Mydoom worm spreading rapidly across networks

27 Jan 2004

UPDATE – A new email virus that gives hackers unauthorised access to computers is spreading rapidly and is already beginning to clog corporate networks.

The worm, known either as Mydoom or Novarg, is carried as an email attachment and automatically sends itself to email addresses in address books once it is opened. The attachment has an .exe, .scr, .zip or .pif extension, and the email can have a subject line of “test” or “status”. Users who ignore or delete the email avoid damage. When a user clicks on the attachment, it starts the Notepad application filled with random characters, and the worm starts to spread immediately.

The worm has been tagged as a “triple threat” because of social engineering designed to make unsuspecting users more likely to click on the infected attachment. It uses a text icon or MS-DOS icon to make the file appear safe. It can use .zip as its format, which means it may get past email gateways that typically block only .exe files. The offending email also tries to suggest that it has been reformatted to fit through an email gateway, fooling recipients into thinking that it simply contains part of the message. This latter factor has especially helped contribute to the worm’s spread, said Dermot Williams, managing director of the security software provider Systemhouse Technology.
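The gateway gap described above can be closed by checking every extension the worm uses and by looking inside .zip attachments rather than judging them by the outer name. The following Python sketch is an added example, not part of the original article or any vendor's product; the function names, sample addresses and sample attachments are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the article lists for the worm's attachment (besides .zip itself).
BLOCKED_EXTS = (".exe", ".scr", ".pif")

def _is_blocked(name):
    # Trailing dots/spaces are stripped because Windows ignores them in file names.
    return name.lower().rstrip(". ").endswith(BLOCKED_EXTS)

def blocked_attachments(raw_message):
    """Return (attachment name, reason) pairs a gateway should stop."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if _is_blocked(name):
            findings.append((name, "blocked extension"))
        elif name.lower().endswith(".zip"):
            data = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    inner = [n for n in zf.namelist() if _is_blocked(n)]
            except zipfile.BadZipFile:
                # An archive the gateway cannot inspect is not waved through.
                findings.append((name, "unreadable archive"))
                continue
            findings.extend((name, "archive contains " + n) for n in inner)
    return findings

def zip_bytes(inner_name):
    """Constructed sample: a zip holding one harmless placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"harmless placeholder bytes")
    return buf.getvalue()

def build_sample(filename, payload):
    """Constructed sample message; the subject "test" is one the article mentions."""
    m = EmailMessage()
    m["Subject"] = "test"
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m.set_content("constructed sample body")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A filter that only matched `.exe` on the outer file name would pass the first and second sample messages in the test cases; this check stops both.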

It is understood that the virus may also open up a backdoor for hackers to enter networks. The worm is believed to contain code that tells the Windows operating system on an infected computer to receive instructions from another computer, creating the potential for a denial-of-service (DoS) attack on websites. The worm also contains a programme that can record keystrokes entered on infected machines and gather crucial information such as passwords and user names.

According to security experts Network Associates, the email is spreading rapidly across all geographies and is already beginning to clog up servers.

By John Kennedy