MyDoom E-Mail Worm Spreading Quickly

A fast-moving Windows worm known as MyDoom on Monday began spreading at a furious rate on the Internet.

MyDoom arrives via e-mail and has a randomized senders address and subject line. The body of the message varies, but purports to be an error message, such as: “The message cannot be represented in 7-bit ASCII and has been sent as a binary attachment.”

/zimages/1/28571.gifFor tips from PC Magazine on blocking and removing MyDoom,click here.

The file attachment is often in a ZIP archive format and can have any one of a number of file extensions, including .exe, .pif and .scr. The icon for the attachment looks like the one used for text messages in Windows.

Once the user runs the attached file, the worm copies itself to the machine in the following manner:

• c:Program FilesKaZaAMy Shared Folderactivation_crack.scr
• c:WINDOWSDesktopDocument.scr
• c:WINDOWSSYSTEMtaskmon.exe

One IT manager said he was now blocking all ZIP attachements to limit the spread of MyDoom.

MyDoom also copies itself to the registry in Windows so that it executes at startup, according to a preliminary analysis by Network Associates Inc.s McAfee Security unit. The worm also opens Port 3127 and begins listening for instructions from a remote host.

Much of the data in the worms code is encrypted, anti-virus experts said, making analysis of the worm much more difficult. Some users reported receiving as many as 100 copies of the worm in a 30-minute span on Monday afternoon.

Next page: MyDoom infecting one of 12 e-mails.

Page Two

As IT departments continue to battle the MyDoom worm, it likely will come as little comfort that anti-virus companies are nearly unanimous in their opinion that the worm is the fastest-moving virus theyve ever seen.

MyDoom is now infecting one in every 12 e-mail messages, worse even than the 1:17 ratio achieved last year by SoBig, according to MessageLabs Inc., a New York-based e-mail security company. The company said Tuesday morning that it has stopped more than 1.2 million copies of MyDoom from nearly 170 countries. Late Monday afternoon, officials at Network Associates said that one of the companys customers was blocking 5,000 copies of the worm every minute.

These numbers are only going to get worse in the next few hours, experts say, as users in the western part of the United States come online and begin opening their e-mails.

In addition to its ability to cripple corporate networks, MyDoom also has the ability to launch a denial-of-service attack and its intended target is The SCO Groups Web site. It seems to be doing that job as well, as the much-maligned companys site was unreachable Tuesday morning.

/zimages/1/28571.gifRead“MyDoom More Bad News for SCO.”

At the same time, MyDoom was hardly the only thing attracting security experts attention Monday. Two other viruses, dubbed Mimail.Q and Dumaru.Y also hit the Web in the last couple of days.

Mimail.Q, which debuted Monday, is a polymorphic virus, meaning it changes its characteristics over time. It is a mass-mailer and contains the subject line: “Hi my sweet Nancy.”

The Mimail.Q message body changes, as does the name of the attachment containing the virus, according to MessageLabs Inc., an e-mail security company based in New York.

/zimages/1/28571.gif