'MyDoom' Possibly The Fastest-Spreading Virus Ever

Postby Mac33 » Wed Jan 28, 2004 5:19 pm

'Mydoom' Possibly The Fastest-Spreading Virus Ever

By Antone Gonsalves, TechWeb

9:56 AM EST Wed., Jan. 28, 2004
The first major virus of the year spread rapidly across the Internet for a second day on Tuesday, clogging e-mail systems and slowing Internet traffic with an avalanche of bogus messages that may make the virus the fastest spreading ever.

The virus, dubbed "Mydoom" and "Novarg" by security experts, started its march late Monday and appeared to be spreading even faster on Tuesday, infecting one out of every nine e-mails, antivirus software maker Central Command said.

Rival Network Associates Technology said the virus had surpassed last August's Sobig.F in the speed with which it traveled, and estimated the latest virus had infected between 100,000 and 300,000 computers.

"It's the fastest-spreading e-mail virus ever," said Craig Schmugar, virus research manager for Network Associates. "Sobig.F was out quite a while before it hit its peak numbers, whereas this virus right from the early stages of discovery reached very large volumes of e-mail."

Postini, which cleanses e-mail before it reaches the networks of corporate clients, said it was intercepting 330,000 infected e-mails an hour. As of Monday, the Redwood City, Calif.-based, company had quarantined more than 8 million messages.

By comparison, Postini intercepted 1,400 e-mails infected with Sobig.F on its first day, and 3.5 million the second, said Scott Petry, vice president of products and engineering at Postini.

The increased traffic from Mydoom hurt overall Internet performance, Keynote Systems said. The company said its tracking index showed that the Internet at noon Pacific time was 8 percent to 10 percent slower than normal for a Tuesday. Performance, however, was back to normal by 2:30 p.m.

The Mydoom attack appears aimed, in part, at setting up computers for a Feb. 1 attack against the web server of the SCO Group. The company has been the target of several attacks over the last 10 months, with the latest in December taking down the company's server for more than a day.

While not proven, SCO may have been targeted because of its legal challenge of the open-source operating system Linux, which the company claims contains its copyrighted code. SCO's lawsuits have angered the Linux community and its supporters. Conversely, Linux enthusiasts say the virus may have been assembled for the purpose of defaming Linux developers.

On Tuesday, SCO offered a $250,000 reward for the arrest and conviction of the Mydoom virus author.

"The perpetrator of this virus is attacking SCO, but hurting many others at the same time," Darl McBride, president and chief executive of SCO, said in a statement. "We do not know the origins or reasons for this attack, although we have our suspicions. This is criminal activity and it must be stopped."

SCO is working with the U.S. Secret Service and Federal Bureau of Investigation in investigating the virus.

While security companies rated Mydoom near, or at, the top of their rankings in severity, some disagreed as to the speed with which the virus was spreading.

Based on customer submissions of virus-infected e-mails, Symantec, which ranked Mydoom a level 4, with 5 being the highest rating, placed the virus on par with BugBear, a mass-mailing worm that struck in 2002, but did not proliferate as fast as Sobig.F. As of mid-afternoon Tuesday, Symantec was receiving about 150 submissions of Mydoom-infected e-mails an hour, with about 9 percent from corporate customers.

"It hasn't tapered off, which is rather unusual," said Alfred Huger, senior director of engineering at Symantec. "That means this virus hasn't reached saturation, yet."

The virus, however, was expected to taper off over the next 24 hours, Huger said.

"Mydoom" arrives in a zip file carried in an e-mail with the subject lines "test," "mail delivery system," or "mail transaction failed." The body of the e-mail tries to trick the receiver into thinking that the actual message is in the attachment. The message contains such statements as "The message contain Unicode characters and has been sent as a binary attachment."

Once opened, the worm installs a program in the infected PC and opens a "backdoor" that enables a hacker to take control of the computer, apparently in preparation to flood the SCO server with information Feb. 1, security experts said. The kill date for the worm is Feb. 12.

The virus, which affects computers running Windows 95, 98, ME, NT, 2000 and XP, scours the infected computer's hard drive for e-mail addresses to send copies of itself. Mydoom also copies itself to the download directory on PCs for the file-sharing service Kazaa.

Symantec's Huger said the company had received unsubstantiated reports that spammers were already using infected machines to send spam. Technologically savvy spammers can sometimes piggyback on the malevolent code sent by others.

Several companies reported battling the virus, but did not suffer any severe damages. The Boeing Co. in Chicago told the Wall Street Journal Online that the virus clogged its system to the point where employees were unable to use e-mail Monday afternoon. The online news service also said Xerox, Cisco Systems and Lehman Brothers Holdings had fended off attacks.

:source: CRN Breaking News

MyDoom worm spreads as attack countdown begins: Part 2

Postby MinusDriver » Wed Jan 28, 2004 5:44 pm

9:00 AM EST Wed., Jan. 29, 2004

MyDoom worm spreads as attack countdown begins

LONDON, England (Reuters) -- Security experts warned on Thursday the fast-spreading MyDoom virus would plague e-mail users for some time as it counts down to a mammoth digital attack next week on Microsoft and software firm SCO Group Inc.

For a fourth consecutive day, Internet service providers and corporations were bogged down by a crush of infected e-mails.

Security experts said as many as one in three e-mails in circulation was triggered by MyDoom.A, making it the fastest spreading Internet contagion ever.

"We are seeing companies struggling with this as they cannot clear the viruses quickly enough," said Graham Cluley, technology consultant for anti-virus and anti-spam firm Sophos Plc. "This one will be with us for a while."

Meanwhile, sleep-deprived security experts said they were largely powerless to stop the virus's coordinated digital attacks, timed to hit Web sites for SCO on Sunday and Microsoft on Tuesday, security officials said.

"It's very difficult for anti-virus firms to react in these scenarios. We're always going to be on the back foot," said Paul Wood, chief information analyst for British-based e-mail security firm MessageLabs.

Machines turned into zombies
Since appearing this week, the MyDoom.A worm, also dubbed Novarg or Shimgapi, has infected computers across the globe by enticing users to open a file attachment that releases a program capable of taking over a victim's computer.

Once hit, the program scours the Web for more computers to infect. MyDoom.A is programmed to send spam e-mails to spread the infection further and marshal an army of infected machines to knock SCO's Web site offline on Sunday.

On Wednesday, a second variant dubbed MyDoom.B, appeared. It spread less quickly, but carried a program timed to unleash attacks on SCO and Microsoft. Also, it prevented access to anti-virus sites where patches for the bug are available.

Computer security companies continued to warn people not to open any suspicious attachments in e-mail messages.

Since the worms often appear as error messages from "Mail Administrators" and other official-looking addresses, many people inevitably open the attachment after finding minimal information in the message.

Computers running any of the latest versions of Microsoft's Windows operating system are at risk of being infected, although the worm doesn't exploit any flaws in Windows or software.

Instead, MyDoom is designed to entice the recipient of an e-mail to open an attachment with an .exe, .scr, .zip or .pif extension.

In the firing line
The financial damage from the outbreak -- from network slowdown to lost productivity -- is difficult to measure, but is assumed to be billions of dollars, according to experts.

For the ordinary computer user, MyDoom's toll will be measured in bounced e-mails and an inability at times to enter your inbox as ISPs seek to filter out bogus traffic.

For Microsoft and SCO, their Web sites are once again in the firing line.

SCO, a small Utah-based software maker suing International Business Machines Corp. over the use of code for the Linux operating system, has been the target of denial-of-service attacks in the past by apparent pro-Linux protesters.

Last year, Microsoft's site for software upgrades was permanently moved to a new Web address to avert a similar onslaught triggered by the Blaster worm.

SCO this week issued a $250,000 bounty for information leading to the arrests of the authors of MyDoom. In November, Microsoft offered two $250,000 rewards for tips leading to the arrest of the Blaster and SoBig virus writers.

Some security experts theorized that the MyDoom variants were written by the same individual or group, but had no solid clues on their whereabouts.

:source: http://www.cnn.com/2004/TECH/internet/0 ... index.html

Postby kanaloa » Sat Jan 31, 2004 11:31 pm

Yeah it was just on the news apparently bc my family was asking about it.

They were insisting it was impossible to block... I just smiled, lol.
"Greatness is not a function of circumstance. Greatness, it turns out, is largely a matter of conscious choice, and discipline." - Jim Collins

Postby kanaloa » Sat Jan 31, 2004 11:31 pm

You know how all the Admins just got mail bombed?

I bet this had something to do with it...
"Greatness is not a function of circumstance. Greatness, it turns out, is largely a matter of conscious choice, and discipline." - Jim Collins

Postby MinusDriver » Sun Feb 01, 2004 3:08 am

Kanaloa wrote: Yeah it was just on the news apparently bc my family was asking about it.

They were insisting it was impossible to block... I just smiled, lol.

I know that feeling :yesnod:

The virus sent emails to the whole admin list? I hope you all have up-to-date virus protection :unsure:

Postby RRCinci » Sun Feb 01, 2004 4:55 am

I got called out this morning for a MyDoom.A infection...Symantec's fix program works very well. Just remember to turn OFF the System Restore before you run it...it's like the MSBlaster and Welchia fix from them that took forever to run...it examines EVERY file on the hard drive...even those that can't possibly be infected...just to make sure it doesn't miss anything!! So run it...but be ready with a good book!

Paul
Life is not measured by the number of breaths we take, but by the moments that take our breath away.

Women and cats will do as they please, and men and dogs should relax and get used to the idea.
-Robert A. Heinlein

