Posted on 01/27/2004 4:50:47 PM PST by yonif
A new e-mail worm that first appeared on the Internet this afternoon is spreading rapidly, according to leading security companies.
The worm is being called several names by antivirus software vendors, including W32/Mydoom, Shimg, Novarg and Mimail.R. It is now being analyzed by the antivirus companies.
Experts differed on the worm's payload, but said it is spreading faster than Sobig-F, the most widespread email worm of 2003.
"It has been moving very quickly for the past three hours and has been generating a hell of a lot of e-mail," Vincent Gullotto, vice president of the Anti-Virus Emergency Response Team at Network Associates Inc., said this afternoon. Some businesses have shut down their e-mail gateways to block the worm, he said.
Massive spreading of the worm slowed down performance of the top 40 U.S. business Web sites Monday afternoon, according to Keynote Systems Inc., a San Mateo, Calif.-based Web performance monitoring company. The average time for a site to load exceeded four seconds, while they normally load in two to three seconds, Keynote said in a statement.
"This worm is taking off like a rocket, with well over 20,000 interceptions in just two hours of it being discovered," Ken Dunham, director of malicious code at iDefense Inc. in Reston, Va., said in a statement.
The worm arrives as an e-mail with an attachment that can have various names and extensions. The message can have a variety of subject lines and body texts, but in many cases it will appear to be an error report stating that the message body can't be displayed and has instead been attached in a file, experts said.
"This is something you might see from a mail system, so you click on the attachment," said Sharon Ruckman, senior director for Symantec Corp. Security Response.
Both Network Associates and Symantec agree that when the attached file is executed, the worm scans the system for e-mail addresses and starts forwarding itself to those addresses. If the victim has a copy of the Kazaa file-sharing application installed, it will also drop several files in the shared files folder in an attempt to spread that way.
Symantec also identified more malicious acts. The worm will install a "key logger" that can capture anything that is entered, including passwords and credit card numbers, Ruckman said. Furthermore, the worm will start sending requests for data to www.sco.com, the Web site of The SCO Group, which could result in the Web site going down if enough requests are sent, she said.
SCO has noticed that its Web site performance has intermittently slowed, but it is too early to say if there is an attack on the site, said SCO spokesman Blake Stowell. "It may be showing the early stages of a DOS attack," he said.
SCO has enraged the open source community by claiming that the Linux operating system contains software that violates SCO's intellectual property, and has been the subject of various attacks on its Web site.
Antivirus software vendors urge users to update their antivirus software and be careful when opening e-mail attachments. "If you're not expecting an e-mail, don't open it," Symantec's Ruckman said.
Network Associates' Gullotto expects the worm to keep causing headaches for a while. "It will be a couple of days before we're going to get to the point that it won't have any impact. It has a full head of steam, there are hundreds of thousands of e-mails and we may see well into the millions (of e-mails), and possibly hundreds of thousands of machines infected," he said.
Network Associates Inc.'s McAfee AVERT antivirus lab was analyzing copies of the virus this afternoon.
Research labs at Computer Associates International Inc. received 11 copies of the new worm almost simultaneously today, indicating a rapidly spreading infection, according to a company spokesman.
Mydoom appeared to be a "high risk" virus, according to a spokeswoman.
What if I made that same statement, but instead of "computer" I inserted "car".
How often do you change the oil in your car?
Oil Filter?
Transmission Fluid and filter?
Flush the radiator?
Well, any way, some people aren't as computer and network savvy as others. They should be instructed in a calm manner, not screamed at.
Actually, I think that is it.
Probably not, but the bug that's been going around is a doozy. Take care.
In a strange way, I almost feel sorry for you. It makes me want to put you in my email contacts and get infected just to make you feel a little better.
Whaddya say?
A ".pif" file is a Windows program information file and can essentially be used to call up an executable ".exe" file that can do bad things to your computer.
Outlook blocks ".exe" and ".pif" attached files by default, nowadays, so folks don't just click on an executable or pif to load a virus, trojan, etc.
Check also the related items list on the upper right.
"The SCO Group Inc. isn't taking the upcoming distributed denial-of-service attacks from the MyDoom worm lying down. The company on Tuesday offered a reward of as much as $250,000 for information leading to the arrest and conviction of the individual or individuals responsible for creating MyDoom."
Probably not. A pif file is really a legitimate Windows file - they are used to tell Windows how to run programs that were written for an older DOS enviroment.
The scumbag virus writers began to use pif files after directly attached executable files weren't working well anymore for a couple of reasons; public awareness that launching executable email attachments was not a good idea, and because email clients were being configured to not even allow access to attached executable files.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.