiliar with.

Andrew
01-28-04, 12:19 AM
If you suspect your computer has been infected by this mass-mailing worm:
http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

Gil
02-26-04, 08:48 PM
Big, when is the last time anyone wrote a virus for windows 3.1 or lower? Let alone DOS? Most computer users don't even know of windows versions that are not rated by years.... lol. Have you heard of the "stoned virus" and it's effect on 32 bit opearting systems? It used to be a simple virus for DOS, but now it's doing major damage since the files it would try to call for are no longer there. I'm sure you can find more about this from a search engine, but it's mildly entertaining. I was infected with this virus on my first computer, yes, even I had a first computer. I even have a few disks with the virus still intact. I call those "collector's items" LOL

MRB
03-03-04, 05:17 PM
I had this detailed post about dealing w/MyDoom and then I went to another open window on my desktop (serves me right) and the forum bopped me out.

The abbreviated version: If you have a Dell system w/McAfee AntiVirus, go to the McAfee site and get "Stinger" to get that mother off your system. Anyone who wants details, PM me and let me know.

MRB
03-03-04, 05:19 PM
Hey, BIG -

How come at the bottom of the "poster" stats it shows one's status as "offline" when one is clearly online posting?

Gil
03-03-04, 05:34 PM
MRB, though I'm not Big, I can answer this question. There are settings to make one appear offline when online, it's a privacy issue. It also keeps from being PM'd when PM's are unwanted.

Andrew
03-03-04, 06:01 PM
You can go into your User Control Panel, and set your preferences to appear offline, when you're online.

Also, some of us really DO pop in and out of the forums during the day.