Date: Tue, 27 Jan 2004 17:02:08 -0500 (EST)
From: BCPL.NET SysAdmin
To: BCPL.NET News
Subject: BCPL.NET NEWS: Virus Alert: MyDoom Worm

------------------------
VIRUS ALERT: MYDOOM WORM
------------------------

On January 26th a new worm called "MyDoom" began spreading very rapidly across the Internet via e-mail and via KaZaA file sharing. It is also known by a variety of other names: "Novarg", "Mimail.R", "Shimgapi", "Shimg", and several variations on the word "MyDoom". We have seen a large number of MyDoom-infected e-mails here at BCPL.NET.

Most virus information Web sites rate the MyDoom Worm as very dangerous due to the very rapid speed at which it is spreading.

The MyDoom Worm infects PCs running Windows 95, Windows 98, Windows 2000, Windows NT, Windows ME, Windows XP, and Windows 2003 Server. It does not infect DOS, Macintosh, UNIX or Windows 3.x computers.

How The MyDoom Worm Spreads
---------------------------

MyDoom is spread in the form of an e-mail file attachment that installs the worm on the target PC if the attachment is opened. It also spreads via KaZaA peer-to-peer file sharing.

Via E-Mail:
----------

When a PC becomes infected, MyDoom compiles a list of target e-mail addresses from addresses found in the address book, in saved e-mail, and in other files on the infected computer. It then mails infected file attachments to all those addresses. It does this each time the infected PC boots up and connects to the Internet.

The e-mail carrying the infected file attachment is in the following format:

From Address: Selected by the virus from its list of target addresses, so the message may appear to come from someone you know. There is also evidence that the From address is sometimes constructed from common first names with the target domain name added (for example john@bcpl.net, mary@bcpl.net, etc).
To Address: In addition to addresses found on the infected PC, there is also evidence that the To address is sometimes constructed from common first names with the target domain added (for example john@bcpl.net, mary@bcpl.net, etc).

Subject: Chosen at random from the following list:
- error
- hello
- hi
- mail delivery system
- mail transaction failed
- server report
- status
- test
- [any random collection of characters]
The words on the Subject line may or may not be capitalized.

Message Text: Chosen at random from the following list:
- test
- Mail transaction failed. Partial message is available.
- The message contains Unicode characters and has been sent as a binary attachment.
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- [any random collection of characters]

File Attachment: The name of the infected file attachment is chosen at random from the following list:
- body
- data
- doc
- document
- file
- message
- readme
- test
- text
- [any random collection of characters]
The file name extension may be BAT, CMD, EXE, PIF, SCR, or ZIP. Sometimes dual extensions are used, in which case the first extension is HTM, TXT or DOC.

If you receive e-mail matching the above description, delete it. DO NOT open the file attachment!

The MyDoom Worm infection is not carried by e-mail intentionally sent by the owner of the infected PC. MyDoom sends out its infected e-mail without the knowledge of the PC's owner, using mailer routines built into the worm.

Via KaZaA:
---------

When a PC is infected, MyDoom searches the Windows Registry for a value containing the location of a KaZaA shared folder. If found, the worm copies itself to that folder with the following file names:
- winamp5
- icq2004-final
- activation_crack
- strip-girl-2.Obdcom_patches
- rootkitXP
- office_crack
- nuke2004
The file name extensions may be BAT, EXE, SCR or PIF.
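The e-mail characteristics listed under "Via E-Mail" above and the KaZaA decoy file names, turned into a small triage check that a mail administrator or help desk could run over a suspect message or a shared folder listing. This is an added example, not code from the original alert or from any anti-virus vendor; it assumes only Python's standard email package, treats the "[any random collection of characters]" variants as unmatchable (so the executable-extension rule carries the most weight), and the sample message is constructed.

```python
import email
from email import policy
# Indicator lists transcribed from the alert above; all matching is case-insensitive.
SUBJECTS = {"error", "hello", "hi", "mail delivery system",
            "mail transaction failed", "server report", "status", "test"}
ATTACH_NAMES = {"body", "data", "doc", "document", "file", "message", "readme", "test", "text"}
EXEC_EXTS = {"bat", "cmd", "exe", "pif", "scr", "zip"}
DECOY_EXTS = {"htm", "txt", "doc"}  # first half of a dual extension such as .txt.pif
KAZAA_NAMES = {"winamp5", "icq2004-final", "activation_crack", "strip-girl-2.obdcom_patches",
               "rootkitxp", "office_crack", "nuke2004"}
KAZAA_EXTS = {"bat", "exe", "scr", "pif"}

def attachment_flags(filename):
    """Indicators matched by an attachment name; a random name only trips the extension rule."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXTS:
        return []
    flags = ["executable-extension"]
    if parts[0] in ATTACH_NAMES:
        flags.append("mydoom-attachment-name")
    if len(parts) > 2 and parts[-2] in DECOY_EXTS:
        flags.append("dual-extension")
    return flags

def is_kazaa_decoy(filename):
    """True when a file in a shared folder carries one of the worm's decoy names."""
    stem, _, ext = filename.lower().rpartition(".")
    return stem in KAZAA_NAMES and ext in KAZAA_EXTS

def mydoom_indicators(raw_message):
    """Parse a raw RFC 822 message and collect every indicator it matches."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flags = ["mydoom-subject"] if (msg["subject"] or "").strip().lower() in SUBJECTS else []
    for part in msg.walk():  # the multipart container itself has no filename and is skipped
        if part.get_filename():
            flags.extend(attachment_flags(part.get_filename()))
    return flags

# Constructed sample in the format the alert describes (not a captured worm message).
SAMPLE = b"""Subject: Mail Delivery System
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="document.txt.pif"
Content-Disposition: attachment; filename="document.txt.pif"

xx
--b1--
"""
```

Call mydoom_indicators(SAMPLE) to see the four indicators the sample trips; a message that matches only the subject rule is weak evidence on its own, because "hi" and "test" are common legitimate subjects.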
Once installed in the KaZaA shared folder, the MyDoom-infected files are distributed via the KaZaA peer-to-peer file sharing network.

What MyDoom Does To The Infected PC
-----------------------------------

In addition to turning the infected PC into an unwitting redistributor of the MyDoom Worm, the worm sets up a backdoor on the infected PC that allows an attacker to connect to the computer and use it as a proxy for malicious activities. For example, an attacker can install software that allows him to use the infected computer as a spam relay.

The MyDoom Worm also uses the infected computer to participate in a denial of service (DoS) attack against www.sco.com. On February 1st all computers infected by MyDoom will begin requesting the main page of that Web site once every second, the aim being to overload SCO's web server.

How To Protect Your PC From MyDoom Worm Infection
-------------------------------------------------

o If you have anti-virus software on your PC, *and* if it is configured to scan incoming e-mail for viruses, *and* if its virus description database is up-to-date enough to know about MyDoom, then it will stop MyDoom before it can infect your PC. However, the virus description database must be *very* new. The MyDoom Worm was discovered and described by the major anti-virus software vendors on January 26, 2004, so a virus description database older than that will not enable your anti-virus software to detect and stop MyDoom. We recommend that you update your virus description database at least once a week, although given the rate at which new PC viruses appear, once a day would be even better. If you do not keep your virus description database up to date, then your anti-virus software is virtually useless.

o If you receive a message containing a file attachment DO NOT open the attachment unless ALL of the following are true:
  - The sender is known to you.
  - You are expecting a file attachment from that person.
  - The sender clearly identifies the nature of the file attachment in the text of the message.
If any one of those three statements is not true, delete the message. DO NOT open the file attachment. When in doubt, get in touch with the apparent sender to confirm that he/she actually sent the attachment.

o If you use KaZaA or any of the other peer-to-peer file sharing networks, be VERY careful what you download. It is estimated that at least 50% of the files made available via peer-to-peer file sharing are "malware", meaning viruses, worms, trojans and other malicious programs disguised as something else.

o In the final analysis you are your own best defence against virus infection. All it takes is a bit of common sense.

How To Remove the MyDoom Worm From An Infected PC
-------------------------------------------------

If your PC becomes infected by MyDoom, and if you have anti-virus software on the PC, then your virus definition database must be too old to detect MyDoom. Otherwise your anti-virus software would not have allowed the worm to infect your PC in the first place. Update your virus definitions database, then use the anti-virus software to scan your hard drive.

If you do not have anti-virus software, or if you have trouble with the software vendor's instructions for dealing with a MyDoom-infected PC, or if you just want a quick fix, we recommend that you download and run the "Stinger" utility provided free of charge by McAfee. You will find it on the McAfee web site at:

http://vil.nai.com/vil/stinger/

Stinger will remove MyDoom and several other recent worms and viruses. Please follow the instructions on the Stinger web page very carefully!

IMPORTANT: In order to remove MyDoom you need Stinger version 1.9.7 (or later), which was posted to the Network Associates web site on January 26th. If you already have an older version of Stinger, it will not remove a MyDoom infection.
More Information About The MyDoom Worm:
--------------------------------------

This alert was compiled from information found on the following well-known virus information Web sites. Please visit them if you are interested in more detailed information about MyDoom.

http://us.mcafee.com/virusInfo/default.asp?id=mydoom
http://www.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html
http://www.F-Secure.com/v-descs/novarg.shtml
http://www.sophos.com/virusinfo/analyses/w32mydooma.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R

--
BCPL.NET INTERNET SERVICES
320 York Road
Towson, MD 21204-5179
U.S.A.

CONTACTS:
--------
Web Site: http://www.bcpl.net
Administration & Policy: ispadmin@bcpl.net 410-887-6180
Sales, Renewals, Account Status: accounts@bcpl.net 410-887-4172
Technical Support (Help Desk): help@bcpl.net 410-887-3297
Usenet News Newsgroup Requests: news-admin@bcpl.net 410-887-6180
E-Mail & Newsgroup Abuse Reports: abuse@bcpl.net 410-887-6180
Domain Name Service Issues: dnsadmin@bcpl.net 410-887-6180
FAX: 410-887-2091