January 27, 2004

MyDoom Spreads Gloom

In case you've been bombarded by strange e-mails over the past two days and don't know why, there's a new bad boy in town named MyDoom, also known as Novarg or Mimail.R depending on which antivirus provider you ask. Right now, experts are saying this could be the next big one. Among other things, it's been reported to do the following:

  • Travels as an e-mail attachment and relies on social engineering to entice recipients into opening the attachment, which is what infects the PC. (Never underestimate social engineering -- it's one of the reasons blogs are so popular in search engine results.)
  • Sends out 100 infected e-mail messages in 30 seconds to e-mail addresses stored in the computer's address book and other documents. (Interestingly, it specifically avoids distribution to certain domain names and e-mail accounts -- presumably so these organizations and accounts are not infected.)
  • Copies itself to the Kazaa download directory on PCs if Kazaa is installed. The offending file is one of seven file names: Winamp5, icq2004-final, Activation_Crack, Strip-gril-2.0bdcom_patches, RootkitXP, Officecrack and Nuke2004, with a file extension of .PIF, .SCR, .BAT, or .EXE.
  • Performs a Denial of Service (DoS) starting on February 1, 2004, and has a trigger date to stop spreading on February 12, 2004.
  • Opens up a backdoor so that hackers can download and execute files later (some speculate that this may be for launching other DoS attacks).
  • Affects computers running Windows 95, 98, ME, NT, 2000 and XP.
  • Per Wired News, there were conflicting reports as to whether or not it includes a key-logging program. Although the key-logging discovery was attributed to Symantec, no keylogger component is mentioned on Symantec's own Novarg security response page.

This worm looks to be more of a social protest, which probably explains MyDoom's partially selective nature. According to CNet News, MyDoom is programmed to instruct infected PCs to launch a Denial of Service (DoS) attack against the SCO Group's web server between Feb. 1 and Feb. 12. Per CNET, "[t]he SCO Group has incurred the wrath of the Linux community for its claims that important pieces of the open-source operating system are covered by SCO's Unix copyrights. IBM, Novell and other Linux backers strongly dispute the claims."

My best advice regarding e-mail attachments is this: Even if you recognize the sender of the e-mail, never click on any e-mail attachment that is an executable (e.g., ending in .PIF, .SCR, .BAT, or .EXE). It also helps to configure Windows to NOT hide file extensions, so you can see each file's true extension. This worm only spreads if someone opens the attachment. As Nancy Reagan once put it: "Just Say No" to strange attachments. However, if you absolutely must open one, make sure your antivirus definitions are completely updated, and always scan the suspect attachment before opening it (don't rely on your antivirus program to catch it on the fly).
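To show the attachment rule above as something a mail gateway or mail client could enforce, here is an added example (my own code, not anything from the original post or from an antivirus vendor). It parses a constructed MIME message and flags attachments whose final extension is one of the four executable types listed, notes double extensions of the kind the "hide file extensions" setting would mask, and recognizes the Kazaa bait names from the list above.

```python
import email
from email import policy
from pathlib import PureWindowsPath

# Extensions the post says never to open, and the Kazaa bait names it lists.
EXEC_EXTENSIONS = {".pif", ".scr", ".bat", ".exe"}
MYDOOM_BAIT_NAMES = {"winamp5", "icq2004-final", "activation_crack", "rootkitxp",
                     "officecrack", "nuke2004", "strip-gril-2.0bdcom_patches"}

def classify_filename(name):
    """Return why an attachment name is risky, or None if it looks harmless."""
    # Windows runs a file by its *last* extension; normalise case and padding.
    path = PureWindowsPath(" ".join(name.lower().split()))
    suffixes = [s.strip() for s in path.suffixes]
    if not suffixes or suffixes[-1] not in EXEC_EXTENSIONS:
        return None
    reason = "executable attachment (%s)" % suffixes[-1]
    if len(suffixes) > 1:  # 'report.txt.pif' displays as 'report.txt'
        reason += ", double extension hiding behind %s" % suffixes[-2]
    if path.stem.strip() in MYDOOM_BAIT_NAMES:
        reason += ", known MyDoom bait name"
    return reason

def flag_attachments(raw_message):
    """Parse a raw MIME message and return (filename, reason) for risky parts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = classify_filename(name)
        if reason:
            findings.append((name, reason))
    return findings

# Constructed sample message (not a real MyDoom capture).
SAMPLE = b"""From: sender@example.test
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Activation_Crack.exe"

data
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="report.txt.pif"

data
--b1--
"""
```

Calling `flag_attachments(SAMPLE)` returns both attachments with their reasons, while a plain `notes.txt` attachment would not be flagged.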

For more information:

"Tricky E-Mail Worm Spreads Fast", Wired News, Jan. 26, 2004
"Gloomy Forecast for MyDoom Fallout", CNet News, Jan. 27, 2004
Symantec Security Response for W32.Novarg.A@mm

Topic(s):   Privacy & Security
Posted by Jeff Beard