
Jan 29, 2004

Mydoom worm is now the worst email worm incident in virus history

There are three main reasons behind the fast outbreak of Mydoom:

(1) Social engineering: the worm disguises the infected emails as system error messages, prompting people to open them. Some of the infected attachments are also packed inside ZIP archives, which users may regard as less dangerous.

(2) Time zones: Unlike most other recent email worm outbreaks, Mydoom was found in the middle of business hours in the USA, and several large corporate networks were infected immediately.

(3) Aggressive collection of email addresses: in addition to sending itself to email addresses found in users' files, the worm also creates new addresses by guessing common user names and prepending them to the domain names of the addresses it found. It can also bypass some of the tricks people use to hide their email addresses from spammers.
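The address-collection behaviour in point (3) is the reason mail administrators saw Mydoom copies arriving for addresses that had never appeared in any file on an infected machine. The following Python model is an added illustration and is not F-Secure's code or code from the worm itself: it harvests addresses from constructed sample files, extracts their domains, and prepends an assumed list of common user names to each domain. The "user at host dot tld" obfuscation it undoes is one assumed example of the anti-spam tricks the text mentions; the page does not say which tricks the worm actually handles. Nothing here sends mail.

```python
import re
from itertools import product

# Constructed sample "user files" standing in for what a worm would find on disk.
SAMPLE_FILES = {
    "addressbook.txt": "alice@example.com\nBob Smith <bob@corp.example>\n",
    "page.html": "Contact: webmaster at example dot org (spam-proofed)",
    "notes.txt": "carol@example.com, dave@corp.example",
}

# Assumed list of "common user names"; the press release does not list the real ones.
COMMON_USERNAMES = ["info", "sales", "support", "admin", "webmaster"]

# Plain addresses as they appear in files.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Assumption: one widespread obfuscation writes "user at host dot tld".
OBFUSCATED_RE = re.compile(
    r"\b([A-Za-z0-9._-]+)\s+at\s+([A-Za-z0-9.-]+(?:\s+dot\s+[A-Za-z0-9-]+)+)\b",
    re.IGNORECASE,
)


def deobfuscate(text):
    """Rewrite 'user at host dot tld' into user@host.tld so the harvester sees it."""
    def fix(match):
        domain = re.sub(r"\s+dot\s+", ".", match.group(2), flags=re.IGNORECASE)
        return f"{match.group(1)}@{domain}"
    return OBFUSCATED_RE.sub(fix, text)


def harvest(files):
    """Collect every address (lower-cased) found in the given file contents."""
    found = set()
    for content in files.values():
        found.update(a.lower() for a in ADDR_RE.findall(deobfuscate(content)))
    return found


def guess(found, usernames=COMMON_USERNAMES):
    """Build new targets by prepending common user names to every harvested domain.

    Returns only addresses that were NOT already harvested, i.e. the ones that
    explain deliveries to mailboxes that never appeared in any file.
    """
    domains = {addr.split("@", 1)[1] for addr in found}
    candidates = {f"{user}@{domain}" for user, domain in product(usernames, domains)}
    return candidates - found


if __name__ == "__main__":
    harvested = harvest(SAMPLE_FILES)
    guessed = guess(harvested)
    print(f"harvested {len(harvested)} addresses from {len(SAMPLE_FILES)} files")
    print(f"guessed {len(guessed)} additional targets across {len({a.split('@')[1] for a in harvested})} domains")
    for addr in sorted(guessed):
        print("  ", addr)
```

Three sample files yield five real addresses across three domains, and the guessing step alone adds fourteen more targets; on a real mailbox with hundreds of correspondents the guessed set dwarfs the harvested one, which is why a worm with no address list of its own still reaches role accounts such as info@ and sales@ at every domain it has seen.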

Although Mydoom (aka Novarg) is now very widespread, it does not pose an immediate threat to infected computers. Mydoom launches a worldwide denial-of-service attack from every infected computer against the website www.sco.com, which belongs to SCO, a well-known Unix vendor. In fact, some have already nicknamed the virus "ScoBig". However, this attack should not affect the rest of the internet.

This attack is programmed to start on Sunday, February 1st, at 16:09:18 UTC. The significance of this exact time is not known. It should also be noted that SCO's web site has suffered several denial-of-service attacks over the last months, but none of them was carried out using viruses. It is also possible that the attack against SCO is just a smokescreen to misdirect attention away from the backdoor component in the virus, which is most likely included to facilitate the sending of spam email messages.

Current estimates show that between 20% and 30% of all email traffic worldwide is currently generated by this worm. F-Secure is urging Internet Service Providers in particular to start dropping infected emails instead of delivering them to end users. F-Secure is releasing information for ISPs on how to reliably detect infected emails in mail queues with minimal processing power. For details, see the virus description. These solutions are available for free and do not require the use of F-Secure's products.

F-Secure first warned about the Mydoom worm on January 26th, at 23:05 UTC, by issuing an F-Secure Radar Level 2 Alert. Three hours later the alert was raised to Radar Level 1, which is the highest level. F-Secure shipped detection of the virus at 23:09 UTC, 1 hour 50 minutes after the first sample of the worm was received.

A detailed technical description, removal instructions and screenshots of the Mydoom worm are available in the F-Secure Virus Description Database at www.f-secure.com/v-descs/novarg.shtml

F-Secure has also released a free tool which can be used to remove Mydoom from infected systems. The tool can be downloaded from:
www.f-secure.com/v-descs/novarg.shtml
