Virus: MyDoom, Shimgapi, Novarg, W32/Mydoom.A@mm
Wednesday, 28 January 2004
Not anything to do with snowboarding I know, but important enough for me to post about.
There is currently a virus spreading throughout systems everywhere; it's causing me no end of problems regarding bogus emails which I am receiving from random addresses.
My system (and I suggest yours should be too) is protected by Symantec virus protection which scans each email I receive and deletes the attachment accordingly. However, I have performed additional scans using the tool which can be downloaded from here http://www.f-secure.com/tools/f-mydoom.zip
Numerous checks have shown my machine to be clean of this virus. However, I have established that as part of its attack the virus fakes the e-mail sender address so it appears the virus is being sent by someone other than the person whose machine is actually infected. It also tries to verify the domains of addresses. To this end, any emails received from the 0-21.co.uk domain containing this virus have not been generated from my machine.
If you would like to know more about the virus, what it does etc., read on.
NAME: Mydoom
ALIAS: Shimgapi, Novarg, W32/Mydoom.A@mm
SIZE: 22528
An e-mail virus is running rampant through the Internet, infecting a host of large corporations and generating an avalanche of e-mail, thanks to a novel use of both virus and spamming tactics.
The virus, dubbed "Mydoom" by antivirus software maker Network Associates Inc. and "Novarg" by rival Symantec Corp., is creating an outbreak experts expect to be larger than that of any other recent e-mail virus, including those in the "Mimail" and "SoBig" families of viruses.
"It's something of the likes of which we've never seen before because of the way that it's spreading," said Vincent Gullotto, vice president of Network Associates' Antivirus Emergency Response Team.
Two of the company's customers reported that 1,000 e-mails per minute were hitting their e-mail gateways, he said, and at least four Fortune 500 companies have reported infection. Such victims can quickly advance a virus, such as Mydoom, that harnesses internal e-mail lists because their internal address books are enormous.
Sharon Ruckman, senior director of Symantec Security Response, said the outbreak, already massive in its first hour of existence, looks like it will be comparable to the terrible "Nimda" outbreak of September 2001.
Network Associates is rating the virus "high outbreak," its highest threat rating, while Symantec rates it four on a scale of one to five.
Late Monday, antivirus software makers were rushing to dissect the virus to see what other harm, aside from floods of e-mail, it's designed to cause in order to provide customers with software updates to block it and tools to clean infected PCs. They were urging all customers to update their software immediately and corporations, in particular, to block dangerous message attachment types. They urged companies infected with Mydoom to block all outgoing e-mail until they're able to clean up.
Full evaluations of the virus were still underway, but experts said Mydoom drops a backdoor that hackers can use to enter victim machines at a later time.
According to Symantec's Web site, it's designed to launch a so-called denial of service against www.sco.com, the home page of software company SCO Group Inc. Such attacks aim to flood a site with bogus traffic in the hopes of shutting it down.
The SCO site was functional recently, though slow to download.
SCO suffered a number of these coordinated attacks last year, and at the time blamed supporters of the Linux operating system. SCO, based in Linden, Utah, roiled the Linux community after it filed a lawsuit against International Business Machines Corp. claiming some of SCO's Unix software code was copied into Linux. SCO is seeking royalties from Linux users.
In addition, SCO last week sued Novell Inc., alleging that it is falsely claiming ownership of Unix and interfering with SCO's rights to the operating system. Novell said it has rights covering Unix software and will "vigorously defend" itself.
SCO spokesman Blake Stowell said the virus is designed to direct victim PCs to attack SCO's corporate Web site, but declined to speculate on who might be behind the attack. Stowell said he has heard reports that the site was downloading slowly, but said the company's measurement tools pointed to normal site operation.
"As of right now, we're not in the middle of a DOS attack," he said. However, Stowell conceded "we could be in the beginning stages of this now."
SCO's information-technology team and Internet-service provider -- a denial of service victim's best ally -- are monitoring the situation closely and looking to see what defensive measures may be available. Denial of service, or DOS, attacks tend to be difficult to stop because it's hard to separate "good" customer traffic from "bad" attack traffic.
Other viruses have tried to create networks of "zombie" PCs for launching DOS attacks, the most famous being August's "Blaster" network worm, which was programmed to direct infected machines to attack Microsoft Corp.'s security-patch download site. Microsoft sidestepped the attack by changing the site's address.
In its movement through the Internet, Mydoom works like a standard e-mail virus: A Windows PC user activates the virus by opening its message's virus-laden attachment, and the virus sends itself out to the addresses it finds in the PC's address book. It also tries to spread by copying itself into any shared directories in the PC that are used by the KaZaA peer-to-peer file sharing network.
Mydoom uses messages with randomized subject lines and can have any of several message texts, including: "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment"; "The message contains Unicode characters and has been sent as a binary attachment."; and "Mail transaction failed. Partial message is available."
Those messages are designed to trick users into opening the attachment, in a futile effort to read what they imagine is a message with formatting problems. In some cases, the opened attachment looks like a Notepad file, a simple type of text file users know to be safe, said Symantec's Ruckman.
Like SoBig before it, Mydoom fakes the e-mail sender address so it appears the virus is being sent by someone other than the person whose machine is actually infected. It also tries to verify the domains of addresses it harvests and then mail itself to myriad made-up names at that domain, in a tactic that appears to mimic a spammer's "dictionary attack."
"The e-mails are literally bogus. They will come back to the machine that sent them as bounced, creating an additional dimension of mail we have not seen before," Mr. Gullotto said.
One Network Associates customer said it got 20,000 messages in one hour from 3,400 different Internet protocol addresses, or PCs, suggesting that the other 16,600 messages came from bogus addresses.
F-Secure is upgrading the Mydoom (Novarg) worm to Level 1 because of increased infection reports around the world. The worm sends email attachments with a random name ending with ZIP, BAT, CMD, EXE, PIF or SCR extension.
MessageLabs has now intercepted 1.2 million copies of W32/Mydoom.A-mm. The company is processing between 50,000 and 60,000 copies of the worm an hour. To date, the worm's peak infection rate is 1 in 12 of all email scanned by MessageLabs. So far, the worm has been seen in 168 countries.
