Cal Poly Pomona and San Luis Obispo University Forums  

01-28-04, 10:22 PM   #1
Admin

Mydoom Virus

By Paul Roberts
IDG News Service


E-mail carrying the Mydoom virus now accounts for one in every 12 messages.

A new computer virus that spreads using e-mail messages is breaking records for new infections set by the last major e-mail worm, Sobig.F, according to leading antivirus software companies and e-mail security firms.


Infected e-mail messages carrying the Mydoom virus, also known as "Shimgapi" and "Novarg," have been intercepted from over 142 countries and now account for one in every 12 e-mail messages, according to Mark Sunner, chief technology officer at e-mail security company MessageLabs Ltd.

That surpasses the Sobig.F virus record, which appeared last August and, at its peak, was found in one of every 17 messages intercepted by MessageLabs, he said.

Since first detecting the new virus at 1:00 PM GMT on Monday, MessageLabs intercepted almost 1 million infected e-mail messages carrying the virus, Sunner said.

The virus has "followed the sun," hitting hard in the U.S. and Canada late on Monday, then working its way through Asia and Europe on Tuesday, he said.

F-Secure Corp. of Helsinki estimates that around 100,000 computers have been infected with Mydoom so far, said Mikko Hyppönen, manager of antivirus research at F-Secure.

Antivirus experts expect another large wave of infections in the U.S. and Canada on Tuesday morning, as workers who missed the virus late Monday return to their desks, he said.

The worm arrives as a file attachment in an e-mail with a variety of senders and subjects, such as "Hello," and "test." The message body is often technical sounding, imitating the look and feel of an automatically generated message from an e-mail server, Sunner said.

For example, some e-mail messages tell recipients that "the message contains unicode characters and has been sent as a binary attachment," or "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."

Users who click on the attachment, which uses a variety of file extensions such as ZIP, SCR, EXE and PIF, are infected with the virus.


The technical pitch is a new twist on so-called "social engineering" techniques used by virus writers to trick users into opening malicious file attachments. Mydoom's authors may have been counting on the fact that people trust the authenticity of computer generated messages more than those purporting to come from other humans, Sunner said.

Mimicking the language of a computer-generated administrative message may have also helped Mydoom spread within large corporations, where employees are used to receiving such messages from administrative systems, according to David Perry, public education director at antivirus company Trend Micro Inc.


Trend Micro saw evidence yesterday of infections from 12 of the Fortune 100 companies, he said.

Once inside such companies, Mydoom could use the enormous bandwidth of those corporate networks and huge e-mail address books as a "springboard" to the rest of the Internet, Perry said.

While Mydoom has shattered Sobig.F records, in many ways the two viruses are the same, antivirus experts agreed.


Both viruses scan infected computers for e-mail addresses that are then targeted by infected e-mail. Also, both Sobig.F and Mydoom are small and contain highly efficient SMTP (Simple Mail Transfer Protocol) engines for sending out copies of themselves. The efficiency of their mail engines means that even a small number of infections can generate a massive amount of e-mail traffic, Hyppönen said.

Finally, both Sobig.F and Mydoom contain a Trojan horse program that gives remote attackers full control of the infected system, he said.

In the case of Sobig.F, experts theorized that the virus was being used to assemble "zombie" networks of machines for distributing unsolicited commercial ("spam") e-mail. A similar motive may be behind Mydoom, though the virus writer's intentions are not yet clear, said Perry.

REFERENCES:
New, fast-spreading worm spells 'doom' for many, Jan. 27, 2004
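Added example, not part of the original post or the quoted article: a mail-gateway style check that flags the traits the article describes (server-notice wording in the body, attachments ending in SCR, EXE or PIF, and ZIP archives that contain such files) without relying on an antivirus signature. The function names, addresses and placeholder attachment bytes are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Executable extensions named in the article; ZIP files are opened and inspected.
RISKY_EXT = (".scr", ".exe", ".pif")
# Wording shared by both server-notice lures quoted in the article.
LURE_PHRASE = "has been sent as a binary attachment"

def risky_name(name):
    # Judge by the final extension so "message.txt.scr" or "a.exe. " is caught.
    return name.lower().rstrip(". ").endswith(RISKY_EXT)

def quarantine_reasons(raw):
    """Return the reasons to hold a raw message (bytes); empty list means pass."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    body = msg.get_body(preferencelist=("plain",))
    text = " ".join(body.get_content().lower().split()) if body else ""
    if LURE_PHRASE in text:
        reasons.append("body imitates a mail-server notice")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if risky_name(name):
            reasons.append(f"executable attachment: {name}")
        elif name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    inner = [n for n in zf.namelist() if risky_name(n)]
            except zipfile.BadZipFile:
                inner = []
                reasons.append(f"unreadable zip: {name}")
            reasons += [f"executable inside {name}: {n}" for n in inner]
    return reasons

def build_sample(filename, payload, body):
    # Constructed test message; the attachment bytes are harmless placeholder data.
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "test"
    m.set_content(body)
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()

def zip_with(member):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder")
    return buf.getvalue()
```
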
01-28-04, 10:31 PM   #2
Keng
Hehe, I am getting it on my Pomona email, but it doesn't matter. I haven't gotten a destructive virus for a long time.

01-28-04, 10:37 PM   #3
Admin
Just beware of e-mails that contain attachments and you'll be fine. And don't click on links from strange e-mails. Delete all unknown emails, even from sender "Uncle Bob."

Create a new 'spam' email account and use that for general purposes. Provide your main e-mail address to people you associate with often (personal).

And make backups of your hard drive, like once a month or on a weekly basis, if you have important files and documents. Once it's gone, it's gone.

01-29-04, 12:01 PM   #4
Trader
No wonder. There were some sites I tried visiting and they were down.
Those sites could've been affected by the virus.
And wouldn't the anti-virus program delete virus-contained emails before the user opens them?

01-29-04, 01:17 PM   #5
Admin
Quote:
Originally Posted by Trader
No wonder. There were some sites I tried visiting and they were down.
Those sites could've been affected by the virus.
And wouldn't the anti-virus program delete virus-contained emails before the user opens them?

Not necessarily. An antivirus program cannot guard users from "new" viruses because the virus is very new and the antivirus company has not yet discovered the virus to bring out a new patch for its software.
When the new virus affects the user, the antivirus company then discovers the new virus and comes out with the new patch (upgrade) for all the consumers.