Worm Targeting SCO Hits The Net Running

Meet MyDoom, also known as Novarg, the latest mass-mailing Internet worm, which hit cyberspace rapidly Jan. 26 and is said to compromise computers so that they attack the SCO Group's Web server with a flood of data and messages come Feb. 1.

The worm hit so fast, in fact, that major anti-virus companies such as Network Associates, Symantec, and Trend Micro rated it a high outbreak before it was 24 hours old.

Carrying an attachment with an .exe, .scr, .zip, or .pif extension, with subject lines of "test" or "status," it mails itself to addresses found on the infected computer (assuming the victim opened the attachment) and has already clogged mail servers and degraded network performance at various businesses, security experts told Reuters late Jan. 26.

"Mailboxes at large corporations are infected and reporting multiple infections throughout their entire organizations," said Trend Micro global education director David Perry to the news wire.

"It's huge," said Network Associates vice president of security Vincent Gullotto to CNET. "We have it as a high-risk outbreak."

Network Associates said it got over 19,000 e-mails bearing MyDoom from 3,400 unique Internet addresses, causing at least one unnamed telecommunications company to shut down its e-mail gateway to stop the worm, CNET said.

SCO Group has been in a running war with the Linux community over the company's claims that "important pieces of the open-source operating system" are in fact covered by Unix, the SCO technology. IBM, Novell, and other Linux supporters and backers have rejected those claims. SCO's Web site has been taken down by denial-of-service attacks in the past year and, though none of those proved to have been provoked by viruses or worms, SCO has often enough blamed Linux sympathizers for those attacks.

MyDoom apparently began spreading at about 12 noon PST January 26, CNET said, affecting computers running Windows 95, 98, ME, NT, 2000, and XP. "A lot of the information is encrypted, so we have to decrypt it," said Symantec senior director Sharon Ruckman to the tech news site. Symantec reported 40 appearances of MyDoom within its first known hour, which Ruckman called a high submission rate.

MyDoom also opens a backdoor to the infected system that lets an attacker upload more programs onto the computer and route the connection to hide the attack's source. It also reportedly copies itself, using up to seven different filenames, to the KaZaA download directory on any PC whose user runs the popular peer-to-peer file-swapping program.

E-mail service provider vice president of engineering Scott Petry told CNET his company expects to trap as many as eight million copies of MyDoom in a single day while the worm's spread is at peak, compared to only 1,400 copies of Sobig.F in its first day and 3.5 million during that bug's peak 24-hour period.