If your sysadmin seems irate this week, MyDoom is the likeliest cause. To say that the worm is spreading like wildfire is an understatement. Any bug that can knock NASA’s twin Mars rovers off their perch atop tech headlines deserves a closer look.
MyDoom (W32/Mydoom.A), and its latest variant, W32/Mydoom.b@MM are polluting the Internet with junk traffic and spreading over e-mail and KaZaa. In some instances, they account for 1 out of every 12 e-mails, meaning that roughly 8% of every e-mail that drops into an unfiltered inbox carries the damaging payload.
And come February 1, one company is set to feel MyDoom’s sting rather acutely. MyDoom.A has been coded to bombard the site of SCO – now famous (or infamous depending on your view) for the IBM/Linux legal brouhaha – with a denial of service attack. Already, infected PCs with incorrect clock settings are blasting away at SCO.com.
IT departments are being asked not to be dismissive about this threat. Even if few care about the threat it poses to SCO, these worms can leave the pave the way for network intrusions. You see, aside from its voracious appetite, the MyDoom also sets up a backdoor can download and execute files and allow an intruder access.
This week, catch up on the experiences of those enterprising souls that coping with this outbreak and posting their results for the benefit of PC users everywhere.
Note: The opinions expressed below are solely those of the individual posters on the AntiOnline forums.
Direct link to this week’s spotlight thread:
Virus Alert: Novarg / MiMail / MyDoom
It all began with a routine announcement alerting us of the latest threats…
Symantec just issued a new Category 3 Virus alert. The name of the virus is W32.Novarg.A@mm and while the information on it is a little thin, you can read about it here:
Symantec just upgraded this to a Category 4 Alert.
Everyone seems to have settled on calling it MyDoom but it goes by other names.
Aliases listed are:
Novarg (F-Secure), W32.Novarg.A@mm (Symantec), Win32/Shimg (CA), WORM_MIMAIL.R (Trend)
This thing is nasty and propagating like MAD! My company is seeing about 100 per hour for just THIS virus. So far seeing PIF, EXE, CMD, ZIP, and SCR file extensions.
AV vendors that have updates (that I know of) are: McAfee, Sophos, Norman, Symantec.
576869746568617 offers some signatures for IDS users:
…here’s the IDS signature for the trojan portion of the worm. This one is specific to Symantec IS, Manhunt, and SCS (IDS Signature provided by Symantec).
alert tcp any any -> any 80 (msg:"W32_Novarg_SCO_DOS"; content:"GET / HTTP/1.1|0d0a|Host: www.sco.com|0d0a0d0a|"; offset:0; dsize:37;
S3cur|ty4nq31 just posted a snort rule for this virus in this thread.
Be sure to join this discussion and post your knowledge of this latest worm.
What is AntiOnline?
AntiOnline (AO) is home to many of the most popular network security discussion forums online. Here, participants engage in candid, thought-provoking and enlightening exchanges on the latest hazards and how to protect your systems against them.
We invite you to join the AO community (it’s free!), share your wisdom and learn a few things in the process.