Hackers unleashed an agile worm Monday -- using a sneaky, fairly new tactic to get unsuspecting computer users to spread their malicious code.
Dubbed "W32/MyDoom" or "Novarg," the worm circulated so fast that anti-virus firms quickly raised threat warnings to "high," saying the bug was one of the worst in recent months.
This is a mass-mailing and peer-to-peer file-sharing worm that bears the following characteristics:
It arrives in an email message as follows:
From: (spoofed email sender)
Subject: (Varies, such as) Error, Status, Server Report, Mail Transaction Failed, Mail Delivery System, hello, or hi.
Body: (Varies, such as)
Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (22,528 bytes)
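A mail gateway can act on the attachment characteristics listed above. The following is an added example, not part of the original alert: a Python standard-library check that flags attachments whose names end in one of the listed extensions, including files packed inside a ZIP archive. The function names and the sample messages are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

RISKY_EXT = (".bat", ".exe", ".pif", ".cmd", ".scr")  # extensions from the alert


def risky_names(filename, payload):
    """Return attachment names (including ZIP members) with a listed extension."""
    hits = []
    name = (filename or "").lower()
    if name.endswith(RISKY_EXT):          # also catches "readme.txt.scr"
        hits.append(filename)
    elif name.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                hits += [f"{filename}!{m}" for m in zf.namelist()
                         if m.lower().endswith(RISKY_EXT)]
        except zipfile.BadZipFile:        # cannot inspect it, so flag it
            hits.append(f"{filename}!<unreadable archive>")
    return hits


def scan_message(raw_bytes):
    """Parse one RFC 5322 message and list every attachment worth quarantining."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        hits += risky_names(part.get_filename(), part.get_payload(decode=True) or b"")
    return hits


def build_sample(attachment_name, data):
    """Constructed test message; the subject is from the alert, the rest is made up."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["Subject"] = "Mail Transaction Failed"
    m.set_content("see attachment")
    m.add_attachment(data, maintype="application", subtype="octet-stream",
                     filename=attachment_name)
    return m.as_bytes()


def zip_with(member):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"constructed placeholder bytes")  # harmless content
    return buf.getvalue()
```

The check works on file names only, so it is a coarse filter to run alongside signature-based scanning rather than in place of it.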
While many computer users are savvy about not opening executable files or other attachments that may contain viruses, the latest worm masks itself as an innocuous text document or a file that your computer appears unable to read.
"This one is almost begging you to click on the attachment," said Sharon Ruckman, the head of anti-virus firm Symantec's security response team.
When loaded, some versions of the worm launch Notepad and show random characters. At the same time it replicates itself and installs a "keystroke" program that allows a hacker to break in and record everything being typed, including passwords and credit card numbers.
The worm sends out a slew of messages that forced some companies to shut down their e-mail gateways to stop the infection, said Vincent Gullotto, who runs Network Associates' McAfee Anti-Virus Emergency Response Team.
MyDoom also appeared to launch a Denial of Service attack on the site for SCO Group, a California company which recently sued IBM, challenging that firm's intellectual property in parts of Linux. SCO.com was inaccessible for some time Monday afternoon.
Anti-virus experts said MyDoom was on track to hit even more machines than Nimda, a 2001 worm that spread widely with an attachment that read "Readme.exe."
This time, besides the "binary attachment" message, MyDoom comes with a variety of file extensions including .pif, .zip and .csr. It also uses an attachment icon similar to one used for Windows text messages. All of this, security experts warned, was succeeding in tricking people into thinking the e-mail was legitimate.