E-mail Worm

Published: Tuesday, January 27, 2004 at 1:52 p.m.
Last Modified: Tuesday, January 27, 2004 at 1:52 p.m.

SAN JOSE, Calif. (AP) - An e-mail worm that looks like a normal error message but actually contains a malicious program continued to snarl computers around the world on Tuesday.

MessageLabs Inc., which scans e-mail for viruses, said 1 in every 12 messages contained the worm, called "Mydoom" or "Novarg." Security experts described it as the largest virus-like outbreak in months, one made more problematic by its timing.

The worm began spreading rapidly Monday during business hours in the United States, where the world's computers are concentrated. Many recent outbreaks began during Asian business hours _ overnight in the United States _ allowing anti-virus vendors to develop new defenses by the time U.S. companies opened up shop.

"Whenever a virus begins to start in the states, it usually becomes much bigger," said Vincent Gullotto, an anti-virus researcher at Network Associates Inc.

Some corporate networks were clogged with infected traffic within hours of its appearance, and operators of many systems voluntarily shut down their e-mail to keep the worm from spreading during the cleanup.

Mikko Hypponen, manager of anti-virus research at F-Secure Corp. in Finland, estimated that 200,000 to 300,000 computers were hit worldwide.

The worm infects computers using Microsoft Corp.'s Windows operating systems, though other computers were affected by network slowdowns and a flood of bogus messages.

Unlike other mass-mailing worms, Mydoom does not attempt to trick victims by promising nude pictures of celebrities or mimicking personal notes. Instead, one of its messages reads: "The message contains Unicode characters and has been sent as a binary attachment."

"Because that sounds like a technical thing, people may be more apt to think it's legitimate and click on it," said Steve Trilling, senior director of research at the computer security company Symantec.

Besides sending out tainted e-mail, the program appears to open up a backdoor so hackers can take over the computer later.

Hackers, for instance, could later install programs that log keystrokes on infected machines, collecting username and passwords of unsuspecting users and distributing them to strangers. Symantec, however, backed away from earlier statements that such a program was included with the worm.

The worm also places copies of itself in folders used for sharing files through the Kazaa file-sharing network. Remote users who download those files and run them could be infected. Security experts say the spread through Kazaa is minor compared with e-mail.

The worm was also programmed to flood the Web site of The SCO Group Inc. beginning on Feb. 1 with requests in an attempt to crash its. SCO's site has been targeted in other recent attacks because of its threats to sue users of the Linux operating system in an intellectual property dispute.

Microsoft offers a patch of its Outlook e-mail software to warn users before they open such attachments or prevent them from opening them altogether. Antivirus software also stops infection.

Christopher Budd, a security program manager with Microsoft, said the worm does not appear to take advantage of any Microsoft product vulnerability.

"This is entirely a case of what we would call social engineering _ enticing users to take actions that are not in their best interest," he said.

Mydoom isn't the first mass-mailing virus of the year. Earlier this month, a worm called "Bagle" infected computers but seemed to die out quickly.


On the Net:

Microsoft security tips: http://www.microsoft.com/security/protect/default.asp


Associated Press Business Writer Allison Linn in Seattle and Internet Writer Anick Jesdanun in New York contributed to this report.

Reader comments posted to this article may be published in our print edition. All rights reserved. This copyrighted material may not be re-published without permission. Links are encouraged.

Comments are currently unavailable on this article

▲ Return to Top