
Hi to MyDoom

By Tracy Burrows, ITWeb contributor.
Johannesburg, 27 Jan 2004

Anti-virus vendors have issued urgent alerts about a fast-spreading new Internet worm, MyDoom, which is exploding globally via e-mails with subject lines such as "Hi".

The worm appears to attempt denial of service attacks on SCO's Web site. SCO Group has been in the news recently over royalty-related disputes with other vendors and Linux users.

The MyDoom worm was discovered yesterday afternoon and spread so quickly that Trend Micro, Network Associates, Symantec and other anti-virus companies have rated it as a "high" outbreak.

Central Command describes the MyDoom outbreak as the first serious virus outbreak in 2004, which could top Sobig.F as the most prevalent Internet worm within days. Central Command says the new worm is spreading globally, with exceptionally heavy concentrations initially in the US and Europe. Local inboxes were also cluttered with the virus mails this morning, although the exact number of infections is not known yet.

Brett Myroff, CEO of local Sophos distributor Netxactics, says the worm harvests 'to' and 'from' e-mail addresses from a recipient's mailbox and appears to launch a distributed denial of service attack on SCO's Web site from infected computers.

He says the e-mail appears to be fairly technical in nature - unlike many mass-mailing worms that use photos or personal-sounding subject lines. It arrives in mail with subject lines such as "hi", "hello", "test" or "status".

"When the MyDoom worm forwards itself via e-mail, it can create its attachment in either Windows executable or Zip file format," says Myroff. "It is possible the worm's author did this in an attempt to bypass company filters which try and block EXE files from reaching their users from the outside world."

Other anti-virus companies report that it arrives in an attachment with a .scr or .pif extension.
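The filter-evasion point above (an EXE wrapped in a Zip slips past a filter that only blocks .exe attachments) is the one a mail administrator would want to test against. The following is an added example, not code from the article or from any of the vendors quoted in it: a small mail-gateway check that opens Zip attachments in memory and inspects their members, alongside the bare extension check it replaces. The subject lines and extensions come from the article; the "MZ" header check and all sample messages are my own assumptions, constructed here so the script runs offline.

```python
from __future__ import annotations

import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Subject lines and attachment extensions reported in the article.
SUSPECT_SUBJECTS = {"hi", "hello", "test", "status"}
EXEC_EXTENSIONS = {".exe", ".scr", ".pif"}


def _is_executable_name(name: str) -> bool:
    """True if the filename ends in a Windows executable extension."""
    return any(name.lower().endswith(ext) for ext in EXEC_EXTENSIONS)


def _looks_like_pe(head: bytes) -> bool:
    """Assumption: a Windows executable starts with the 'MZ' DOS header, so a
    payload renamed to .jpg or similar is still caught by content, not name."""
    return head[:2] == b"MZ"


def classify_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons (if any) an attachment should be blocked.

    A naive filter stops at the extension check. Here Zip archives are opened
    in memory and each member's name and first two bytes are inspected, so
    wrapping an EXE in a .zip does not bypass the filter. Only the header of
    each member is read, so a large or nested archive cannot exhaust memory.
    """
    reasons = []
    if _is_executable_name(filename) or _looks_like_pe(data):
        reasons.append(f"executable attachment: {filename}")
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    with zf.open(info) as member:
                        head = member.read(2)
                    if _is_executable_name(info.filename) or _looks_like_pe(head):
                        reasons.append(
                            f"executable inside archive: {filename}/{info.filename}"
                        )
        except zipfile.BadZipFile:
            reasons.append(f"unreadable zip attachment: {filename}")
    return reasons


def scan_message(raw: bytes) -> list[str]:
    """Scan a raw RFC 822 message; return findings (empty list if clean).

    The subject match is a weak signal on its own (real mail is titled "hi"
    too); the attachment checks are what decide whether to block.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = (msg["subject"] or "").strip().lower()
    if subject in SUSPECT_SUBJECTS:
        findings.append(f"suspect subject: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        findings.extend(classify_attachment(name, payload))
    return findings


def build_sample(subject: str, filename: str, data: bytes) -> bytes:
    """Constructed sample message for testing; not a real MyDoom capture."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content("test")
    msg.add_attachment(
        data, maintype="application", subtype="octet-stream", filename=filename
    )
    return msg.as_bytes()


def zipped(inner_name: str, inner_data: bytes) -> bytes:
    """Wrap one file in a Zip archive, the way the article says the worm does."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner_data)
    return buf.getvalue()


# Constructed stand-in for an executable body: just the DOS header plus padding.
FAKE_PE = b"MZ" + b"\x00" * 62

if __name__ == "__main__":
    samples = (
        build_sample("hi", "document.exe", FAKE_PE),
        build_sample("hello", "document.zip", zipped("document.exe", FAKE_PE)),
        build_sample("status", "photo.jpg", FAKE_PE),
        build_sample("Meeting notes", "notes.txt", b"plain text"),
    )
    for raw in samples:
        print(scan_message(raw) or ["clean"])
```

The same approach extends to any container the gateway can open; the point is that the decision is made on what is inside the archive, and on the bytes of the file, rather than on the name the sender chose.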

When the worm, also dubbed Novarg, Shimgapi or Mimail-R, is activated, the infected computer's hard disk is harvested by the worm for more e-mail addresses to send itself to. The worm opens a backdoor onto infected computers, which allows hackers to gain access.

"We`re seeing fast-spreading malicious worms being released one after another today," said Steven Sundermeier, VP of products and services at Central Command, late yesterday.

"Initial reports of MyDoom have already surpassed the other new releases in a matter of minutes. The alarming rate of submissions closely mimics that of later variants of Sobig.F. This has all the characteristics of being the next big one."

Central Command's Emergency Virus Response Team confirmed over 3 800 infections of MyDoom within 45 minutes of initial discovery.

Ken Dunham, director of Malicious Code at iDefense, reported early this morning that over 700 000 interceptions had already been made in the first few hours of the outbreak.

"This type of blitzkrieg attack may be leveraging formerly infected zombie computers to quickly spread the worm in the wild. It's a growing problem in prolific worm attacks, where many computers are compromised with a worm and Trojan mix within a few short hours," says Dunham.

iDefense reports that the 'kill date' for this worm is 12 February, but warns that a new variant could emerge in the wild around that time.
