home users most at risk as New Internet Virus Spreading Fast

red_len

New Internet Virus Spreading Fast


NEW YORK -- A new Internet virus was spreading fast
throughout Asia, Australia and Europe but computer
security experts were divided on the seriousness of the
threat from the "Bagle" worm, and reckoned home users
were most at risk.

Experts expected some impact in the United States when
people returned to work Tuesday after a holiday
weekend.

The "Bagle" or "Beagle" worm arrives in an e-mail with
the subject "hi" and the word "test" in the message
body. If the accompanying attachment is executed, the
worm is unleashed and tries to send itself to all
e-mails listed in the user's address book.
Sometimes the attachment is designed to look like a
Microsoft calculator, said David Perry, spokesman for
antivirus software firm Trend Micro Inc.

The virus only affects machines running Microsoft
Windows operating systems.

"It's clumsy," Perry said from Lake Forest, Calif.,
adding that most people knew better than to click on an
attached calculator: "I don't get e-mails with
calculators in it, do you?"

The worm started spreading on Monday and most
corporations have already protected themselves against
it, Perry said.

Carey Nachenberg, chief architect of Symantec Research
Labs in Cupertino, Calif., said home users, not
corporations, were most at risk because companies had
protected themselves quickly.

"We could see this fizzle out in several days,"
Nachenberg said. "Or we could also see a lot of people
infected" if they don't update their antivirus software
--

As Orwell pointed out long ago, pacifism in the face of
armed evil is equivalent to a blind worship of force.
It would be disastrous to entrust our children's fate
to the hands of these sad and complicitous pacifists.
 
Maxx Pollare

The voice of "" drifted in on the cyber-winds,
from the sea of virtual chaos...
New Internet Virus Spreading Fast
<snip>


And since it stops propagating on January 28th, there are no doubt
more destructive variants waiting in the wings.
 
Daniel J. Stern

The virus only affects machines running Microsoft
Windows operating systems.

Translation: the virus only affects people too stupid to think for
themselves.
 
David Casey

Translation: the virus only affects people too stupid to think for
themselves.

I didn't see anything about AOL in there.

Dave
--
You can talk about us, but you can't talk without us!
US Army Signal Corps!!

http://www.geocities.com/davidcasey98
Added Patriot live fire pics from June 2002,
Bosque fire pics from June 2003, CQB training
pics from October 2003, FTX pics from October 2000,
NBC training pics from September 2000, and
Dining Out pics from October 2000!
 
Le Mod Pol

First reported here 1.20.04

New, fast-spreading worm spells 'doom' for many

By Joris Evers
IDG News Service, 01/27/04

A new e-mail worm is spreading rapidly on the Internet,
clogging e-mail servers and staging an attack on the
Web site of Unix vendor The SCO Group, anti-virus
software vendors said.

The worm surfaced Monday and has been given several
names by anti-virus software vendors, including Mydoom,
Novarg and Mimail.R. Experts don't all agree on the
worm's payload, but they do agree that it is spreading
faster than Sobig-F, the worm that topped the charts
for the most widespread e-mail worm last year.

"It has been moving very quickly for the past three
hours and has been generating a hell of a lot of
e-mail," Vincent Gullotto, vice president of the
Anti-Virus Emergency Response Team at Network
Associates, said Monday afternoon. Some businesses have
shut down their e-mail gateways to block the worm, he
said.

This worm has taken off like a rocket, with well over
20,000 interceptions within just two hours of it being
discovered, Ken Dunham, director of malicious code at
Internet security company iDefense, said in a statement
via e-mail.

Massive spreading of the worm slowed down performance
of the top 40 U.S. business Web sites Monday afternoon,
according to Keynote Systems, a San Mateo, Calif., Web
performance monitoring firm. The average time for a
site to load exceeded four seconds, while they normally
load in two to three seconds, Keynote said in a
statement.

The worm arrives as an e-mail with an attachment that
can have various names and extensions, including .exe,
.scr, .zip or .pif. The e-mail can have a variety of
subject lines and body texts, but in many cases it will
appear to be an error report stating that the message
body can't be displayed and has instead been attached
in a file, experts said.

The sender's address can be spoofed, meaning that the
message could appear to be from a colleague, friend or
the e-mail system administrator.

"This is something you might see from a mail system, so
you click on the attachment," said Sharon Ruckman,
senior director for Symantec Security Response. Only
users of computers running Microsoft's Windows are at
risk, according to Symantec.

Both Network Associates and Symantec agree that when
the attached file is executed, the worm scans the
system for e-mail addresses and starts forwarding
itself to those addresses. If the victim has a copy of
the Kazaa file-sharing application installed, it will
also drop several files in the shared files folder in
an attempt to spread that way.

Symantec also identified more malicious acts. The worm
will install a "key logger" that can capture anything
that is entered, including passwords and credit card
numbers, Ruckman said. Furthermore, the worm will start
sending requests for data to www.sco.com, the Web site
of The SCO Group, which could result in the Web site
going down if enough requests are sent, she said.

The denial-of-service attack on the SCO Web site is
programmed to occur between Feb. 1 and Feb. 12,
according to a Symantec statement on its Web site late
Monday evening.

Anti-virus vendors Trend Micro and F-Secure report that
the worm installs a "backdoor," potentially allowing an
attacker access to the infected system.

SCO has noticed that its Web site performance has
intermittently slowed, but it is too early to say if
there is an attack on the site, said SCO spokesman
Blake Stowell. "It may be showing the early stages of
a denial-of-service attack," he said. SCO has enraged
the open source community by claiming that the Linux
operating system contains software that violates SCO's
intellectual property, and has been the subject of
various attacks on its Web site.

The Mydoom worm so far has spread mostly in the U.S.,
after it was first detected in Russia, e-mail filtering
company MessageLabs reported on its Web site late
Monday night. Information from Trend Micro at the same
time showed the worm is also spreading in Australia,
New Zealand and Japan.

Anti-virus software vendors urge users to update their
anti-virus software and be careful when opening e-mail
attachments. "If you're not expecting an e-mail, don't
open it," Symantec's Ruckman said.

Network Associates' Gullotto expects the worm to keep
causing headaches for a while. "It will be a couple of
days before we're going to get to the point that it
won't have any impact. It has a full head of steam,
there are hundreds of thousands of e-mails and we may
see well into the millions (of e-mails), and possibly
hundreds of thousands of machines infected," he said.

The IDG News Service is a Network World affiliate.
 
Le Mod Pol

Le said:
First reported here 1.20.04


Variant of MyDoom spotted

Anti-virus vendors spot new variant of MyDoom/Novarg

By Ellen Messmer
Network World, 01/28/04

Anti-virus vendors in Romania, Russia and the U.S.
warned Wednesday that they have identified a new
variant of the mass-mailer worm known as MyDoom or
Novarg, a variant that is more dangerous than the
original worm that appeared Monday.

According to Russia-based Kaspersky Labs and
Romania-based BitDefender, the Novarg.B variant that
has just been identified spreads via e-mail and
attachments like its predecessor, in addition to
traveling via the Kazaa file-sharing network.

According to Kaspersky Labs, the worm is about 28K
bytes in size and contains the following text:
“sync-1.01: andy: I’m just doing my job, nothing
personal, sorry.”

Both BitDefender and Kaspersky say the Novarg.B variant
is programmed to attack the Microsoft Web site at
www.microsoft.com in addition to the SCO Web site at
www.sco.com that the original MyDoom/Novarg targets.

Network Associates and Symantec say they also are
examining the code of the new variant. According to
Jimmy Kuo, research fellow at Network Associates AVERT
Labs, the second variant of MyDoom/Novarg is different
in that it injects itself into the Microsoft Windows
operating system directly.

“Removing it by hand is practically impossible,” he
said, noting that any infection caused by the B variant
will require cleanup tools. Some anti-virus vendors,
including the Network Associates McAfee division and
Symantec, have made free cleanup tools available for
the original MyDoom/Novarg worm. They also have
supplied commercial paid-for tools to their anti-virus
software subscribers.

The new variant has a slightly different back door,
sending out messages.

Analysis of the worm code is still ongoing at most
anti-virus firms.

The new variant may be making use of infected desktops
to spread. Mihai Neagu, virus researcher at
BitDefender, predicted a new wave of infections of this
mass mailer. It appears to be far more dangerous than
the original variant. According to Kaspersky Labs, the
worm appears to modify the standard “hosts” file in the
Windows folder of the victim’s desktop so that the user
cannot access some sites, including security-related
Web sites. These appear to include sites
www.f-secure.com, www.sophos.com, www.symantec.com, the
www.nai.com site from Network Associates, the Kaspersky
Web site at www.viruslist.ru, www.trendmicro.com,
www.ca.com of Computer Associates, and several related
FTP sites for security protections.

In addition, sites for DoubleClick, FastClick and
others are also blocked.

Anti-virus vendors Kaspersky and Network Associates say
they believe a new signature update is required to
block the virus. Network managers should caution
employees against opening file attachments known to
carry the MyDoom and Novarg at least until new
anti-virus software updates are on desktops and
gateways to protect against MyDoom/Novarg version B.
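The hosts-file change described above (pinning antivirus vendor sites so updates fail) is something a defender can check for directly. The following is an added example, not code from the article or from any vendor named in it: it parses a Windows-style hosts file and reports any static mapping of the security sites the article lists. The domain list comes from the text; the sample hosts file is constructed for the example.

```python
"""Added example (not from the article): scan a Windows-style hosts file for
entries that pin the security-vendor sites the article lists, the technique
Kaspersky describes for the Novarg.B variant. Domains are taken from the
text; the sample hosts file below is constructed."""
import ipaddress

# Sites the article names as blocked by the variant's hosts-file change.
SECURITY_SITES = {
    "www.f-secure.com", "www.sophos.com", "www.symantec.com", "www.nai.com",
    "www.viruslist.ru", "www.trendmicro.com", "www.ca.com",
}


def parse_hosts(text):
    """Return (address, hostname) pairs from hosts-file text, skipping comments,
    blank lines and lines whose first field is not a valid IP address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing / full-line comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue   # not a hosts entry at all
        for host in fields[1:]:
            entries.append((fields[0], host.lower()))
    return entries


def find_pinned_security_sites(text, watchlist=SECURITY_SITES):
    """Return {hostname: address} for every watchlist name the hosts file
    statically maps. Any such mapping is suspicious: these names are normally
    resolved through DNS, and pinning them to loopback or 0.0.0.0 silently
    breaks antivirus updates, which is the effect the article describes."""
    return {host: addr for addr, host in parse_hosts(text) if host in watchlist}


def is_sinkhole(addr):
    """True for loopback or unspecified addresses, the usual 'block' targets."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


# Constructed sample: a default-looking hosts file plus injected entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         www.symantec.com
0.0.0.0         www.sophos.com
127.0.0.1       www.trendmicro.com   # injected
192.168.1.10    fileserver.local
not-an-address  www.nai.com
"""

if __name__ == "__main__":
    hits = find_pinned_security_sites(SAMPLE_HOSTS)
    for host, addr in sorted(hits.items()):
        tag = "sinkholed" if is_sinkhole(addr) else "redirected"
        print(f"{host} -> {addr} ({tag})")
```

On a real machine, read `%SystemRoot%\System32\drivers\etc\hosts` into `text` instead of `SAMPLE_HOSTS`. The check flags any static mapping of a watched name, not only loopback ones, because a redirect to an attacker-chosen address would be at least as bad as a block.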
 
Le Mod Pol

First reported here 1.20.04

The Mydoom virus has been around for only a few days,
and already it is perhaps the most insidious on record.
Not only has it spread extremely quickly, but it has
opened up ports on hundreds of thousands of systems - a
fact that has not gone unnoticed among malicious
hackers who might want to take control of those
systems. Security companies are warning that they see
thousands of scans for infected machines and are
implying that many of those scans are hackers.
Meanwhile, a new variant of Mydoom is starting to make
the rounds, a variant that is more difficult to remove
from a system.


<http://www.nwfusion.com/news/2004/0128hackers.html?net>

Hackers Capitalizing on Mydoom's Success

By Paul Roberts
IDG News Service, 01/28/04

A back door to computer systems opened by the Mydoom
e-mail worm is turning into a bonanza for thousands of
hackers, who are scanning the Internet furiously for
systems infected by Mydoom, anti-virus experts said
Wednesday.

The opening in the defenses of infected computers could
allow malicious hackers to secretly install a Trojan
horse program, keylogging software or simply peruse
files on infected systems, and may make cleanup after
Mydoom difficult, according to interviews with the
experts.

Mydoom, which first appeared on Monday, is still
spreading on the Internet and is believed to have
infected between 100,000 and 300,000 systems worldwide,
according to Craig Schmugar, virus research manager at
the McAfee anti-virus division of Network Associates,
Inc. (NAI).

"Mydoom is still going strong, we're not seeing any
signs of it slowing down," he said Wednesday.

One large corporate customer reported receiving 160,000
Mydoom-infected e-mails an hour Wednesday, he said.

McAfee researchers and those at other anti-virus
companies have also spotted another Mydoom trend:
thousands of computers scanning for a range of
TCP ports opened by the worm.

Those open ports, which range between number 3127 and
3198, are open doors for malicious hackers, said Oliver
Friedrichs, senior manager of Symantec Security
Response at Symantec.

Attackers just have to connect to the open port and
upload spyware or other malicious programs, he said.

"This could mean there are a bunch of attackers out
there looking for machines to compromise," NAI's
Schmugar said.

Symantec counted 2,100 unique systems scanning for the
Mydoom back door Wednesday, Friedrichs said.

NAI puts the number at 2,500 systems and says that as
many as 7,500 infected systems may have been targeted
since late Tuesday, when researchers first noticed the
behavior, Schmugar said.

Removing Mydoom will close the backdoor, removing the
threat, Friedrichs said.

However, if a malicious hacker gets to an infected
system first, cleanup is more complicated, according to experts.

Many anti-virus programs can spot common Trojan horse
and keylogging software, but might not detect every
program, Friedrichs said.

Owners of infected systems would need specialized
software that just looks for such programs, he said.

"This could turn into a big mess," he said.

While that is possible, most Internet users will be
well served with an up-to-date anti-virus package and
an Internet firewall, which can spot Trojan activity on
an infected system, said Richard Smith, an independent
computer security consultant in Boston.

Also, some of the scanning may come from system
administrators who are trying to spot infected machines
so they can disinfect them, Schmugar said.

The Internet community should be more worried about the
hundreds of thousands of Mydoom-infected computers that
are now at the beck and call of the Mydoom author,
Smith said.

"Anything more than 50,000 systems is scary," he said.
"The author knows where the systems are and he can
easily upload software to them."

The Mydoom-B variant that appeared Wednesday included
features for cutting off access to anti-virus Web sites
and may be an effort to further groom the population of
infected machines, he said.

A zombie network that large could be used to distribute
spam, viruses or Internet scams, he said.

"Whoever is behind (Mydoom) could cause a lot of
mischief," he said.

The IDG News Service is a Network World affiliate.
 


Variant of Mydoom spotted
<http://www.nwfusion.com/news/2004/0128variantb.html?net>
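The article above says that defenders saw two things: thousands of hosts sweeping the TCP 3127-3198 back-door range, and infected machines answering on those ports. The following is an added example, not code from the article or from any vendor it quotes, showing how both can be pulled out of firewall logs. The port range is the one the article gives; the log format and the sample lines are constructed for this example and do not correspond to any particular product.

```python
"""Added example (not from the article): pick out, from firewall logs, external
hosts sweeping the TCP 3127-3198 back-door range across many internal
addresses, and internal hosts that actually accepted a connection on one of
those ports. The port range is quoted from the article; the log format and
the sample lines are constructed for this example."""
import re
from collections import defaultdict

# Back-door listener range reported for Mydoom (3127..3198 inclusive).
BACKDOOR_PORTS = range(3127, 3199)

# Constructed log format: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto> <action>"
LINE_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (TCP|UDP) (\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, proto, action = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "proto": proto, "action": action.upper()}


def backdoor_events(lines):
    """Yield parsed TCP events whose destination port is in the back-door range."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["port"] in BACKDOOR_PORTS:
            yield rec


def find_backdoor_scanners(lines, min_targets=3):
    """Return {src_ip: [dst_ips]} for sources that probed the back-door range on
    at least min_targets distinct destinations. Denied and allowed attempts
    both count: the sweep itself is the signal, whatever the firewall decided."""
    targets = defaultdict(set)
    for rec in backdoor_events(lines):
        targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def find_exposed_hosts(lines):
    """Return {dst_ip: [src_ips]} for destinations that ACCEPTED an inbound
    connection on a back-door port. Something answered there, so the host is a
    candidate for isolation and cleanup, not just for blocking."""
    accepted = defaultdict(set)
    for rec in backdoor_events(lines):
        if rec["action"] == "ALLOW":
            accepted[rec["dst"]].add(rec["src"])
    return {dst: sorted(srcs) for dst, srcs in accepted.items()}


# Constructed sample log (documentation address ranges, no real hosts).
SAMPLE_LOG = """\
2004-01-28T10:00:01 198.51.100.7 -> 192.0.2.10:3127 TCP DENY
2004-01-28T10:00:01 198.51.100.7 -> 192.0.2.11:3127 TCP DENY
2004-01-28T10:00:02 198.51.100.7 -> 192.0.2.12:3128 TCP DENY
2004-01-28T10:00:02 198.51.100.7 -> 192.0.2.13:3127 TCP ALLOW
2004-01-28T10:00:05 203.0.113.4 -> 192.0.2.20:80 TCP ALLOW
2004-01-28T10:00:06 203.0.113.4 -> 192.0.2.20:3127 TCP DENY
2004-01-28T10:00:07 192.0.2.13 -> 203.0.113.50:25 TCP ALLOW
this line is not in the expected format
""".splitlines()

if __name__ == "__main__":
    for src, dsts in find_backdoor_scanners(SAMPLE_LOG).items():
        print(f"scanner {src} probed {len(dsts)} hosts: {', '.join(dsts)}")
    for dst, srcs in find_exposed_hosts(SAMPLE_LOG).items():
        print(f"host {dst} accepted back-door connections from {', '.join(srcs)}")
```

The `min_targets` threshold is what separates a sweep from a single stray connection; as the article notes, some scanning comes from administrators looking for their own infected machines, so the scanner list is a lead to investigate, while an accepted inbound connection on the range is the stronger indicator that a host is compromised.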
 
