International Business News




Mydoom virus - High Outbreak



January 29, 2004 -- The mass-mailing MyDoom virus has become the fastest-spreading program to date, and the damage could continue for several months or much longer.

The virus, also known as Novarg (F-Secure), W32.Novarg.A@mm (Symantec), Win32/Shimg (CA), WORM_MIMAIL.R (Trend), spread quickly across the Internet, traveling as an e-mail attachment and infecting PCs whose users opened the malicious file.

Virus Characteristics

This is a mass-mailing worm that arrives in an email message as follows:

From: (spoofed)
Subject: (random), possibly "Mail Delivery System," "Test" or "Mail Transaction Failed."
Body: (varies), such as:

  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • Mail transaction failed. Partial message is available.

Attachment: (varies [.exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (22,528 bytes)

The icon used by the file tries to make it appear as if the attachment is a text file.
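The message traits listed above can be expressed as a mail-triage check. The following Python sketch is an added example, not code from the article or from any anti-virus vendor; the function names, the sample sender address and the sample attachment names are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Traits taken from the article; matching is a triage signal, not a verdict.
SUBJECTS = {"mail delivery system", "test", "mail transaction failed"}
BODY_PHRASES = ("has been sent as a binary attachment",
                "mail transaction failed. partial message is available")
RISKY_EXT = (".exe", ".pif", ".cmd", ".scr")
PAYLOAD_SIZE = 22528  # bytes, as reported above

def executable_members(filename, data):
    """(name, size) of executable payloads, looking one level into a ZIP."""
    items = [(filename, len(data))]
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                items = [(i.filename, i.file_size) for i in z.infolist()]
        except zipfile.BadZipFile:
            return []
    return [(n, s) for n, s in items if n.lower().endswith(RISKY_EXT)]

def triage(raw):
    """Return the article traits that a raw RFC 822 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = " ".join(body.get_content().lower().split()) if body else ""
    if any(p in text for p in BODY_PHRASES):
        hits.append("body")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        for name, size in executable_members(part.get_filename() or "", data):
            hits.append("attachment:" + name)
            if size == PAYLOAD_SIZE:
                hits.append("size")
    return hits

def sample(subject, body, filename, data):
    """Build a constructed test message (not a real capture)."""
    m = EmailMessage()
    m["From"], m["Subject"] = "sender@example.com", subject
    m.set_content(body)
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A message that matches several traits at once (subject, body and an executable inside a ZIP) deserves quarantine; a lone "Test" subject does not.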

When opened, the virus installs a stealth program on the victim's computer that opens up a software "back door." Attackers can then bypass the PC's security and turn the system into a bounce point, or proxy, for any network-based attack.

It copies itself to the local system with the following filenames:

  • c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr
  • %SysDir%\taskmon.exe

Perhaps more troubling is the fact that other online vandals could route new attacks through the infected PCs.


Method of Infection

The file tries to spread via email and by copying itself to the Kazaa download directory on PCs on which the file-sharing program is loaded. The virus camouflages itself with one of seven file names: Winamp5, icq2004-final, Activation_Crack, Strip-gril-2.0bdcom_patches, RootkitXP, Officecrack and Nuke2004.

The mailing component harvests addresses from the local system. Files with the following extensions are targeted:

  • wab
  • adb
  • tbb
  • dbx
  • asp
  • php
  • sht
  • htm
  • txt

Additionally, the worm contains strings that it uses to randomly generate, or guess, addresses.

Attackers can use the proxies to hide their real locations, making it very difficult to trace the origin of an online assault.

Remember the Code Red worm? It infected Windows computers running Microsoft's Web server software, called Internet Information Server. While the primary infection hit in July 2001, tens of thousands of computers remain infected with the worm, which is still scanning the Internet looking for vulnerable systems to infect.

The effects of the massive spread of the MyDoom virus have already been felt.

The virus affects computers running Windows versions 95, 98, ME, NT, 2000 and XP, and arrives in the user's in-box as an attachment to an e-mail message that appears to be an error response from an e-mail server.

With the large number of PCs with poor security, MyDoom-infected computers will be a drop in the bucket. The mass-mailing part will have more of an impact.


Aliases
Novarg (F-Secure), W32.Novarg.A@mm (Symantec), Win32/Shimg (CA), WORM_MIMAIL.R (Trend)

Source: McAfee, CNET News


Copyright - Unless otherwise stated all contents of this web site are © 1998/2004– JOBWERX.COM. – All Rights Reserved. For permission to reproduce any contents of this web site, please advise our Syndication department: Log onto HELP

 



 


