'MyDoom' virus infects e-mail

Big headache: That's one assessment of the fast-moving infection.

January 28, 2004 | By Dan Thanh Dang, Sun Staff

K.C. Hopson knew there was trouble when a customer called his Ellicott City company, EventRebels.com, with problems registering for a conference on his Web site. The second clue that something was terribly awry surfaced when Hopson's employees began receiving more than 40 e-mail messages addressed to people who don't work for the online registration company.

"We deleted all of the e-mails, immediately," Hopson said yesterday after his business was one of thousands across the country struck by an e-mail virus named "MyDoom" or "Novarg.A." Analysts who track Internet traffic said it was one of the fastest moving cyber-infections they have seen. By some estimates, it affected one of every nine e-mail messages yesterday.

Security experts said early indications suggested that MyDoom was targeted at a Utah corporate software company.

The virus shut down e-mail systems at large corporations and bogged down Internet traffic. It also reportedly shut down Internet gateways for several major telecommunications and financial institutions, said Network Associates of Santa Clara, Calif., maker of the McAfee Antivirus software.

Security experts said the MyDoom virus was first detected late Monday. While it initially seemed benign, the virus created a mass-mailing of itself to any e-mail address it could find or generate. The worm also enabled hackers to gain remote access to a network.

MessageLabs, a leading provider of e-mail security services, intercepted more than 1.2 million copies of MyDoom. Copies of it were detected in 168 countries.

"This is probably the most widespread virus so far this year," said Johannes Ullrich, chief technology officer at the Internet Storm Center at the SANS Institute in Bethesda. "It uses fake e-mail addresses, tricks file sharers into downloading it ... and tries to send e-mail out as fast as it can.

"At this point, it's a big headache, but it could get worse."

A computer virus is a program or a piece of code designed to spread itself to multiple files and applications on a single computer. Viruses are usually spread by users sending e-mail attachments, trading programs on CDs or diskettes or copying files to file servers.

A worm - similar to a virus - also replicates itself over a computer network and usually performs malicious actions, such as using up the computer's resources and possibly shutting down a system.

According to security experts, MyDoom is expected on Feb. 1 to launch a denial of service attack on a Web site for the SCO Group Inc., a Lindon, Utah, company that claims it owns a part of the code powering the popular Linux open-source operating system.

It also has a trigger date to stop the virus from spreading on Feb. 12.

SCO Group yesterday offered a $250,000 reward for information leading to the arrest and conviction of the individual or individuals responsible for creating the virus.

Anti-virus firms compared MyDoom to recent worms such as SoBig, an e-mail worm that managed to infect more than 100,000 machines before it was contained last fall, and Bugbear, a mass-mailing worm that attacked financial institutions last summer by sending sensitive data to public Internet e-mail addresses.

In this recent attack, experts said MyDoom also targets Microsoft Corp.'s Windows operating system. Computer users coming across the virus will likely see an e-mail message with a subject line containing words such as: test, hi, hello, server report, mail transaction failed or error.

Preying on computer users' concerns about system failures, experts said, the virus tricks people into opening an attachment with short messages that say, "Mail transaction failed. Partial message is available," or "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."

If the virus program is executed, computer users will most likely see a Notepad session pop open with garbled text, experts said.
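The lure traits the article describes (a short generic subject line such as "test", "hi" or "mail transaction failed", a body claiming a delivery failure or a "binary attachment", and an executable attachment) are the kind of thing a mail gateway can score before a user ever sees the message. The following is an added example, not code from the article or from any vendor named in it: a small Python filter that parses a message, checks it against those traits and returns pass/flag/quarantine. The subject words and body phrases come from the article; the attachment extensions, the scoring thresholds and the sample messages are assumptions constructed for this example.

```python
"""Score inbound e-mail against the MyDoom lure traits described in the article."""
from email import message_from_string

# Subject lines the article lists for the MyDoom lure (matched case-insensitively).
LURE_SUBJECTS = {"test", "hi", "hello", "server report", "mail transaction failed", "error"}

# Body phrases quoted in the article, lower-cased and whitespace-normalised.
LURE_PHRASES = (
    "mail transaction failed. partial message is available",
    "the message cannot be represented in 7-bit ascii encoding "
    "and has been sent as a binary attachment",
)

# Assumption: extensions a gateway would treat as executable or as a container for one.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".cmd", ".bat", ".zip")


def lure_indicators(raw: str) -> dict:
    """Return which of the three lure traits a raw RFC 822 message exhibits."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    body_text = ""
    attachments = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container node; its children are visited by walk()
        filename = part.get_filename()
        if filename:
            attachments.append(filename.lower())
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body_text += payload.decode("utf-8", "replace").lower()
    normalised_body = " ".join(body_text.split())
    return {
        "subject_match": subject in LURE_SUBJECTS,
        "body_match": any(p in normalised_body for p in LURE_PHRASES),
        "exec_attachment": any(a.endswith(EXEC_EXTENSIONS) for a in attachments),
    }


def classify(raw: str) -> str:
    """Assumed policy: executable attachment plus any other trait -> quarantine;
    a single trait -> flag for review; nothing -> pass."""
    ind = lure_indicators(raw)
    hits = sum(ind.values())
    if ind["exec_attachment"] and hits >= 2:
        return "quarantine"
    if hits >= 1:
        return "flag"
    return "pass"


# Constructed sample messages (not real captures); the attachment body is a
# placeholder, not malware.
SUSPECT_MAIL = """\
From: alice@example.test
To: bob@example.test
Subject: Mail Transaction Failed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Mail transaction failed. Partial message is available.

--b1
Content-Type: application/octet-stream; name="message.scr"
Content-Disposition: attachment; filename="message.scr"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

BENIGN_MAIL = """\
From: carol@example.test
To: bob@example.test
Subject: Lunch on Thursday?
Content-Type: text/plain

Are you free Thursday at noon?
"""

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT_MAIL), ("benign", BENIGN_MAIL)):
        print(name, classify(raw), lure_indicators(raw))
```

The point of scoring three independent traits rather than matching a single string is that the subject words alone ("hi", "test") are common in legitimate mail; on their own they only earn a review flag, while the combination the article describes, a delivery-failure story carried alongside an executable attachment, is what justifies quarantine.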

"We've actually upgraded the worm from a level 3 to level 4 threat on a scale of 1 to 5," said Oliver Friedrichs, senior manager with Symantec Security Response in Cupertino, Calif. "Once it gets into a system directory, it adds a registry key, survives a re-boot, installs a back door that allows individuals to connect and send files to the infected system.

"What someone could do is install software like key loggers to monitor keystrokes on a computer," or capture credit card information or other financial and personal information, Friedrichs said.

Although the attack's origin is unclear, MessageLabs said it identified an e-mail message containing the first copy of the MyDoom virus that was sent from Russia.

Yesterday, computer specialists were inundated with calls from computer users.

"We've got our tech guys running around everywhere," said Laura McInerney, owner of a Geeks on Call franchise in Columbia. "But the weather is really slowing us down."

At EventRebels.com, Hopson said his company is very aware of computer security, but couldn't avoid the clutches of MyDoom.

"We have anti-attachment policies. We have spam filters. We download anti-virus patches all the time," Hopson said. "We don't open anything from anyone you don't know. We know better."
