Potent Mydoom worm flooding inboxes

By Edward Hurley, News Writer
27 Jan 2004 | SearchSecurity.com


A new mass-mailing worm called Mydoom-A is flooding e-mail inboxes worldwide. Mydoom-A came on with a vengeance overnight and as of 9 a.m. EST today, U.K.-based e-mail security services firm MessageLabs Inc. said the worm was infecting one in every 41 e-mail messages. It had stopped more than 577,000 copies during the last 24 hours.

It appears the worm is also set to launch a denial-of-service attack against the Web site of The SCO Group. The Unix vendor is suing IBM for allegedly improperly donating code from SCO's System V Unix to the Linux kernel and has already been hit by two denial-of-service attacks in the last six months.

Unlike recent worms like Mimail-P, Mydoom doesn't borrow spammer techniques, which may account for its rapid propagation, as it appears to be eluding antispam filters.

Antivirus software vendors have rated Mydoom, also known as Novarg-A (Symantec) or Mimail-R (Trend Micro), as a high threat. Symantec rates it a 4, or severe. McAfee rates it high risk. F-Secure Corp. rates it level 1, its highest rating.

"Some countries seem to be hit more than others," said Graham Cluley, senior technology consultant with U.K.-based Sophos PLC. "We have been getting a lot of reports from Australia and America."

The timing of the worm made it less of an issue for Europe because it started to spread during the night there, Cluley said.

Mydoom uses a variety of message bodies and subject lines rendering content filtering useless in preventing infection. Generally, the worm travels as an attachment to a fairly benign-looking e-mail. It commonly uses "Hi", "Hello" or "TEST" as a subject line. "It doesn't use the typical sex-based social engineering. In other words, it's not promising pictures of a tennis player with nice legs," Cluley said.

In some cases, the worm comes attached to a message that appears to be an undeliverable e-mail. The worm uses an icon that makes the attachment appear to be a text file when it's in fact an executable.

"It is clear to me that the worm is specifically targeting corporate e-mail users," said David Perry, Trend Micro Inc.'s global director of education. "It would have thousands more potential connections if it could get into a corporate e-mail account than if it hit an end-user on AOL."

The messages containing Mydoom look like typical messages one would see in a corporate environment. Mydoom sometimes travels as a zip file, which may have added to its success as companies generally allow such files in. On the other hand, companies often block executable files because there aren't many business uses for them.

"It's quite common for companies to exchange information with zip files. Blocking will help prevent infection but it is not a long-term solution," Cluley said.

When infecting a system, Mydoom opens TCP ports 3127 and 3198, enabling remote access to network resources or code execution. It also searches the machine's hard drive for e-mail addresses to harvest. Mydoom spreads itself via a self-contained SMTP engine.
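The traits described above (a bland "Hi"/"Hello"/"TEST" subject, an executable dressed up as a text file, or a zip carrying one) can be checked at a mail gateway. The following is an added example for this article, not code from SearchSecurity or any vendor quoted here; the list of executable extensions and the sample message are assumptions constructed for illustration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Subject lines the article names as common for Mydoom-A.
SUSPECT_SUBJECTS = {"hi", "hello", "test"}
# Extensions treated as executable (an assumed list, not from the article).
EXEC_EXTS = (".exe", ".scr", ".pif", ".cmd", ".bat", ".com")


def executable_names(filename, payload):
    """Executable file names in an attachment; zip archives are opened in memory."""
    name = (filename or "").lower()
    if name.endswith(EXEC_EXTS):
        return [filename]
    if name.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                return [m for m in zf.namelist() if m.lower().endswith(EXEC_EXTS)]
        except zipfile.BadZipFile:
            return []
    return []


def triage(raw_message):
    """Flag a raw e-mail for the Mydoom traits the article describes.

    Returns (suspicious, reasons): suspicious only when an executable is
    attached directly or inside a zip; a bland subject just adds a reason.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    subject = (msg["subject"] or "").strip().lower()
    if subject in SUSPECT_SUBJECTS:
        reasons.append(f"bland subject {subject!r}")
    for part in msg.iter_attachments():
        for f in executable_names(part.get_filename(), part.get_payload(decode=True)):
            reasons.append(f"executable payload {f!r}")
    return any(r.startswith("executable") for r in reasons), reasons


def sample_message():
    """Constructed sample: a 'TEST' mail carrying a zip that hides an .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt.exe", b"MZ not a real program")
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = "TEST", "alice@example.com", "bob@example.com"
    m.set_content("test")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="readme.zip")
    return m.as_bytes()
```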

Initial reports say the worm will launch a denial-of-service attack against the Web site of The SCO Group on Feb. 1, lasting until Feb. 12. SCO has become the whipping boy for many Linux supporters as the company is suing IBM over code SCO said it donated to the Linux kernel. "There's a lot of people not too enamored with SCO at the moment," Cluley said.

However, the denial-of-service attack is targeted at the SCO site's IP address, not the domain name. Preventing an attack would be as simple as changing the IP address for www.sco.com. "If it was targeted at the domain name then there would be other problems," Perry said. "The attack wouldn't slow down the Web site but all the DNS servers leading up to it would slow down."

FEEDBACK: What are your best practices in cleaning up a large infection like Mydoom?
Send your feedback to the SearchSecurity.com news team.