[IP] Old news for IPers E - Mail Worm Clogging Network Traffic
E - Mail Worm Clogging Network Traffic
January 27, 2004
By THE ASSOCIATED PRESS
Filed at 5:18 a.m. ET
SAN JOSE, Calif. (AP) -- Network administrators were
working to stop a fast-spreading e-mail worm that looks
like a normal error message but actually contains a
malicious program that spreads itself and installs a
program that leaves an open door to infected computers.
The worm -- called ``Mydoom,'' ``Novarg'' or
``WORM--MIMAIL.R'' -- was replicating itself so quickly
that some corporate networks were clogged with infected
traffic within hours of its appearance Monday. Its mail
engine could send out 100 infected e-mail messages in 30
seconds, experts said.
It runs on computers running Microsoft Corp.'s Windows
operating systems, though other computers were affected by
slow network and a flood of bogus messages. About 3,800
infections were confirmed within 45 minutes of its initial
discovery, according to the security firm Central Command.
``This has all the characteristics of being the next big
one,'' said Steven Sundermeier, Central Command's vice
president of products and services.
It appeared to first target large companies in the United
States -- and their computers' large address books -- and
quickly spread internationally, said David Perry, global
director of education at the antivirus software firm Trend
Micro.
``As far as I can tell right now, it's pretty much
everywhere on the planet,'' said Vincent Gullotto, vice
president of Network Associates' antivirus emergency
response team.
Unlike other mass-mailing worms, Mydoom does not attempt to
trick victims by promising nude pictures of celebrities or
mimicking personal notes. Instead, one of its messages
reads: ``The message contains Unicode characters and has
been sent as a binary attachment.''
``Because that sounds like a technical thing, people may be
more apt to think it's legitimate and click on it,'' said
Steve Trilling, senior director of research at the computer
security company Symantec.
Subject lines also vary but can include phrases like ``Mail
Delivery System'' and ``Mail Transaction Failed.'' The
attachments have ``.exe,'' ``.scr,'' ``.cmd'' or ``.pif''
extensions, and may be compressed as a Zip file.
Besides sending out tainted e-mail, the program appears to
open up a backdoor so that hackers can take over the
computer later.
Symantec said the worm appeared to contain a program that
logs keystrokes on infected machines. It could collect
username and passwords of unsuspecting users and distribute
them to strangers. Network Associates, however, did not
find the keylogging program.
The worm also appears to deposit its payload into folders
open to users of the Kazaa file-sharing network. Remote
users who download those files and run them could be
infected.
Symantec also found code that would flood The SCO Group
Inc.'s Web site with requests in an attempt to crash its
server, starting Feb. 1. SCO's site has been targeted in
other recent attacks because of its threats to sue users of
the Linux operating system in an intellectual property
dispute. An SCO spokesman did not return a telephone call
for comment Monday.
Microsoft offers a patch of its Outlook e-mail software to
warn users before they open such attachments or prevent
them from opening them altogether. Antivirus software also
stops infection.
Christopher Budd, a security program manager with
Microsoft, said the worm does not appear to take advantage
of any Microsoft product vulnerability.
``This is entirely a case of what we would call social
engineering -- enticing users to take actions that are not
in their best interest,'' he said.
Mydoom isn't the first mass-mailing virus of the year.
Earlier this month, a worm called ``Bagle'' infected
computers but seemed to die out quickly. So far, it's too
early to say whether Mydoom will continue to be a problem
or peter out, experts said.
``Over the next 24 to 48 hours, we'll have a much better
sense,'' Trilling said. ``Right now, the trend is only
up.''
-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/