Security firm: MyDoom worm fastest yet
CNN technology correspondent Daniel Sieberg assesses the threat of the e-mail virus 'MyDoom.'
|WHAT IS A WORM?|
A program that makes copies of itself -- for example, from one disk drive to another, or by copying itself using e-mail or another transport mechanism.
|WARD OFF WORMS|
Aside from installing anti-virus software, Symantec suggests these tips to guard against computer worms:
Don't open e-mail from an unknown source.
Only open expected e-mail attachments.
Don't automatically open e-mail attachments.
Don't download programs from Web sites, unless you know and trust the source.
Update your anti-virus software at least every two weeks.
(CNN) -- The MyDoom virus has become the fastest-spreading virus yet, hitting hardest in the United States and Australia, security firm MessageLabs said Wednesday.
The British firm, which provides security to companies around the globe, had intercepted more than 1.8 million copies of the new mass-mailer worm in 168 countries, a spokesman said.
More than 100,000 copies are being intercepted every hour, he added. One in 12 e-mails handled by MessageLabs was infected with the worm.
Sobig.F, which struck last August and had been regarded as the most devastating virus, had a peak infection ratio of 1 in 17 e-mails.
"MyDoom has surpassed Sobig.F as the fastest spreading mass-mailer ever," said David Banes, MessageLabs' Asia Pacific technical director.
FBI agents are investigating the source of the worm, also known as "W32/Mydoom.A-mm," "Novarg" or "WORM_MIMAIL.R."
And SCO Group, whose site has been bombarded with a Denial of Service attack by MyDoom, offered a $250,000 reward for "information leading to the arrest and conviction of those responsible for this crime."
"The perpetrator of this virus is attacking SCO, but hurting many others at the same time," SCO's head Darl McBride said. "We do not know the origins or reasons for this attack, although we have our suspicions. This is criminal activity and it must be stopped."
The MyDoom payload is sent as a binary attachment. It often arrives in a zip archive of 22,528 bytes and is displayed with a text-file icon even though it is an executable file, a file type notorious for carrying viruses.
While the body of the e-mail varies, it usually includes what appears to be an error message, such as: "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."
"A text file icon leads people to believe it is innocuous," Banes said.
Sharon Ruckman, the head of anti-virus firm Symantec's security response team, agreed. "This one is almost begging you to click on the attachment," she said.
Banes cautioned e-mail users not to open suspicious attachments in unexpected e-mails, because the worm takes over the computer and lets hackers use the machine to send out spam.
MyDoom is a mass-mailing worm that attempts to spread via e-mail and by copying itself to any available shared directories used by Web sites such as Kazaa.
The worm harvests addresses from infected machines and targets files with the following extensions: .wab, .adb, .tbb, .dbx, .asp, .php, .sht, .htm and .txt.
It also tries to randomly generate or guess likely e-mail addresses to which to send itself.
Initial analysis by MessageLabs technicians suggests MyDoom opens a connection on TCP port 3127, an indication of a remote access component.
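The indicators reported above (a body carrying the fake "cannot be represented in 7-bit ASCII encoding" error, a zip attachment of 22,528 bytes that wraps an executable, and a socket listening on TCP port 3127) can be turned into a simple mail-gateway and host check. The Python below is an added example written for this page, not code from MessageLabs, Symantec or any other vendor named in the article; the executable-extension list beyond .exe, the netstat column layout, and every sample message and listener line are constructed assumptions, and the sample zip contains filler bytes rather than a program.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Lure text quoted in the article, matched as a substring of the body.
LURE_TEXT = "cannot be represented in 7-bit ASCII encoding"
# Attachment size the article reports for the zip archive.
LURE_ZIP_SIZE = 22528
# Port the article says the worm opens.
BACKDOOR_PORT = 3127
# The article only says "executable file"; .exe is the classic Windows case,
# the remaining extensions are an assumption added for this example.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".bat", ".cmd")


def zip_holds_executable(data: bytes) -> bool:
    """True if the archive lists a member with an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith(EXECUTABLE_EXTS) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_message(raw: bytes) -> list:
    """Return the MyDoom-style indicators found in one raw RFC 822 message."""
    hits = []
    for part in message_from_bytes(raw).walk():
        if part.get_content_maintype() == "multipart":
            continue  # container only; its children are walked next
        payload = part.get_payload(decode=True) or b""
        filename = part.get_filename()
        if filename is None:
            # Body part: look for the fake encoding-error text.
            if LURE_TEXT in payload.decode("utf-8", errors="replace"):
                hits.append("lure-body")
            continue
        name = filename.lower()
        if name.endswith(".zip"):
            if len(payload) == LURE_ZIP_SIZE:
                hits.append("zip-size-22528")
            if zip_holds_executable(payload):
                hits.append("zip-contains-executable")
        elif name.endswith(EXECUTABLE_EXTS):
            hits.append("bare-executable-attachment")
    return hits


def listeners_on_backdoor_port(netstat_lines) -> list:
    """Return netstat-style lines showing a TCP socket listening on port 3127."""
    found = []
    for line in netstat_lines:
        fields = line.split()
        if not fields or fields[0].lower() != "tcp":
            continue
        if not any(f.upper().startswith("LISTEN") for f in fields):
            continue
        local = next((f for f in fields if ":" in f), "")  # first address column
        if local.rsplit(":", 1)[-1] == str(BACKDOOR_PORT):
            found.append(line)
    return found


def build_sample_zip(target_size: int = LURE_ZIP_SIZE) -> bytes:
    """Constructed zip with one bogus .exe member of filler bytes, padded to the reported size."""
    padding, data = 0, b""
    for _ in range(3):  # archive overhead is constant, so one correction pass suffices
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr("message.exe", b"\x00" * padding)
        data = buf.getvalue()
        if len(data) == target_size:
            break
        padding += target_size - len(data)
    return data


def build_sample_message() -> bytes:
    """Constructed message mimicking the lure: fake error text plus zip attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"  # the worm forges random senders
    msg["To"] = "user@example.com"
    msg["Subject"] = "Error"
    msg.set_content("The message cannot be represented in 7-bit ASCII encoding\n"
                    "and has been sent as a binary attachment.\n")
    msg.add_attachment(build_sample_zip(), maintype="application",
                       subtype="zip", filename="message.zip")
    return msg.as_bytes()


# Constructed "netstat -an" style output in the Windows column layout.
SAMPLE_NETSTAT = [
    "  Proto  Local Address          Foreign Address        State",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING",
    "  TCP    192.0.2.10:1043        192.0.2.20:80          ESTABLISHED",
]

if __name__ == "__main__":
    print("mail indicators:", triage_message(build_sample_message()))
    print("backdoor listeners:", listeners_on_backdoor_port(SAMPLE_NETSTAT))
```

The size match is deliberately kept as a separate indicator from the zip-wraps-executable check: the article says the attachment "often" has that size, so a gateway rule should treat size alone as weak evidence and the executable-inside-zip finding as the strong one. The netstat parser takes the captured output as lines, so it can be run against a saved `netstat -an` dump from a machine that is no longer on the network.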
Virus experts suggest its author is a fan of the Linux open source community because the bug, which targets computers running Microsoft Windows, set off an attack aimed at bringing down SCO's site.
Utah-based SCO, which claims ownership over the UNIX operating system, alleges some versions of the Linux operating system use its proprietary code.
"The MyDoom worm takes the Linux Wars to a new intensity," said Chris Belthoff, an analyst for anti-virus firm Sophos.
"It appears the author of MyDoom may have taken the war of words from the courtrooms and Internet message boards to a new level by unleashing this worm which attacks SCO's Web site."
Web-monitoring firm Keynote said MyDoom slowed Internet performance significantly Monday afternoon. By Wednesday, however, many companies, made wiser by the Sobig worm, had activated new security plans to protect their computers, security analysts said.
The worm is contained in e-mails with random senders' addresses and subject lines.
When loaded, some versions of the worm launch Notepad and show random characters. At the same time it replicates itself, opens a backdoor that could allow hackers to break in and, in some instances, installs a "keystroke" program that records everything being typed, including passwords and credit card numbers.
The worm is also spreading via popular Internet file sharing networks such as Kazaa, where it appeared under names such as "Winamp5" and "ICQ2004-final."
Nullsoft's Winamp offers an MP3 music-playing tool and ICQ is a popular Web chat program.
The best way to stop the spread of the worm, experts said, was to ignore or delete it and to update anti-virus software.
After a relative lull in the number of viruses distributed during the holidays, anti-virus experts said last week's "Bagle" worm and now MyDoom were keeping Internet security gurus on their toes.
"The virus writers [are] ... back from vacation and they've started pushing out their creations," said Vincent Gullotto, who runs Network Associates' McAfee Anti-Virus Emergency Response Team.
CNN.com's Jeordan Legon contributed to this report.