Anti-virus vendor: One in 12 e-mails infected
By Jeordan Legon
CNN Tuesday, January 27, 2004
(CNN) -- A sneaky e-mail worm continued to clog Internet traffic Tuesday, spreading faster than previous Web bugs by appearing as an innocuous error message.
The worm -- dubbed "MyDoom," "Novarg" or "WORM_MIMAIL.R" -- was copying itself at a fierce pace, so fast that some companies were having to shut down their mail servers to stop it.
The bug, which targets computers running Microsoft Windows, launched a Denial of Service Attack on the web site of the Utah-based SCO Group.
Infected messages were intercepted in 142 countries and one in 12 e-mails being protected by Britain-based MessageLabs was carrying the worm, the anti-virus vendor reported. In comparison, the widespread SoBig virus that hit last August -- at its peak -- only attacked 1 out of 17 e-mails handled by the firm. Web-monitoring firm Keynote said MyDoom slowed Internet performance significantly Monday afternoon. And the worm appeared to cause an "uptick in terms of performance" Tuesday morning, said Keynote analyst Roopak Patel.
"We're essentially watching the virus follow the sun as the various time zones come online," MessageLabs Chief Technical Officer Mark Sunner said.
The worm is contained in e-mails with random senders' addresses and subject lines. While the body of the e-mail varies, it usually includes what appears to be an error message, such as: "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."
While many computer users are savvy about not opening executable files or other attachments that may contain viruses, the latest worm masks itself as an innocuous text document or a file that your computer appears unable to read.
"This one is almost begging you to click on the attachment," said Sharon Ruckman, the head of anti-virus firm Symantec's security response team.
When loaded, some versions of the worm launch Notepad and show random characters. At the same time it replicates itself, opens a backdoor that could allow hackers to break in and, in some instances, installs a "keystroke" program that records everything being typed, including passwords and credit card numbers.
The worm also was spreading via popular Internet file sharing networks such as Kazaa, where it appeared with names such as "Winamp5" "ICQ2004-final." Nullsoft's Winamp offers an MP3 music-playing tool and ICQ is a popular Web chat program.
Anti-virus experts said MyDoom, which surfaced Monday afternoon, was on track to hit even more machines than Nimda, a 2001 worm that spread widely with an attachment that read "Readme.exe."
This time, besides the "binary attachment" message, MyDoom comes with all different file extensions including .pif, .zip and .csr. It also uses an attachment icon similar to one used for Windows text messages. All of this, security experts warn, was succeeding in tricking people into thinking the e-mail was legitimate.
The best thing to do to stop the spread of the worm, experts said, was to ignore or delete it. And to update anti-virus software.
WHAT IS A WORM?
A program that makes copies of itself -- for example, from one disk drive to another, or by copying itself using e-mail or another transport mechanism.
WARD OFF WORMS
Aside from installing AND MAINTAINING anti-virus software, use these tips to guard against computer worms:
•Don't open e-mail from an unknown source.
•Only open expected e-mail attachments.
•Don't automatically open e-mail attachments.
•Don't download programs from Web sites, unless you know and trust the source.
•Update your anti-virus software at least every two weeks.
