
My Doom/ Novarg worm...

Discussion in 'BBS Hangout' started by KingCheetah, Jan 27, 2004.

  1. KingCheetah

    KingCheetah Atomic Playboy
    Supporting Member

    Joined:
    Jun 3, 2002
    Messages:
    59,079
    Likes Received:
    52,752
    Heads up - I think I've got this thing in my mailbox 3 times already.

    Experts: Vicious worm 'Linux war' weapon
    Anti-virus vendor: One in 12 e-mails infected
    By Jeordan Legon
    CNN

    (CNN) -- A sneaky e-mail worm continued to clog Internet traffic Tuesday, spreading faster than previous Web bugs by appearing as an innocuous error message.

    The worm -- dubbed "MyDoom," "Novarg" or "WORM_MIMAIL.R" -- was copying itself at a fierce pace, so fast that some companies were having to shut down their mail servers to stop it. And a new clue was emerging as to the source of the infection.

    Virus experts suggested MyDoom's author was a fan of the Linux open source community, because the bug, which targets computers running Microsoft Windows, launched a Denial of Service Attack on SCO's site. Utah-based SCO Group, owner of the UNIX operating system, claims some versions of the Linux operating system use its proprietary code.

    "The MyDoom worm takes the Linux Wars to a new intensity," said Chris Belthoff, an analyst for anti-virus firm Sophos. "It appears that the author of MyDoom may have taken the war of words from the courtrooms and Internet message boards to a new level by unleashing this worm which attacks SCO's Web site."

    Infected messages were intercepted in 142 countries and one in 12 e-mails being protected by Britain-based MessageLabs was carrying the worm, the anti-virus vendor reported. In comparison, the widespread SoBig virus that hit last August -- at its peak -- only attacked 1 out of 17 e-mails handled by the firm. Web-monitoring firm Keynote said MyDoom slowed Internet performance significantly Monday afternoon. And the worm appeared to cause an "uptick in terms of performance" Tuesday morning, said Keynote analyst Roopak Patel.

    "We're essentially watching the virus follow the sun as the various time zones come online," MessageLabs Chief Technical Officer Mark Sunner said.

    The worm is contained in e-mails with random senders' addresses and subject lines. While the body of the e-mail varies, it usually includes what appears to be an error message, such as: "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."

    While many computer users are savvy about not opening executable files or other attachments that may contain viruses, the latest worm masks itself as an innocuous text document or a file that your computer appears unable to read.

    "This one is almost begging you to click on the attachment," said Sharon Ruckman, the head of anti-virus firm Symantec's security response team.

    When loaded, some versions of the worm launch Notepad and show random characters. At the same time it replicates itself, opens a backdoor that could allow hackers to break in and, in some instances, installs a "keystroke" program that records everything being typed, including passwords and credit card numbers.

    The worm also was spreading via popular Internet file sharing networks such as Kazaa, where it appeared with names such as "Winamp5" and "ICQ2004-final." Nullsoft's Winamp offers an MP3 music-playing tool and ICQ is a popular Web chat program.

    Anti-virus experts said MyDoom, which surfaced Monday afternoon, was on track to hit even more machines than Nimda, a 2001 worm that spread widely with an attachment that read "Readme.exe."

    This time, besides the "binary attachment" message, MyDoom comes with all different file extensions including .pif, .zip and .csr. It also uses an attachment icon similar to one used for Windows text messages. All of this, security experts warn, was succeeding in tricking people into thinking the e-mail was legitimate.

    The best thing to do to stop the spread of the worm, experts said, was to ignore or delete it. And to update anti-virus software.

    After a relative lull in the number of viruses distributed during the holidays, anti-virus experts said last week's "Bagle" worm and now "MyDoom" were keeping Internet security gurus on their toes.

    "The virus writers [are] ... back from vacation and they've started pushing out their creations," said Vincent Gullotto, who runs Network Associates' McAfee Anti-Virus Emergency Response Team.

    http://edition.cnn.com/2004/TECH/internet/01/27/mydoom.spread/index.html
     
  2. mrpaige

    mrpaige Member

    Joined:
    Feb 5, 2000
    Messages:
    8,831
    Likes Received:
    15
    I've apparently got the virus emailed to me about three times since last night, as well.
     
  3. Woofer

    Woofer Member

    Joined:
    Oct 10, 2000
    Messages:
    3,995
    Likes Received:
    1
    This is nothing compared to that Windows update email. I got two hundred of those a day for weeks.
     
  4. giddyup

    giddyup Member

    Joined:
    Jan 24, 2002
    Messages:
    20,466
    Likes Received:
    488
    My wife has gotten the infected email about 900 times since last night. She is running an obsolete Windows 95 with no anti-viral software.
     
  5. RocketMan Tex

    RocketMan Tex Member

    Joined:
    Feb 15, 1999
    Messages:
    18,452
    Likes Received:
    119
    I got it in the email last night, and my email system rejected it.
     
  6. bobrek

    bobrek Politics belong in the D & D

    Joined:
    Sep 16, 1999
    Messages:
    36,288
    Likes Received:
    26,645
    Do you post to newsgroups with your email address as the 'reply to' field? I inadvertently posted to an MS newsgroup using my main email address and I was getting a number of those daily which have since died down. In the meantime, I changed my newsgroup email address to a yahoo account I seldom use and now it's getting bombarded after I posted to a newsgroup.
     
  7. Woofer

    Woofer Member

    Joined:
    Oct 10, 2000
    Messages:
    3,995
    Likes Received:
    1
    re:bobrek - yes. I have this account I've had for five or six years and use it on usenet. It sort of pains me to change it because it makes searching for stuff I've done before a bit of a pain. I've changed so now my newsreader puts a spam protected email address, but that original email address is in some mailing lists permanently apparently. The problem with yahoo's free account is the spam fills it up too quickly!




    I could only get 200 a day because they carried a 100 something K virus payload and filled my inbox.
     
  8. Sonny

    Sonny Member

    Joined:
    Mar 20, 2001
    Messages:
    5,436
    Likes Received:
    8
    I've blocked well over 1,000 here at the office. It's very hot.

    from Messagelabs:


    The bad thing about this one is it's in .ZIP format, which a lot of companies allow through. We block most other known attachment types like: .PIF .SCR .EXE .VBS .COM .SHS
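
The gap described in the post above (blocked extensions such as .PIF, .SCR and .EXE while .ZIP passes) can be narrowed by checking the file names inside the archive too. This is an added Python example, not part of the thread or of any product named in it; `is_blocked`, `scan_message` and `build_sample` are illustrative names, and the sample message is constructed.

```python
import io
import os
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Extensions listed in the post above as blocked at the gateway.
BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe", ".vbs", ".com", ".shs"}

def is_blocked(name):
    """True if the final extension of the file name is on the block list."""
    return os.path.splitext(name.strip().lower())[1] in BLOCKED_EXTENSIONS

def scan_message(raw_bytes):
    """Return (attachment name, reason) findings for one raw e-mail message."""
    findings = []
    msg = message_from_bytes(raw_bytes)
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        if is_blocked(filename):
            findings.append((filename, "blocked extension"))
            continue
        if filename.lower().endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                    # Only the member names are read; nothing is extracted.
                    for member in archive.namelist():
                        if is_blocked(member):
                            findings.append((filename, "contains " + member))
            except zipfile.BadZipFile:
                # Fail closed: an archive the filter cannot read is flagged.
                findings.append((filename, "unreadable archive"))
    return findings

def build_sample(member_name):
    """Constructed message: a ZIP attachment holding one harmless member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, b"placeholder bytes, not a program")
    msg = EmailMessage()
    msg.set_content("constructed body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    return msg.as_bytes()
```

A filter like this only inspects names one level deep; an archive nested inside another archive would need the same check applied to the inner file.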
     
  9. bamaslammer

    bamaslammer Member

    Joined:
    Jun 11, 2003
    Messages:
    3,853
    Likes Received:
    4
    My work email is deluged with them. Arrgggh!!! I just wish I could get my hands on the little pricks who invent this crap. :mad:
     
  10. MR. MEOWGI

    MR. MEOWGI Contributing Member

    Joined:
    Jul 2, 2002
    Messages:
    14,382
    Likes Received:
    13
    Hoe do you get rid of that? I have one isp email account out of five that gets that. What do I do?
     
  11. Lil Pun

    Lil Pun Member

    Joined:
    Oct 6, 1999
    Messages:
    34,143
    Likes Received:
    1,038
    Who you calling a hoe? ;)
     
  12. MR. MEOWGI

    MR. MEOWGI Contributing Member

    Joined:
    Jul 2, 2002
    Messages:
    14,382
    Likes Received:
    13
    Sorry, I meant w****.
     
  13. Bailey

    Bailey Veteran Member

    Joined:
    Oct 7, 1999
    Messages:
    1,977
    Likes Received:
    50
    I read the subject, and thought KingCheetah was going to claim responsibility for the virus! :D
     
  14. bobrek

    bobrek Politics belong in the D & D

    Joined:
    Sep 16, 1999
    Messages:
    36,288
    Likes Received:
    26,645
    Mine eventually died down (probably as my posts using that email started vanishing from servers). As far as I know, you just have to wait it out. I changed my MS Outlook definitions to put those emails in a separate folder since the size is fairly consistent. It took about 2 months for them to quit arriving at my primary email address.
     
  15. Woofer

    Woofer Member

    Joined:
    Oct 10, 2000
    Messages:
    3,995
    Likes Received:
    1
    Same here.

    I had to start blocking email address domains for a while. It seemed like they were just *stepping* through every possible from email address.
     
  16. MadMax

    MadMax Member

    Joined:
    Sep 19, 1999
    Messages:
    76,684
    Likes Received:
    25,927
    dude, i got this crapcake on my computer today..showed up 3 times in my scan..removed it using instructions from nick burns, my company's computer guy....ok, his name isn't nick burns, but i do call him that.
     
  17. ima_drummer2k

    ima_drummer2k Member

    Joined:
    Oct 18, 2002
    Messages:
    36,475
    Likes Received:
    9,483
    My work email has been getting hammered all day long. There were about 12 emails when I got here this morning, and I've gotten about 20 more since then.

    I'm guessing our IT guys are working hard today.
     
  18. Rockets2K

    Rockets2K Clutch Crew

    Joined:
    Mar 22, 2000
    Messages:
    18,050
    Likes Received:
    1,271
    Man, you absolutely have to love earthlink.

    I have received zero...count them...zero copies of this...or any of the other ones..earthlink's filters are impressive..and they stay on the ball filtering out known virus emails.

    ;)
     
  19. mrpaige

    mrpaige Member

    Joined:
    Feb 5, 2000
    Messages:
    8,831
    Likes Received:
    15
    On the other hand, I sent a job offer to someone using Earthlink, and the email was bounced back to me saying the spam filters kicked it back.

    So, I went to the next name on my list.
     
  20. Rockets2K

    Rockets2K Clutch Crew

    Joined:
    Mar 22, 2000
    Messages:
    18,050
    Likes Received:
    1,271
    there is that....the problem there wasn't earthlink's spam/virus filters....

    that was a setting in the individual user's spam guard filters.

    If you set them too high..it will bounce good emails..

    I am referring to earthlink's virus filters.
     
