[sbinews] Important! Virus warning - MyDoom/Novarg (CNN)

  • From: "Rajendra S. Pai" <rajendra.pai@xxxxxxxxx>
  • To: <sbinews@xxxxxxxxxxxxx>
  • Date: Wed, 28 Jan 2004 14:07:14 +0530

MyDoom virus fastest yet
Wednesday, January 28, 2004 Posted: 0651 GMT
(CNN) -- The so-called "MyDoom" virus has become the fastest-spreading virus
yet seen, hitting hardest in the U.S. and Australia, according to figures
from security expert MessageLabs.

The company, a provider of managed e-mail security services, claimed
Wednesday it has intercepted more than 1.8 million copies of the new
mass-mailer worm, known as W32/Mydoom.A-mm.

More than 100,000 copies are being intercepted every hour, a spokesman said.

It is feared the virus could affect one in 12 e-mails.

Sobig.F, which struck last August and has been regarded as the most
devastating virus, had a peak infection ratio of 1 in 17 e-mails.

"MyDoom has surpassed Sobig.F as the fastest spreading mass-mailer ever,"
claimed David Banes, MessageLabs' Asia Pacific technical director.

The message in MyDoom is sent as a binary attachment. It often arrives in a
zip archive of 22,528 bytes and is represented by a text icon even though it
is an executable file, a file type renowned for carrying viruses.

While the body of the e-mail varies, it usually includes what appears to be
an error message, such as: "The message cannot be represented in 7-bit ASCII
encoding and has been sent as a binary attachment."

MessageLabs' Mr Banes said: "A text file icon leads people to believe it is

Sharon Ruckman, the head of anti-virus firm Symantec's security response
team, agreed. "This one is almost begging you to click on the attachment,"
she said.

Mr Banes continued: "This virus appears to have hit a sweet spot in
execution and propagation. Its success and back-door Trojan component could
further increase the prevalence of open proxies for nefarious purposes".

Mr Banes cautioned e-mail users not to open suspicious attachments in
unexpected e-mails as the worm takes over their computer, allowing hackers
to use their machine to send out spam.

The virus is most active in the United States, Australia, Canada and Britain
and has been seen in 168 countries.

MyDoom is a mass-mailing worm that attempts to spread via e-mail and by
copying itself to any available shared directories used by web site such as

The worm harvests addresses from infected machines and targets files with
the following extensions: .wab, .adb, .tbb, .dbx, .asp, .php, .sht, .htm and

It also tries to randomly generate or guess likely e-mail addresses to which
to send itself.

Initial analysis by MessageLabs technicians suggests Mydoom opens a
connection on TCP port 3127, an indication of a remote access component.

The worm is also known as "Novarg" or "WORM_MIMAIL.R".

Virus experts suggest its author is a fan of the Linux open source community
because the bug, which targets computers running Microsoft Windows, launched
a Denial of Service Attack on SCO's site.

Utah-based SCO Group, owner of the UNIX operating system, claims some
versions of the Linux operating system use its proprietary code.

"The MyDoom worm takes the Linux Wars to a new intensity," said Chris
Belthoff, an analyst for anti-virus firm Sophos.

"It appears the author of MyDoom may have taken the war of words from the
courtrooms and Internet message boards to a new level by unleashing this
worm which attacks SCO's Web site."

Web-monitoring firm Keynote said MyDoom has slowed Internet performance

"We're essentially watching the virus follow the sun as the various time
zones come online," MessageLabs Chief Technical Officer Mark Sunner said.

The worm is contained in e-mails with random senders' addresses and subject

When loaded, some versions of the worm launch Notepad and show random
characters. At the same time it replicates itself, opens a backdoor that
could allow hackers to break in and, in some instances, installs a
"keystroke" program that records everything being typed, including passwords
and credit card numbers.

The worm is also spreading via popular Internet file sharing networks such
as Kazaa, where it appeared with names such as "Winamp5" and "ICQ2004-final."

Nullsoft's Winamp offers an MP3 music-playing tool and ICQ is a popular Web
chat program.

The best thing to do to stop the spread of the worm, experts said, was to
ignore or delete it, and to update anti-virus software.

After a relative lull in the number of viruses distributed during the
holidays, anti-virus experts said last week's "Bagle" worm and now "MyDoom"
were keeping Internet security gurus on their toes.

"The virus writers [are] ... back from vacation and they've started pushing
out their creations," said Vincent Gullotto, who runs Network Associates'
McAfee Anti-Virus Emergency Response Team.


A program that makes copies of itself -- for example, from one disk drive to
another, or by copying itself using e-mail or another transport mechanism.

Aside from installing anti-virus software, Symantec suggests these tips to
guard against computer worms:

  • Don't open e-mail from an unknown source.

  • Only open expected e-mail attachments.

  • Don't automatically open e-mail attachments.

  • Don't download programs from Web sites, unless you know and trust the

  • Update your anti-virus software at least every two weeks.

Source: Symantec
