Fresh Worms Attack E-Mail, Internet Explorer, User Data

By Larry Seltzer  |  Posted 2004-02-25

Updated: The NetSky.C (a.k.a. Moodown.C) and MyDoom.F worms hit Net users hard on Wednesday, bringing the potential for data loss to end users' systems.

A series of new worms spread across the Internet on Wednesday through conventional e-mail methods. The new versions have escalated their attacks and destructiveness. On the prowl is the MyDoom.F worm, which began action on Monday. It is the latest version of one of the most successful worms on record; earlier MyDoom variants in January launched a series of distributed denial of service (DDoS) attacks against Microsoft Corp. and The SCO Group. The new version retains its predecessors' capability to perform a DDoS attack.
"What is interesting about these latest worm trends is that they are very politically motivated. More than your curious teenage hacker at work; these attacks are stemming from groups seeking to make a statement on some of today's most controversial technology issues," said Scott Chasin, chief technology officer of MX Logic Inc., in a statement.
Beyond its DDoS target, MyDoom.F is also more destructive. A PC Magazine analysis of MyDoom.F said the worm attempts to delete files on the system based on a probabilistic formula, adding an element of destructiveness rarely seen in such worms. The worm also attempts to spread to file sharing users. For all these reasons, antivirus vendors are giving it a higher threat ranking than usual.

Another worm arrived on the scene this week, attacking the ICQ instant message service.

The latest threat is NetSky.C, which arrived on Wednesday. The worm is a variant of NetSky.B, which spread rapidly earlier this month, according to security vendors. It is also called Moodown.C. According to F-Secure Corp.'s analysis of the worm, the new version is compressed with a different program. It also behaves differently from its predecessor in several ways, such as searching far more files for e-mail addresses that it can use to spread itself.

The worm arrives in a ZIP file attachment to an e-mail message. The file inside the ZIP will have two file extensions, the first for an innocuous file type such as .RTF and the second for an executable file type, such as .SCR.
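A mail-gateway style check for the attachment pattern described above, as an added example that is not part of the original article. The extension lists and sample file names are assumptions constructed for illustration; the article names only .RTF and .SCR.

```python
import io
import zipfile

# Assumed lists for illustration; the article names only .RTF and .SCR.
DECOY_EXTS = {"rtf", "doc", "txt", "htm", "jpg"}
EXEC_EXTS = {"scr", "exe", "pif", "com", "bat", "cmd"}


def suspicious_entries(zip_bytes):
    """Return names of ZIP members whose final extension is executable
    and whose preceding extension is an innocuous-looking decoy."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits  # not a readable ZIP; leave it to other checks
    with archive:
        for info in archive.infolist():
            # Only the base name matters; strip any directory part.
            base = info.filename.replace("\\", "/").rsplit("/", 1)[-1]
            # Normalise case and stray whitespace before comparing.
            parts = [p.strip().lower() for p in base.rstrip(". ").split(".")]
            if len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DECOY_EXTS:
                hits.append(info.filename)
    return hits


def make_zip(names):
    """Build an in-memory ZIP with harmless placeholder content (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


# Constructed samples, not real attachment names from the worm.
SAMPLE_BAD = make_zip(["document.rtf.scr", "docs/LETTER.RTF.SCR", "notes.txt"])
SAMPLE_OK = make_zip(["report.v2.doc", "setup.exe"])

if __name__ == "__main__":
    for label, data in [("bad", SAMPLE_BAD), ("ok", SAMPLE_OK)]:
        print(label, suspicious_entries(data))
```

A plain `setup.exe` is deliberately not flagged here: the check targets only the disguise of an executable behind a document-style extension, and a gateway would normally pair it with a separate policy on executables inside archives.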

Once run, the worm stores a copy of itself in the Windows folder, sets a registry key to load itself at startup, and searches the user's files for e-mail addresses, although it does not send itself to addresses with certain strings in them, such as "FBI". It also deletes a number of other registry keys and attempts to copy itself to folders with the string "SHAR" in their names.

Editor's Note: This story was updated to clarify the status of MyDoom.F's DDoS target. MX Logic officials said the company was not targeted by the worm.

Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
