New, fast-spreading worm spells Doom

  • Joris Evers (IDG News Service)
  • 27 January, 2004 12:43

A new email worm is spreading rapidly on the Internet, clogging email servers and staging an attack on the website of Unix vendor, The SCO Group, antivirus software vendors said.

The worm surfaced on Monday and has been given several names by antivirus software vendors, including Mydoom, Novarg and Mimail.R. Experts didn't all agree on the worm's payload, but they did agree that it was spreading faster than Sobig-F, the worm that topped the charts for the most widespread email worm last year.

"It has been moving very quickly for the past three hours and has been generating a hell of a lot of e-mail," vice-president of the Anti-Virus Emergency Response Team at Network Associates, Vincent Gullotto, said.

Some businesses had shut down their email gateways to block the worm, he said.

This worm has taken off like a rocket, with more than 20,000 interceptions within just two hours of it being discovered, according to Ken Durham, director of malicious code at Internet security company iDefense.

The worm arrives as an email with an attachment that can have various names and extensions, including .exe, .scr, .zip or .pif. The email can have a variety of subject lines and body texts, but in many cases it would appear to be an error report stating that the message body couldn't be displayed and had instead been attached in a file, experts said.

"This is something you might see from a mail system, so you click on the attachment," senior director for Symantec Security Response, Sharon Ruckman, said.

Both Network Associates and Symantec agree that when the attached file is executed, the worm scans the system for email addresses and starts forwarding itself to those addresses. If the victim has a copy of the Kazaa file-sharing application installed, it will also drop several files in the shared files folder in an attempt to spread that way.

Symantec also identified more malicious acts.

The worm would install a "key logger" that could capture anything that was entered, including passwords and credit card numbers, Ruckman said. Furthermore, the worm would start sending requests for data to, the website of The SCO Group, which could result in the website going down if enough requests were sent, she said.

SCO had noticed that its website performance had intermittently slowed, but it was too early to say if there was an attack on the site, SCO spokesman, Blake Stowell, said.

"It may be showing the early stages of a DOS attack," he said.

SCO has enraged the open source community by claiming that the Linux operating system contains software that violates SCO's intellectual property, and has been the subject of various attacks on its website.

Antivirus software vendors urge users to update their antivirus software and be careful when opening email attachments.

"If you're not expecting an email, don't open it," Symantec's Ruckman said.

Network Associates' Gullotto expects the worm to keep causing headaches for a while.

"It will be a couple of days before we're going to get to the point that it won't have any impact," he said. "It has a full head of steam, there are hundreds of thousands of emails and we may see well into the millions [of emails], and possibly hundreds of thousands of machines infected."