January 26, 2004

MyDoom virus hammering Windows systems

Author: Chris Preimesberger

SECOND UPDATE A new Windows virus, called MyDoom (officially, W32/Mydoom@MM) and circulating in the form of a 32K Zip file, began hitting corporate and private e-mail boxes Monday at about 1 p.m. Pacific Standard Time. It masquerades as a Kazaa P2P component and tries to embed itself in the Kazaa shared folder for music and other file-swapping.

The virus, also known as Novarg and Shimgapi, apparently affects only Windows 95 systems and later. Macintosh, Linux, UNIX, Windows 3.X, DOS, and OS/2 systems are not affected.

It was quickly spreading Monday through email and the Kazaa network, the latter of which averages anywhere from 2 million to 5 million users at any given time.

F-Secure, an Internet security software maker based in Finland, came out with a detailed report later Monday afternoon in which it said "the worm opens Notepad with garbage data in it. It also attacks SCO.com with a DDoS-attack."

As of 5:15 p.m. PST, the SCO Group's Web site was up and running despite the threat.

"In one hour, Network Associates itself received 19,500 e-mails bearing the virus from 3,400 unique Internet addresses," Network Associates vice-president Vincent Gullotto told C/net. Network Associates is the maker of McAfee Security antivirus software.

Once the virus is embedded in a computer, it installs a program that allows the computer to be controlled remotely. The PC then starts sending data to the SCO Group's Web server, a Symantec spokesman told C/net. Cupertino, Calif.-based Symantec also published a detailed report.

McAfee posted one of the first analyses of the worm Monday afternoon. The virus package, which contains an infected .pif, .scr, .exe, or .cmd file, is sent from spoofed email addresses. Early on it usurped the names of familiar IT-related sites, including NewsForge.com, The Street.com, PCMag.com, Circuitnet.com, AOL.com, FoxNews.com, BEA.com, and Yahoo.com. The virus takes addresses from an infected machine's Outlook address book.

Some of the infected files come disguised as "Mail Delivery System" messages, or error messages. Often there are no headers on them or type in the message field.

The icon used by the file tries to make it appear as if the attachment is a text file, McAfee says in its description. When the file is run, it copies itself into the computer registry to hook the computer startup. From there it creates a DLL in the Windows system directory and opens a connection on TCP port 3127, suggesting remote access capabilities, McAfee said.

Upon executing the virus, Notepad is opened, filled with nonsense characters. Security experts continue to examine the package.


  • Security
Click Here!