
Mydoom worm becomes the worst such incident in virus history

The Mydoom e-mail worm, which was first found on January 26th, has already overtaken Sobig.F as the worst e-mail worm attack in history. The Sobig.F worm spread massively in August 2003 and until now has held the title of the fastest spreading e-mail worm ever. E-mail worms are currently the most common virus type in the world. Automatic network worms can spread even faster, but they are not nearly as common.

According to anti-virus company F-Secure, there are three main reasons behind the fast outbreak of Mydoom:

1. Social engineering: the worm masks the infected e-mails to look like system error messages, prompting people to click on them. Also, some of the infected attachments are inside ZIP archives, which might seem less dangerous to users.

2. Time zones: unlike most other recent e-mail worm outbreaks, Mydoom was found in the middle of business hours in the USA, and several large corporate networks got infected immediately.

3. Aggressive collection of e-mail addresses: in addition to sending itself to e-mail addresses found in users’ files, the worm also creates new addresses by guessing common user names and prepending them to the domain names of the addresses it found. It can also bypass some of the tricks people use to hide their e-mail addresses from spammers.

Although Mydoom (aka Novarg) is now very widespread, it does not pose an immediate threat to infected computers. Mydoom launches a worldwide denial-of-service attack from every infected computer against the website www.sco.com, which belongs to SCO, a well-known Unix vendor. In fact, some have already nicknamed the virus “ScoBig”. However, this attack should not affect the rest of the Internet.

This attack is programmed to start on Sunday, February 1st, at 16:09:18 UTC. The significance of this exact time is not known. It should also be noted that SCO’s web site has suffered several denial-of-service attacks over the last few months, but none of them was carried out using viruses. It’s also possible that the attack against SCO is just a smokescreen to misdirect attention away from the backdoor component in the virus – which is most likely included in order to facilitate the sending of spam e-mail messages.

Current estimates are that between 20 and 30 percent of all e-mail traffic worldwide is being generated by this worm.

F-Secure is urging Internet Service Providers to start dropping infected e-mails instead of delivering them to end users. F-Secure is releasing information for ISPs on how to reliably detect infected e-mails in mail queues with minimal processing power. These solutions are available for free and do not require the use of F-Secure’s products.
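As an added illustration (not code from this article, nor F-Secure's ISP guidance, which the article does not reproduce), here is a small Python mail-queue filter that applies the two traits the article attributes to the worm's messages: a subject that imitates a system error report and an executable attachment, possibly wrapped in a ZIP archive. It inspects only headers and attachment names, so it is cheap to run over a queue. The subject patterns, the extension list and the sample messages are assumptions constructed for the example, not indicators taken from the worm.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Illustrative heuristics (assumptions for this example, not F-Secure's published rules):
# subjects that read like a mail-system error, and attachment types that are executable.
ERROR_SUBJECT = re.compile(r"(mail delivery|delivery (failed|status|error)|undeliverable|returned mail|server report)", re.I)
EXEC_EXT = (".exe", ".scr", ".pif", ".cmd", ".bat")


def attachment_names(msg):
    """Return attachment filenames; for ZIP attachments, also the names stored inside the archive."""
    names = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        names.append(fname)
        if fname.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    names.extend(zf.namelist())  # central directory only, no extraction
            except zipfile.BadZipFile:
                names.append(fname + "!badzip")
    return names


def suspicious(raw_bytes):
    """True when the subject looks like an error report AND an executable is attached (directly or zipped)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    has_exec = any(n.lower().endswith(EXEC_EXT) for n in attachment_names(msg))
    looks_like_error = bool(ERROR_SUBJECT.search(msg.get("Subject", "")))
    return has_exec and looks_like_error


def build_sample(subject, filename, payload, zipped=False):
    """Construct a sample queue message (constructed test data, not a real worm message)."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.org"
    msg["To"] = "user@example.net"
    msg["Subject"] = subject
    msg.set_content("The original message was included as an attachment.")
    if zipped:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(filename, payload)
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="message.zip")
    else:
        msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

Messages flagged by `suspicious` would be held or dropped before delivery; a benign message with a document attachment or a non-error subject passes through.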

A detailed technical description, removal instructions and screenshots of the Mydoom worm are available in the F-Secure Virus Description Database at http://www.f-secure.com/v-descs/novarg.shtml.

Date: 29th January 2004 • Region: Worldwide • Type: Article • Topic: ISM



Copyright 2004 Portal Publishing Ltd