Skip to comments.
Experts: Mydoom worm spreading faster than last year's Sobig-F [email servers being clogged]
Computer World ^
| JANUARY 26, 2004
| Paul Roberts
Posted on 01/27/2004 4:50:47 PM PST by yonif
A new e-mail worm that first appeared on the Internet this afternoon is spreading rapidly, according to leading security companies.
The worm is being called several names by antivirus software vendors, including W32/Mydoom, Shimg, Novarg and Mimail.R. It is now being analyzed by the antivirus companies.
Experts differed on the worm's payload, but said it is spreading faster than Sobig-F, the most widespread email worm of 2003.
"It has been moving very quickly for the past three hours and has been generating a hell of a lot of e-mail," Vincent Gullotto, vice president of the Anti-Virus Emergency Response Team at Network Associates Inc., said this afternoon. Some businesses have shut down their e-mail gateways to block the worm, he said.
Massive spreading of the worm slowed down performance of the top 40 U.S. business Web sites Monday afternoon, according to Keynote Systems Inc., a San Mateo, Calif.-based Web performance monitoring company. The average time for a site to load exceeded four seconds, while they normally load in two to three seconds, Keynote said in a statement.
"This worm is taking off like a rocket, with well over 20,000 interceptions in just two hours of it being discovered," Ken Dunham, director of malicious code at iDefense Inc. in Reston, Va., said in a statement.
The worm arrives as an e-mail with an attachment that can have various names and extensions. The message can have a variety of subject lines and body texts, but in many cases it will appear to be an error report stating that the message body can't be displayed and has instead been attached in a file, experts said.
"This is something you might see from a mail system, so you click on the attachment," said Sharon Ruckman, senior director for Symantec Corp. Security Response.
Both Network Associates and Symantec agree that when the attached file is executed, the worm scans the system for e-mail addresses and starts forwarding itself to those addresses. If the victim has a copy of the Kazaa file-sharing application installed, it will also drop several files in the shared files folder in an attempt to spread that way.
Symantec also identified more malicious acts. The worm will install a "key logger" that can capture anything that is entered, including passwords and credit card numbers, Ruckman said. Furthermore, the worm will start sending requests for data to www.sco.com, the Web site of The SCO Group, which could result in the Web site going down if enough requests are sent, she said.
SCO has noticed that its Web site performance has intermittently slowed, but it is too early to say if there is an attack on the site, said SCO spokesman Blake Stowell. "It may be showing the early stages of a DOS attack," he said.
SCO has enraged the open source community by claiming that the Linux operating system contains software that violates SCO's intellectual property, and has been the subject of various attacks on its Web site.
Antivirus software vendors urge users to update their antivirus software and be careful when opening e-mail attachments. "If you're not expecting an e-mail, don't open it," Symantec's Ruckman said.
Network Associates' Gullotto expects the worm to keep causing headaches for a while. "It will be a couple of days before we're going to get to the point that it won't have any impact. It has a full head of steam, there are hundreds of thousands of e-mails and we may see well into the millions (of e-mails), and possibly hundreds of thousands of machines infected," he said.
Network Associates Inc.'s McAfee AVERT antivirus lab was analyzing copies of the virus this afternoon.
Research labs at Computer Associates International Inc. received 11 copies of the new worm almost simultaneously today, indicating a rapidly spreading infection, according to a company spokesman.
Mydoom appeared to be a "high risk" virus, according to a spokeswoman.
TOPICS: Business/Economy; Crime/Corruption; Culture/Society; Front Page News
KEYWORDS: email; internet; tech; worm
Navigation: use the links below to view more comments.
first 1-20, 21-40, 41-45 next last
My campus email network has been going on and off yesterday and today. They made a formal announcement concerning this worm a few hours ago. I have received about 5 emails with the virus already.
1
posted on
01/27/2004 4:50:49 PM PST
by
yonif
To: yonif
I've received several in the guise of Undeliverable Mail, or whatever they call it. And my email is a little glitchy today. Grrrrrrrrrr...........
2
posted on
01/27/2004 5:00:34 PM PST
by
EggsAckley
(..................**AMEND** the Fourteenth Amendment......(There, is THAT better?).................)
To: yonif
I've received several copies of it; a lot of them seem to come from ".edu" domains.
For Freepers who haven't already got it, "MailWasher" is invaluable for spotting wonky emails.
3
posted on
01/27/2004 5:02:18 PM PST
by
Grut
To: yonif
Until I had our email servers reject Mydoom emails immediately I was getting 5-10 a minute, all caught by the free antivirus software
ClamAV. Thank goodness for that software.
The email's easy to block "at SMTP time" as the file attachment's base64 encoding always starts with UEsDBAoAAAAAA -- block that and you've stopped 95% of its traffic.
I should put something in the servers that as soon as it seems that signature to slow down processing of the email to a character a second. Either that or send a LART back to the IP address that sent the email.
4
posted on
01/27/2004 5:03:40 PM PST
by
lelio
January 27, 2004
A new e-mail virus is spreading quickly through the Internet hitting e-mail servers, including ours, with as many as 1,000 e-mails a minute. The virus, dubbed "MyDoom" by anti-virus software maker Network Associates Inc. and "Novarg" by rival Symantec Corp., hit just after 4 p.m. yesterday. The result of this virus attack is that our email servers, are working very slowly and sometimes not working at all. We are taking steps to stablize the server but in the meantime email may be unavailable for brief periods.
To prevent the further spread of this virus, do not open attachments on any suspicious emails you receive. If the email has the following characteristics, delete it. DO NOT OPEN THE ATTACHMENT!
The virus-infected emails have the following characteristics:
From: - may be a spoofed address or from someone you know if their computer is infected
Subject: - (one of the following)
test
hi
hello
Mail Delivery System
Mail Transaction Failed
Server Report
Status
Error
Message: - (one of the following)
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Attachment: - (one of the following)
document
readme
doc
text
file
data
test
message
body
5
posted on
01/27/2004 5:05:34 PM PST
by
yonif
("If I Forget Thee, O Jerusalem, Let My Right Hand Wither" - Psalms 137:5)
To: EggsAckley
I've received several in the guise of Undeliverable Mail
That's no guise -- what happens is that a person infected with the virus sends email to you@yourdomain.com with a return address of clueless@victim.com. The mail server at @yourdomain.com rejects the email and then sends a bounce back to clueless@victim.com. It shouldn't do that last step.
I'm getting a lot of them with fakes From addresses like "bob" "alice" @ mydomain.com. That's really annoying.
Some anti-virus programs might not pick up on this one as the virus in the file attachment isn't really a MIME compliant file attachment. However some mail clients might still see it as an attachment.
6
posted on
01/27/2004 5:07:55 PM PST
by
lelio
To: yonif; All
7
posted on
01/27/2004 5:08:33 PM PST
by
backhoe
(--30--)
To: yonif
I have received about 50 of these in the last 24 hours. Seems to be slowing now.
8
posted on
01/27/2004 5:11:33 PM PST
by
Martin Tell
(happily lurking for over five years)
To: lelio
Do you mean that it has already found its way into my computer? One of the Mail Delivery messages had as a source something like
"roxyhotcheeks@......something...com Seems pretty suspect. I tried to forward it to earthlink, but THAT got returned. Have I *gasp* "got it?"
9
posted on
01/27/2004 5:12:31 PM PST
by
EggsAckley
(..................**AMEND** the Fourteenth Amendment......(There, is THAT better?).................)
To: backhoe
Great post. Thanks and bookmark and bump post by me.
10
posted on
01/27/2004 5:14:03 PM PST
by
tallhappy
(Juntos Podemos!)
To: EggsAckley
11
posted on
01/27/2004 5:20:13 PM PST
by
brbethke
To: tallhappy
Thanks for looking- Martin Fierro found most of those, but I can vouch for Script Defender- a simple idea that stops a lot of unwanted screwing around with your PC.
I think public flogging ought to be brought back for the cretins who write malicious code.
12
posted on
01/27/2004 5:20:15 PM PST
by
backhoe
(--30--)
To: backhoe
Do you know if AVG has a fix out for it yet?
13
posted on
01/27/2004 5:22:52 PM PST
by
Ronin
(When the fox gnaws -- Smile!!!)
To: yonif
Humm. I got two emails today with strange attachments. The Subject line was "Test." The message was gibberish. And the attachment was "somethingorother.txt ..." The triple dots alerted me to the fact that if I moved over to the right, the actual file was "somethingorother.txt[large blank space].pif.
In other words it wasn't a text file at all, but a .pif file masquerading as a text file. You have to watch out for those. It would probably install a virus if you opened it.
14
posted on
01/27/2004 5:25:23 PM PST
by
Cicero
(Marcus Tullius)
To: Ronin
Do you know if AVG has a fix out for it yet? Not exactly- I haven't read their website today, but when I checked "update now" a new file downloaded.
I make a habit of deleting anything questionable at the server side with Mailwasher. Call me paranoid, but I've had several nasty infections that required fdisk & format to wipe it out.
15
posted on
01/27/2004 5:28:32 PM PST
by
backhoe
(--30--)
To: yonif
If one wonders if they have this and don't have up to date viral software search for
shimgapi If you have it, you are infected.
16
posted on
01/27/2004 5:29:39 PM PST
by
tallhappy
(Juntos Podemos!)
To: EggsAckley
Earthlink's probably blocking that email from going past their servers. You can use Panda's free AV checking too to see if you have the virus.
17
posted on
01/27/2004 5:30:23 PM PST
by
lelio
To: brbethke
Search your computer for the file "shimgapi.dll" If the file is present, you've got it. If the file isn't, you don't. yeah. I just posted this as well.
But, there are other files that aren't necessarily searchable -- and I don't mean taskmon. I found a .pif file after I deleted taskmon and shimgapi.
One needs to do a viral scan with the latest settings is my impression.
18
posted on
01/27/2004 5:31:51 PM PST
by
tallhappy
(Juntos Podemos!)
To: yonif
People are just too lazy to update or install anti-virus or firewall protection. You can get some of these for free (I go through Symantec, however, I have Norton 2004 Anti-Virus and Firewall installed).
A computer is a moderate investment...if you don't want to take the 5 minutes or so a week to maintain it, then don't bother having one.
To: brbethke
Thank you SO much. I will check it out.
20
posted on
01/27/2004 5:39:12 PM PST
by
EggsAckley
(..................**AMEND** the Fourteenth Amendment......(There, is THAT better?).................)
Navigation: use the links below to view more comments.
first 1-20, 21-40, 41-45 next last
Disclaimer:
Opinions posted on Free Republic are those of the individual
posters and do not necessarily represent the opinion of Free Republic or its
management. All materials posted herein are protected by copyright law and the
exemption for fair use of copyrighted works.
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson