Update: Fast-Spreading Worm Spells Doom

A new e-mail worm is spreading rapidly on the Internet, clogging e-mail servers and staging an attack on the Web site of Unix vendor The SCO Group, antivirus software vendors say.

The worm surfaced Monday and has been given several names by antivirus software vendors, including Mydoom, Novarg, and Mimail.R (the latest variant of the prolific Mimail virus). Experts don't all agree on the worm's payload, but they do agree that it is spreading faster than Sobig-F, the worm that topped the charts for the most widespread email worm last year.

"It has been moving very quickly for the past three hours and has been generating a hell of a lot of e-mail," says Vincent Gullotto, vice president of the Anti-Virus Emergency Response Team at Network Associates, speaking on Monday afternoon. Some businesses have shut down their e-mail gateways to block the worm, he adds.

Massive spreading of the worm slowed down performance of the top 40 U.S. business Web sites Monday afternoon, according to Keynote Systems, a San Mateo, California-based Web performance monitoring firm. The average time for a site to load exceeded four seconds, while they normally load in two to three seconds, Keynote says in a statement.

Vaccines Available

However, the major antivirus vendors have updated their virus definitions to contain the worm. They urge users to protect their systems and be careful when opening e-mail attachments.

"If you're not expecting an e-mail, don't open it," says Sharon Ruckman, senior director for Symantec Security Response.

Network Associates' Gullotto expects the worm will keep causing headaches for a while.

"It will be a couple of days before we're going to get to the point that it won't have any impact," he says. "It has a full head of steam, there are hundreds of thousands of e-mails and we may see well into the millions (of e-mails), and possibly hundreds of thousands of machines infected," he says.

This worm has taken off like a rocket, with well over 20,000 interceptions within just two hours of it being discovered, says Ken Dunham, director of malicious code at Internet security company iDefense.

How the Worm Turns

The worm arrives as an e-mail with an attachment that can have various names and extensions, including .exe, .scr, .zip, or .pif. The e-mail can have a variety of subject lines and body texts, but in many cases it will appear to be an error report stating that the message body can't be displayed and has instead been attached in a file, experts says.

The sender's address can be spoofed, meaning that the message could appear to be from a colleague, friend or the e-mail system administrator.

"This is something you might see from a mail system, so you click on the attachment," Ruckman says. Only users of computers running Microsoft's Windows are at risk, according to Symantec.

Representatives of both Network Associates and Symantec agree that when the attached file is executed, the worm scans the system for e-mail addresses and starts forwarding itself to those addresses. If the victim has a copy of the Kazaa file-sharing application installed, it will also drop several files in the shared files folder in an attempt to spread that way.

Aimed at SCO?

Symantec also identified more malicious acts. The worm will install a "keystroke logger" that can capture anything that is entered, including passwords and credit card numbers, Ruckman says. Furthermore, the worm will start sending requests for data to www.sco.com, the Web site of The SCO Group, which could result in the Web site going down if enough requests are sent, she says.

The "denial of service" attack on the SCO Web site is programmed to occur between February 1 and February 12, according to a Symantec statement on its Web site late Monday evening.

Antivirus vendors Trend Micro and F-Secure report that the worm installs a "backdoor," potentially allowing an attacker access to the infected system.

SCO has noticed that its Web site performance has intermittently slowed, but it is too early to say if there is an attack on the site, says Blake Stowell, an SCO spokesperson.

"It may be showing the early stages of a DOS attack," he says. SCO has enraged the open source community by claiming that the Linux operating system contains software that violates SCO's intellectual property, and has been the subject of various attacks on its Web site.

The Mydoom worm so far has spread mostly in the U.S., after it was first detected in Russia, e-mail filtering company MessageLabs reported on its Web site late Monday night. Information from Trend Micro at the same time showed the worm is also spreading in Australia, New Zealand, and Japan.

Subscribe to the Security Watch Newsletter

Comments