Advertisement
 
To print: Select File and then Print from your browser's menu

--------------------------------------------------------------
This story was printed from ZDNet Australia.
--------------------------------------------------------------
MyDoom: What is it?

By John McCormick, 0
January 28, 2004
URL: http://www.zdnet.com.au/news/security/soa/MyDoom-What-is-it-/0,130061744,139115860,00.htm


TechRepublic

Mydoom is a mass mailing and peer-to-peer (KaZaA) worm that targets The SCO group. This worm is spreading rapidly and went from a standing start to a category 4 rating at Symantec in one leap.

Another infection released this week, Mimail, is a polymorphic worm that is primarily intended to steal PayPal account information from infected systems. Mimail is difficult to detect because of the changing encrypted code, so antivirus vendors are releasing new decryption algorithms to deal with it.

Of the two, Mydoom is by far the most widespread and fastest spreading, but it probably has a lower damage potential, except that it can clog up corporate mail systems and hog bandwidth. Reports state that these two worms are closely related.

Mydoom
This worm has spread like wildfire and will be difficult to recognize because there are various subject lines and attachment names. Even the attachment extension may appear as .pif, .scr, .exe, .cmd, .bat, or .zip.

According to Symantec (which also designates this malware as Novarg), the subject line will mostly appear to be some sort of error message related to e-mail. This could include: Test, Hi, Error, or Mail Transaction Failed. The origin of this worm might be self-revealing because, when it spreads, the code ignores any .edu e-mail extensions.

The worm collects addresses from infected systems in the following files:

  • .htm
  • .sht
  • .php
  • .asp
  • .dbx
  • .tbb
  • .adb
  • .pl
  • .wab
  • .txt

Also, according to the Symantec report, this worm will plant a backdoor and, on 1 February 2004, it will attempt a distributed denial of service (DDoS). In fact, both Mydoom and Mimail plant a backdoor on infected systems. UDP 3127 is the port opened by Mydoom.

McAfee reports that when an infection occurs, Mydoom will open a copy of Microsoft Notepad filled with nonsense code and text. Also, according to McAfee, the target of the 1 February DDoS attack is the SCO.com URL.

In a very unusual move, CERT has published an Incident Report, IN-2004-01 on this worm, which, CERT reports, is also known as Shimg.

Mimail
Mimail is the other mass mailing worm hitting users this week. It displays a very authentic-looking Windows expiration notice. After scaring users with this, the worm goes on to request every piece of personal information conceivable. When it collects any interesting cookie or other information from the infected computer, it mails the data to an anonymous e-mail account, and then Mimail opens a backdoor on the infected systems. This applies to port 3000 and port 6667 (listening server).

Applicability
Both of these worms strike Windows systems only. Of course, the SCO target is indirectly a Linux/UNIX attack, but it is on the vendor and not on the operating system itself.

Mitigating factors
There are the usual mitigating factors that you have with most viruses. If you have trained your users not to open attachments, then they won't get hit with either one of these worms. Also, keep in mind that both worms may require updated code for antivirus software to catch them.

Fix
Since the backdoor for Mydoom uses UDP port 3127, blocking port 3127 at your firewall will close the backdoor. McAfee also offers the limited free antivirus tool, Stinger, which can detect Mydoom and some other infections. The latest version, 1.9.7, was released on 26 January, 2004 and detects 34 different versions of malware, including both Mydoom and Mimail.

Final word
Due to its recent litigation against Linux, The SCO Group is very unpopular with the Linux community, so Mydoom may be the first serious incident of Linux users attacking a Linux/UNIX vendor, using a Windows vector.

Also, while it's tempting to say that any people dumb enough to fill out the Mimail worm's questionnaire deserve what they get, the worm also scans files in the background and is probably intended mostly to steal PayPal account information rather than to actually get social security numbers, telephone numbers, and other personal information.

TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to firewalls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.

Ã,©2003 TechRepublic, Inc.

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.