A new mass-mailing worm called Mydoom-A is flooding e-mail inboxes worldwide. Mydoom-A came on with a vengeance overnight and as of 9 a.m. EST today, U.K.-based e-mail security services firm MessageLabs Inc. said the worm was infecting one in every 41 e-mail messages. It had stopped more than 577,000 copies during the last 24 hours.
It appears the worm is also set to launch a denial-of-service attack against the Web site of The SCO Group. The Unix vendor is suing IBM for allegedly improperly donating code from SCO's System V Unix to the Linux kernel and has already been hit be two denial-of-service attacks in the last six months.
Unlike recent worms like Mimail-P, Mydoom doesn't borrow spammer techniques, and that may be accounting for its rapid propagation as it appears to be eluding antispam filters.
Antivirus software vendors have rated MyDoom, also known as Novarg-A (Symantec) or Mimail-R (Trend Micro) as a high-threat. Symantec has it as a 4 or severe threat. McAfee has it as a high risk. F-Secure Corp. has it as a level 1, its highest rating.
"Some countries seem to be hit more than others," said Graham Cluley, senior technology consultant with U.K.-based Sophos PLC. "We have been getting a lot of reports from Australia and America."
The timing of the worm made it less of an issue for Europe because it started to spread during the night there, Cluley said.
Mydoom uses a variety of message bodies and subject lines rendering content filtering useless in preventing infection. Generally, the worm travels as an attachment to a fairly benign-looking e-mail. It commonly uses "Hi", "Hello" or "TEST" as a subject line. "It doesn't use the typical sex-based social engineering. In other words, it's not promising pictures of a tennis player with nice legs," Cluley said.
In some cases, the worm comes attached to a message that appears to be an undeliverable e-mail. The worm uses an icon that makes the attachment appear to be a text file when it's in fact an executable.
"It is clear to me that the worm is specificly targeting corporate e-mail users," said David Perry, Trend Micro Inc.'s global director of education. "It would have thousands more potential connections if it could get into a corporate e-mail account than if it hit an end-user on AOL."
The messages containing Mydoom look like typical messages one would see in a corporate environment. Mydoom sometimes travels as a zip file, which may have added to its success as companies generally allow such files in. On the other hand, companies often block executable files because there aren't many business uses for them.
"It's quite common for companies to exchange information with zip files. Blocking will help prevent infection but it is not a long-term solution," Cluley said.
When infecting a system, Mydoom opens TCP ports 3127 and 3198, enabling remote access to network resources or code execution. It also searchers the machine's hard drive for e-mail addresses to harvest. Mydoom spreads itself via a self-contained SMTP engine.
Initial reports say the worm will launch a denial of service attack against the Web site of The SCO Group on Feb. 1, lasting until Feb. 12. SCO has become the whipping boy for many Linux supporters as the company is suing IBM over code SCO said it donated to the Linux kernel. "There's a lot of people not too enamored with SCO at the moment," Cluley said.
However, the denial of service attack is targeted at the SCO site's IP address, not the domain name. Preventing an attack would be as simple as changing the IP address for www.sco.com. "If it was targeted at the domain name then there would be other problems," Perry said. "The attack wouldn't slow down the Web site but all the DNS servers leading up to it would slow down."
FEEDBACK: What are your best practices in cleaning up a large infeciton like Mydoom?
Send your feedback to the SearchSecurity.com news team.