Latest e-mail worm spreading fast
Associated Press via Sun Media | January 27, 2004 | Matthew Fordahl

Posted on 01/27/2004 7:25:31 AM PST by Clive

SAN JOSE, Calif. (AP) -- A malicious program attached to seemingly innocuous e-mails is spreading quickly over the Internet, clogging network traffic and potentially leaving hackers an open door to infected personal computers.

The worm, called "Mydoom" or "Novarg" by antivirus companies, usually appears to be an e-mail error message. A small file is attached that, when launched on computers running Microsoft Corp.'s Windows operating systems, can send out 100 infected e-mail messages in 30 seconds to e-mail addresses stored in the computer's address book and other documents.

The attack was first noticed Monday afternoon. Within hours, thousands of e-mails were clogging networks, said Vincent Gullotto, vice president of Network Associates' antivirus emergency response team.

Besides sending out e-mail, the program appears to open up a backdoor so that hackers can take over the computer later.

"As far as I can tell right now, it's pretty much everywhere on the planet," Gullotto said.

Security software experts were scrambling to decrypt the details of the malicious program and were arriving at different conclusions.

Symantec, an antivirus company, said the worm appeared to contain a program that logs keystrokes on infected machines. It could collect usernames and passwords of unsuspecting users and distribute them to strangers.

Network Associates did not find the keylogging program.

The worm also appears to deposit its payload into folders open to users of the Kazaa file-sharing network. Remote users who download those files and run them could be infected.

Symantec also found code that would flood The SCO Group Inc.'s Web site with requests in an attempt to crash its server, starting Feb. 1. SCO's site has been targeted in other recent attacks because of its threats to sue users of the Linux operating system in an intellectual property dispute. An SCO spokesman did not return a telephone call for comment Monday.

Overall, the computer security firm Central Command confirmed 3,800 infections within 45 minutes of initial discovery.

"This has all the characteristics of being the next big one," said Steven Sundermeier, Central Command's vice president of products and services.

It appeared to first target large companies in the United States -- and their large address books -- but quickly spread internationally, said David Perry, global director of education at the antivirus software firm Trend Micro.

Unlike other mass-mailing worms, Mydoom does not attempt to trick victims by promising nude pictures of celebrities or mimicking personal notes. Instead, one of its messages reads: "The message contains Unicode characters and has been sent as a binary attachment."

"Because that sounds like a technical thing, people may be more apt to think it's legitimate and click on it," said Steve Trilling, Symantec's senior director of research.

Subject lines also vary. The attachments have ".exe," ".scr," ".cmd" or ".pif" extensions, and may be compressed as a Zip file.

Microsoft offers a patch for its Outlook e-mail software that warns users before they open such attachments or prevents them from opening them altogether. Antivirus software also stops infection.

Christopher Budd, a security program manager with Microsoft, said the worm does not appear to take advantage of any Microsoft product vulnerability.

"This is entirely a case of what we would call social engineering -- enticing users to take actions that are not in their best interest," he said.

He said the software giant was working with other companies to learn more about the worm, but that, as of yet, the information about the worm was still "very spotty." The Redmond, Wash.-based company was encouraging users to take precautions such as using an Internet firewall and using up-to-date antivirus software.

Mydoom isn't the first mass-mailing virus of the year. Earlier this month, a worm called "Bagle" infected computers but seemed to die out quickly. So far, it's too early to say whether Mydoom will continue to be a problem or peter out, experts said.

"Over the next 24 to 48 hours, we'll have a much better sense," Trilling said. "Right now, the trend is only up."
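Added example, not from the AP article: a Python screen a mail gateway could run on incoming messages, looking for the attachment extensions and lure sentence the article describes (including inside a Zip file). The message it checks is constructed here for illustration; RISKY_EXT, LURE_TEXT and the function names are assumptions of this example.

```python
import io
import zipfile
from email import message_from_string
from email.message import EmailMessage

# Extensions the article lists for the worm's attachment, plus its lure sentence.
RISKY_EXT = (".exe", ".scr", ".cmd", ".pif")
LURE_TEXT = "has been sent as a binary attachment"

def risky_names_in_zip(data: bytes) -> list:
    """Names inside a zip payload that carry a risky extension (empty if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(RISKY_EXT)]
    except zipfile.BadZipFile:
        return []

def screen_message(raw: str) -> dict:
    """Inspect one RFC 822 message and report what a gateway should act on."""
    findings = {"risky_attachments": [], "lure_text": False}
    for part in message_from_string(raw).walk():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if part.get_content_maintype() == "text" and not name:
            # Lure text alone is only a hint; a plain reply can quote it too.
            body = " ".join(payload.decode("utf-8", "replace").lower().split())
            if LURE_TEXT in body:
                findings["lure_text"] = True
        elif name.endswith(RISKY_EXT):
            findings["risky_attachments"].append(name)
        elif name.endswith(".zip"):
            inner = risky_names_in_zip(payload)
            findings["risky_attachments"] += [f"{name}:{n}" for n in inner]
    findings["block"] = bool(findings["risky_attachments"])
    return findings

def build_sample(attachment_name: str, inner_name: str) -> str:
    """Constructed test message: the lure body plus a zip holding inner_name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder bytes, not a real program")
    em = EmailMessage()
    em["From"] = "someone@example.com"        # forgeable, as the thread notes
    em["Subject"] = "Mail Delivery System"
    em.set_content("The message contains Unicode characters and has been "
                   "sent as a binary attachment.")
    em.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                      filename=attachment_name)
    return em.as_string()
```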


TOPICS: Culture/Society
KEYWORDS: lowqualitycrap; microsoft; virus; windows; worm

1 posted on 01/27/2004 7:25:32 AM PST by Clive

To: Clive
I hope it's not in this thread.
2 posted on 01/27/2004 7:27:31 AM PST by Crowcreek

To: Clive
"The worm also appears to deposit its payload into folders open to users of the Kazaa file-sharing network."

Again.

3 posted on 01/27/2004 7:32:02 AM PST by EggsAckley (..................**AMEND** the Fourteenth Amendment......(There, is THAT better?).................)

To: Clive
I got 5 or 6 of these e-mails this morning. I instantly delete and block any e-mail I get from an unrecognized source.
4 posted on 01/27/2004 7:33:04 AM PST by Pest (I will choose Free Will!)

To: Crowcreek
I hope it's not in this thread.

Well it did log your keystrokes...

5 posted on 01/27/2004 7:34:28 AM PST by Always Right

To: Clive
My company got 1200 in the last 12 hours.
6 posted on 01/27/2004 7:35:24 AM PST by CholeraJoe (I'm a Veteran. I live in Montana. I own assault weapons. I vote. Any questions?)

To: Clive
Lavasoft information
7 posted on 01/27/2004 7:36:54 AM PST by Crowcreek

To: CholeraJoe
Yeah, our network guy says this is a biggie. He's blocked all known variants of it, but there was one which came in named file.zip (which wasn't on the list).

People will open anything, but our program defangs email attachments so they cannot be opened without saving and renaming, where they are then scanned for viruses.
8 posted on 01/27/2004 7:40:23 AM PST by eyespysomething (Another American optimist!)

To: Pest
I got 5 or 6 of these e-mails this morning. I instantly delete and block any e-mail I get from an unrecognized source.

I got 2 this morning; they simply said "Hello" in the title but had the same message as the article said, with a file attached.

9 posted on 01/27/2004 7:41:03 AM PST by Always Right

To: Pest
" I instantly delete and block any e-mail I get from an unrecognized source."

Thanks to good advice (gleaned while lurking), I've installed several free goodies to combat spam and bugs, and they seem to be working great.

'Adaware' for the bugs, 'AVG' for viruses, and 'Mailwasher' for the spam. I've gone overboard with the spam-scrubber, but it's been satisfying!

10 posted on 01/27/2004 7:47:33 AM PST by Crowcreek

To: Crowcreek
If you haven't already done so, I suggest you also get zonealarm firewall.

Free version.

11 posted on 01/27/2004 7:55:08 AM PST by ASA Vet (Darn, I forgot a tag line again.)

To: Always Right
Three said "Hello" and one said "Hi" in the title.

One or two were error messages that said that they were returned e-mails.

All had an attachment.
12 posted on 01/27/2004 8:00:43 AM PST by Pest (I will choose Free Will!)

To: Pest
Me, too.
13 posted on 01/27/2004 8:02:06 AM PST by MEG33 (America will never seek a permission slip to provide for the security of our country)

To: Clive
It got past my company's excessively (IMHO) secure firewall and email screening. I've received four copies this morning alone.
14 posted on 01/27/2004 8:08:20 AM PST by The_Victor

To: Clive
Read later.
15 posted on 01/27/2004 8:10:22 AM PST by EagleMamaMT

To: Clive
I'm getting some of these from a .edu address but they do not have attachments. Odd.
16 posted on 01/27/2004 8:12:34 AM PST by 1Old Pro

To: ASA Vet
Good advice. It's one of the first things I ever did -- Another great 'find' (lurking at FR) . . .

Between Zonealarm and my slow dialup, I've never felt too exposed.

However, the first time I ran Adaware, it found seven 'objects'!

17 posted on 01/27/2004 8:19:04 AM PST by Crowcreek

To: Crowcreek
Another good one is BENIGN, from the same company that developed Mailwasher.
18 posted on 01/27/2004 8:20:34 AM PST by RedWhiteBlue (miserable failure)

To: RedWhiteBlue
Hey- Thanx!
19 posted on 01/27/2004 8:22:52 AM PST by Crowcreek

To: Clive
Another one making the rounds today is Worm_MIMAIL.R. There have been several variants of this one. Check Symantec's Security Response website for more details.
20 posted on 01/27/2004 8:26:21 AM PST by Dead Corpse (For an Evil Super Genius, you aren't too bright are you?)

To: Crowcreek
'Adaware' for the bugs, 'AVG' for viruses, and 'Mailwasher' for the spam. I've gone overboard with the spam-scrubber, but it's been satisfying!

I use Adaware, MicroTrend AV, Mailwasher and Zonealarm, plus a few others.

Next, someone will figure out how to send virii via fax. lol
21 posted on 01/27/2004 9:16:07 AM PST by TomGuy

To: TomGuy
I use Linux.

:-)

22 posted on 01/27/2004 9:40:51 AM PST by Clive

To: CholeraJoe
My company got 1200 in the last 12 hours.

Yeah, we were at 9,000 plus in the first 12 hours. I've stopped counting at this point.

23 posted on 01/27/2004 9:53:16 AM PST by Ol' Sox

To: Clive
My anti-virus is working overtime this morning, and my spam filter. Most of the emails with the virus are coming in the spam crap.
24 posted on 01/27/2004 10:20:45 AM PST by suzyq5558 (WARNING! this tagline does not dial 911..........)

To: suzyq5558
What are your spam emails saying?
25 posted on 01/27/2004 10:28:36 AM PST by mlbford2

To: mlbford2
The ones infected have subject lines HI, Hello, email error, but my Norton anti-virus is weeding them all out. Also, I never open attachments even from my friends and family unless I know they are sending something like a video or family pics. I have SpamPal installed for my email. It sends all spam to the crap file for deletion. It has been a very good program for me; I don't have to mess with it a lot and it doesn't seem to have any bugs. I recommend it. But you do have to be very careful when setting it up, because you are changing some of your POP3 settings. I did manage to do it all on my own without any help from hubby, so it is doable :)
26 posted on 01/27/2004 10:51:06 AM PST by suzyq5558 (WARNING! this tagline does not dial 911..........)

To: mlbford2
Oh, I am not bothering with the message source on infected messages. Should I be looking at them?
27 posted on 01/27/2004 10:52:31 AM PST by suzyq5558 (WARNING! this tagline does not dial 911..........)

To: Mitchell
I assume the virus only infects if you open the attachment.

But, who, these days ever opens an attachment from an unknown sender??

28 posted on 01/29/2004 4:50:34 PM PST by Allan

To: Allan
I assume the virus only infects if you open the attachment.
But, who, these days ever opens an attachment from an unknown sender??

Well, many viruses do come from known senders, since, when a virus infects a machine, it may look on that machine for e-mail addresses to send to. So when you get it in turn, it may come from somebody who has corresponded with you before.

This virus apparently takes a trickier approach though. It looks like a bounced e-mail of yours, but you have to click on the attachment to see what the e-mail was. Apparently that was enough to get a lot of people to let their guard down for just a moment and click.

Overall, the biggest effect is probably the overloading of mail servers. This has slowed both incoming and outgoing mail on some servers considerably.

29 posted on 01/30/2004 2:39:53 AM PST by Mitchell

To: Mitchell
Recently I have received several messages with attachment that claimed to be bounced e-mail (sent to addresses that I do not recognize).

I only open an attachment if it is from someone I know and they have explained to me carefully what the attachment is.

In fact I normally delete immediately without opening any e-mail from an address that does not look familiar.

Are there people who don't do this??!!
30 posted on 01/30/2004 1:02:16 PM PST by Allan

To: Allan
Recently I have received several messages with attachment that claimed to be bounced e-mail (sent to addresses that I do not recognize).

Most spam and some viruses use false "From" headers (there's no authentication on that). Sometimes you can tell where a message really came from by looking at the IP addresses in the headers.

When one of these messages bounces, it bounces back to the person whose address was forged in the original header. (It's like a postal letter with a false return address written on the envelope.)

I only open an attachment if it is from someone I know and they have explained to me carefully what the attachment is.

I agree, that's essential.

In fact I normally delete immediately without opening any e-mail from an address that does not look familiar.

I don't think this last part is practical for many people, especially in business, who have to answer email from customers or from the public. Even a teacher is unlikely to be able to recognize the e-mail address of every student or past student who they might want to hear from.

Are there people who don't do this??!!

There are many people who click on attachments, or we wouldn't be getting these massive onslaughts. Some of these people are foolish or gullible, but many probably just had a momentary lapse, and clicked quickly on something without thinking about it. That's all it takes.

The situation is exacerbated by all the people in business and academia who send virtually everything as an attachment (a Microsoft Word document, or an Excel spreadsheet, or the like). This places people in the position where they have to open attachments regularly as part of their job, and they become accustomed to it and end up thinking of it as good computing practice. In fact, most of the time, there's no reason to send, for instance, a Word document rather than plain text. Not only does it expose you to viruses, but it's more awkward to read, it prevents easy searching through your past e-mails for some text you remember, it requires you either to have an up-to-date version of some proprietary software or to find a substitute, etc.

In any case, I wouldn't use an e-mail client that will run an executable sent to me in the mail with just a click. And I would avoid running operating systems that have a flawed approach to security.

31 posted on 01/30/2004 11:12:54 PM PST by Mitchell
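Added example, not part of Mitchell's post: walking the Received: headers to find where a message really entered a mail system, since the From: line is unauthenticated. The headers are constructed, example.org is the assumed trusted domain, the function names are this example's own, and the addresses come from the RFC 5737 documentation ranges.

```python
import re
from email import message_from_string

# A Received: line reads "from <host> (<comment>) by <host> ..."; the comment holds the IP.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>[^\s;(]+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: From: claims our domain, the trail shows an outside origin,
# and the bottom line is a hop the sender forged to look like one of our servers.
SAMPLE = """\
Received: from relay.example.org (relay.example.org [192.0.2.10])
    by mx.example.org with ESMTP; Tue, 27 Jan 2004 07:20:01 -0800
Received: from mail.friend-isp.net (unknown [203.0.113.57])
    by relay.example.org with SMTP; Tue, 27 Jan 2004 07:19:58 -0800
Received: from pc-0042 (pc-0042 [198.51.100.23])
    by mail.friend-isp.net; Tue, 27 Jan 2004 07:19:50 -0800
Received: from localhost (localhost [127.0.0.1])
    by mx.example.org; Tue, 27 Jan 2004 07:19:40 -0800
From: colleague@example.org
"""

def _in_domain(host: str, domain: str) -> bool:
    return host.lower() == domain or host.lower().endswith("." + domain)

def received_chain(raw: str) -> list:
    """Parse Received: headers in header order (newest hop first)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header
        if not m:
            continue
        comment, host = m.group("comment") or "", m.group("from")
        ips = IP_RE.findall(comment) or IP_RE.findall(host)
        hops.append({"from": host, "ip": ips[0] if ips else None, "by": m.group("by")})
    return hops

def entry_point(raw: str, trusted_domain: str):
    """Hop at which the message crossed into a server we operate. Each relay
    prepends its own line, so only the top run of lines written 'by' our hosts
    is trustworthy; everything below it was supplied by the sender."""
    entry = None
    for hop in received_chain(raw):
        if not _in_domain(hop["by"], trusted_domain):
            break
        entry = hop
    return entry

def sender_looks_forged(raw: str, trusted_domain: str) -> bool:
    """True when From: claims our domain but the message entered from outside."""
    sender_domain = (message_from_string(raw).get("From") or "").rsplit("@", 1)[-1].strip("> ")
    hop = entry_point(raw, trusted_domain)
    return bool(hop) and _in_domain(sender_domain, trusted_domain) \
        and not _in_domain(hop["from"], trusted_domain)
```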

To: Mitchell
Even a teacher is unlikely to be able to recognize the e-mail address of every student or past student who they might want to hear from.

I have a special account for students only and I tell them that I will not read any student e-mail sent to any other account.

Furthermore, all students must provide their name in the subject line.

In general, if an e-mail is from an unknown address and the subject line does not provide concrete evidence that the person knows me, then I delete it immediately.

It is possible that I delete some genuine messages intended for me, but I suspect that happens very rarely.

32 posted on 01/30/2004 11:49:58 PM PST by Allan

To: Allan
It is possible that I delete some genuine messages intended for me but I suspect that happens very rarely.

I'm sure you're right. I've occasionally enjoyed hearing from people who knew me many years ago; I'm not sure whether the subject line in those cases would have tipped me off, but it does happen rarely.

On the other hand, people in business will have to answer e-mail from many individuals who are either wholly unknown to them or who are very casual, barely-known business acquaintances. Even in academia, this would apply, for instance, to someone holding a department chair position.

But this is probably moot. One of the tricky aspects of these viruses is that they frequently do seem to be coming from somebody you know. (That's due to the fact that when they propagate themselves, they often harvest e-mail addresses from files on the machine they're on, and then mail themselves to those addresses.)

The success of the latest worm appears to be due in good part to its social engineering: the text in the body was believable for long enough to get some people to click without getting suspicious first.

33 posted on 01/31/2004 1:46:45 AM PST by Mitchell

To: Clive; All
Go to "last" & scroll backwards:

http://www.freerepublic.com/focus/f-news/969366/posts
Worm and Virus Wars- the August Edition
various FR links & posts | 08-23-03 | The Heavy Equipment Guy
34 posted on 01/31/2004 1:54:00 AM PST by backhoe (Just an old Keyboard Cowboy, ridin' the TrackBall into the Sunset...)

