Mail servers across the globe are choking after the Mydoom mass-mailing email virus emerged last week, spreading at unprecedented speed.
The havoc caused by Mydoom was further compounded by the release of a more threatening variant, known as Mydoom.B, last Wednesday.
Experts said the Mydoom worm (also known as Novarg) was spreading faster than last year’s Sobig.F, which topped the charts as the most widespread email worm of 2003.
The Mydoom virus was found in one in 10 email messages intercepted by Network Associates’ (NAI) Anti-Virus Emergency Response Team.
This surpassed the Sobig.F virus record, which, at its peak, was found in one of every 17 messages intercepted by NAI.
Mydoom arrives as an email with an attachment that can have various names and extensions, including .exe, .scr, .zip or .pif. The email can have a variety of subject lines and body texts, but in many cases it would appear to be an error report stating that the message body couldn’t be displayed and had instead been attached in a file, experts said.
When the attached file is opened, the worm scans the system for email addresses and starts forwarding itself to those addresses. If the victim has a copy of the Kazaa file-sharing application installed, it will also drop several files in the shared files folder in an attempt to spread that way.
These social engineering techniques — used by virus writers to trick users into opening malicious file attachments — are thought to have driven the rapid spread of the worm.
The virus mimics the language of a computer-generated administrative message, which many employees within large corporations are accustomed to receiving.
Mydoom’s authors may have been counting on the fact that people trust the authenticity of computer-generated messages more than those purporting to come from other humans.
Network Associates classified the original Mydoom worm as a High-Outbreak threat.
The Mydoom worm was malicious in several ways, Network Associates’ senior marketing manager, Allan Bell, said.
“The way it is spreading means massive quantities of email traffic are generated, loading up inboxes, mail servers and gateways and preventing real traffic from getting through,” he said. “In addition, it spreads by trying to guess an address so even though the addresses are incorrect, the gateways still have to cope with the traffic.”
Sobig was more malicious in this respect because its attachment was three or four times larger than that of Mydoom, he said.
Mydoom will also copy itself to the system folder as taskmon.exe and listen on all TCP ports in the range 3127 to 3198, potentially allowing attackers to send additional files to be executed by the infected systems. The worm installs a “key logger” that could capture anything that was entered, including passwords and credit card numbers.
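A defender checking a suspect Windows host for the listener described above can correlate listening ports with the owning process. The following is an added example written for this article, not code from Network Associates or any other party mentioned here; the netstat and tasklist output it parses is constructed to match the shape of those commands, and the PID/process pairing (taskmon.exe on PID 1444) is an assumption used only as test data. A hit in the 3127–3198 range is a lead for investigation, not proof of infection, since any service could happen to bind a port there.

```python
import re

# Port range the article reports the worm listening on (3127-3198 inclusive).
BACKDOOR_PORTS = range(3127, 3199)

# Constructed output in the shape of `netstat -ano` on Windows; not captured
# from a real infected host.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       1444
  TCP    0.0.0.0:3198           0.0.0.0:0              LISTENING       1444
  TCP    0.0.0.0:3199           0.0.0.0:0              LISTENING       2088
  TCP    192.0.2.10:1043        192.0.2.20:3127        ESTABLISHED     1444
  UDP    0.0.0.0:3127           *:*                                    600
"""

# Constructed output in the shape of `tasklist`; the process names and PIDs
# are assumptions for the demonstration, not observed values.
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
svchost.exe                    912 Services                   0      4,212 K
taskmon.exe                   1444 Console                    0      2,560 K
outlook.exe                   2088 Console                    0     18,904 K
"""


def parse_netstat(text):
    """Return (bound_host, port, pid) for every TCP socket in LISTENING state.
    Header, UDP and non-listening lines are skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0].upper() != "TCP":
            continue
        _proto, local, _foreign, state, pid = fields
        if state.upper() != "LISTENING":
            continue
        host, _sep, port = local.rpartition(":")  # handles IPv6-style brackets too
        listeners.append((host, int(port), int(pid)))
    return listeners


def parse_tasklist(text):
    """Map PID -> lower-cased image name for rows whose image name ends in .exe."""
    pid_to_image = {}
    for line in text.splitlines():
        match = re.match(r"^(\S+\.exe)\s+(\d+)\s", line, re.IGNORECASE)
        if match:
            pid_to_image[int(match.group(2))] = match.group(1).lower()
    return pid_to_image


def find_suspicious_listeners(netstat_text, tasklist_text):
    """Listeners bound inside BACKDOOR_PORTS, joined to their process name."""
    images = parse_tasklist(tasklist_text)
    hits = []
    for host, port, pid in parse_netstat(netstat_text):
        if port in BACKDOOR_PORTS:
            hits.append({"port": port, "pid": pid, "bound": host,
                         "image": images.get(pid, "unknown")})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"port {hit['port']} bound on {hit['bound']} by PID {hit['pid']} ({hit['image']})")
```

Only the two LISTENING sockets on 3127 and 3198 are reported; the ESTABLISHED connection to a remote 3127, the UDP socket and the listener on 3199 fall outside the check.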
But the fun doesn’t stop there. The Mydoom worm will attempt to perform a denial-of-service attack on Unix vendor the SCO Group by sending requests for data to its website at a rate of three times per second.
The attack was scheduled to begin last Sunday and run through to February 12. It could result in the SCO website going down.
In response to the Mydoom attack, SCO has announced it is offering a reward of up to $US250,000 “for information leading to the arrest and conviction of the individual or individuals responsible for creating the Mydoom virus”.
Bell said antivirus vendors had been educating the public about blocking all .exe attachments at the gateway to prevent such prolific outbreaks but the advice continued to fall on deaf ears.
“We recommend as best practices that companies don’t allow email attachments that include .exe, .scr, .pif, .cmt to pass through the gateway, primarily because the business use of such files is almost zero and they are most commonly used as a virus,” he said. “If a company needs to send an .exe attachment, then they should zip it up, password protect it and then send it through.”
One of the problems with Mydoom is that it uses a .zip attachment, and companies cannot block all .zip attachments at the gateway because the format is commonly used by businesses.
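The gateway policy Bell describes, with the .zip problem handled by looking inside the archive rather than blocking the format outright, can be expressed in a few dozen lines. This is an added example written for this article, not vendor code: the blocked-extension list is the one in the quote above (“.cmt” as quoted), the verdict names `allow`/`review`/`block` are this example’s own, and every message and archive it processes is constructed in memory. A password-protected zip cannot be inspected, so the example holds it for review instead of blocking, which matches the quoted advice for legitimate executable transfer.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment types the quoted advice says to stop at the gateway (illustrative).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".cmt"}
ENCRYPTED_FLAG = 0x1  # general-purpose bit 0 in the zip headers


def extension_of(name):
    """Lower-cased final extension of a filename, or '' if it has none."""
    name = (name or "").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def inspect_zip(data):
    """Classify a .zip payload from its member names and header flags.
    Returns (verdict, reason) with verdict in {'allow', 'review', 'block'}."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "block", "attachment is not a valid zip archive"
    members = zf.infolist()
    bad = [m.filename for m in members if extension_of(m.filename) in BLOCKED_EXTENSIONS]
    if bad:
        return "block", "zip carries executable member(s): " + ", ".join(bad)
    if any(m.flag_bits & ENCRYPTED_FLAG for m in members):
        return "review", "zip is password protected; hold for manual review"
    return "allow", "zip carries no executable members"


def classify_message(raw_bytes):
    """Apply the policy to every attachment of a raw RFC 822 message.
    Returns (overall_verdict, [(filename, verdict, reason), ...])."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = extension_of(name)
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, "block", "executable attachment type"))
        elif ext == ".zip":
            verdict, reason = inspect_zip(payload)
            findings.append((name, verdict, reason))
        else:
            findings.append((name, "allow", "type not on the block list"))
    verdicts = {v for _, v, _ in findings}
    overall = "block" if "block" in verdicts else "review" if "review" in verdicts else "allow"
    return overall, findings


# --- constructed fixtures (not real worm samples) ----------------------------

def make_zip(member_name, content, encrypted=False):
    """One-member zip built in memory. With encrypted=True the 'encrypted' flag
    bit is set in both headers so the archive presents as password protected;
    no real encryption is applied (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        local = data.find(b"PK\x03\x04")      # local file header
        central = data.find(b"PK\x01\x02")    # central directory entry
        data[local + 6] |= ENCRYPTED_FLAG     # flags sit at offset 6 / 8
        data[central + 8] |= ENCRYPTED_FLAG
    return bytes(data)


def build_message(attachment_name, attachment_bytes):
    """Constructed message in the style the article describes: a fake
    delivery report whose 'body' is the attachment."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Mail Delivery System"
    msg.set_content("The message body could not be displayed and has been attached as a file.")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def demo():
    """Run the policy over five constructed messages; returns {label: verdict}."""
    cases = {
        "plain_exe": build_message("message.exe", b"MZ constructed"),
        "zip_with_exe": build_message("message.zip", make_zip("message.exe", b"MZ constructed")),
        "zip_with_text": build_message("notes.zip", make_zip("notes.txt", b"hello")),
        "protected_zip": build_message("update.zip", make_zip("update.doc", b"x", encrypted=True)),
        "plain_doc": build_message("report.doc", b"constructed"),
    }
    return {label: classify_message(raw)[0] for label, raw in cases.items()}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:14s} -> {verdict}")
```

The three-way verdict is the point: a flat extension block list passes the zipped worm straight through, while blocking every .zip breaks legitimate mail, so the archive's own member list decides and only the uninspectable case falls to a human.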
A variant of the Mydoom worm, Mydoom.B, emerged last Wednesday.
The new spin-off was not significantly different from the first Mydoom, but it was larger and contained the following message buried in the worm’s code: “sync-1.01; andy; I’m just doing my job, nothing personal, sorry.”
Like the first Mydoom, the new version was scheduled to launch a DoS attack on the SCO website last Sunday. Microsoft is also a target.