- The Washington Times - Tuesday, January 27, 2004

E-mail users yesterday continued to fend off mass amounts of unwanted messages sent by a persistent computer worm that has infected millions of computers worldwide.

Computer security companies said they were still receiving constant reports of a worm called W32.Novarg, or MyDoom, which began spreading Monday afternoon via e-mail and is programmed to help spammers hijack computers and use them to send out mass amounts of e-mail anonymously.

As many as one out of every five e-mail messages sent over the Internet yesterday came as a result of MyDoom. Most messages contain subject lines like “Test,” or “Undeliverable mail,” and the messages usually feature unintelligible letters and an attachment file. The attachment, when opened, causes the worm to spread to anyone in the computer’s e-mail address book.

“We’re still seeing very high levels of e-mail,” said Neil Mehta, a research engineer with Internet Security Systems in Atlanta. “It puts a huge load on e-mail servers.”

Internet Security Systems and other computer security companies said that if MyDoom continues to spread rapidly, it will rival some of the most widespread computer worms in history.

More than 90 percent of the infections have come from home computer users. Only users of Microsoft’s Windows 2000, XP, NT, ME, 95 and 98 can be infected by the worm, but users of all platforms can receive the e-mail messages.

Some security analysts said MyDoom will fall short of causing the number of infections created by the SoBig.F worm in August, which infected more than 3 million machines in one 24-hour period, according to Santa Clara, Calif., company Network Associates. Other security analysts compared MyDoom to the BugBear and Blaster worms, which spread to thousands of computers last summer.

Like those other worms, MyDoom is designed to create vulnerabilities in a computer that allow other virus writers or spammers to install software and use that computer to start more attacks without being detected.

Analysts said that in the past year there has been a dramatic increase in spammers using this method to send unwanted e-mail advertisements.

MyDoom “has actually created a huge platform for additional attacks to take place,” said Oliver Friedrichs, a senior manager with Symantec Security Response, a Cupertino, Calif., Internet security firm.

In addition, MyDoom is programmed to commit a “denial of service” attack against the Web site of SCO Group Inc., a Linden, Utah, software company that is suing IBM over its use of the Linux operating system. During a “denial of service” attack, the perpetrator floods a Web site with information, causing it to overload and crash.

SCO said yesterday it is offering a $250,000 reward for information leading to the arrest and conviction of the person responsible for writing MyDoom.

The MyDoom worm is also programmed to spread via the popular file-sharing network known as Kazaa.

Analysts said simply shutting off and restarting a computer will not remove the worm, and recommended that computer users update their virus software.

Also, they advised against opening any e-mail attachments, even if they come from a trusted source.

“Without actually clicking and running the attachments, there would be no infections,” Mr. Mehta said. He said MyDoom has been unusually successful in propagating, because many e-mail users have not been able to distinguish between legitimate e-mail and e-mail from MyDoom.

Security experts said the worm is designed to not send any e-mail to addresses with a .mil or .edu domain name. They said it is not clear why the worm was designed this way, but suggested that the writer may have been trying to avoid detection by computer users in the military or universities, who have the resources to find out who wrote the worm.


Copyright © 2018 The Washington Times, LLC.
