Virus update: Mydoom is everybody's gloom

First major outbreak of the year is the 'fastest spreading ever'...

By Will Sturgeon, 27 January 2004 17:55

MyDoom - or Shimg - has become the first major infection of 2004, and although the year is still young, it will take some beating if it is not to remain the worst come year-end.

Within 24 hours of it first appearing, MessageLabs had intercepted 1.2 million copies of MyDoom, leading the antivirus vendor to pronounce it the fastest-spreading virus of all time.

While vendors have been quick to point out that the email itself is nothing special, its rate of spread and self-propagation have surprised many.

The virus first appeared in Russia and spread overnight - following the sun as business worldwide woke up to infected inboxes.

Simon Perry, divisional vice president of security strategy at Computer Associates, expressed an element of surprise that something almost retro in its design can cause such havoc.

"It's nothing unusual as far as technique - it propagates via address list. But it is doing so very effectively," he said. "It seems that we can still have your bog-standard email blaster giving us grief, even in this day of the vulnerability exploit."

However, Perry made it clear that the writer hasn't left everything to chance. The worm does have some tools in its arsenal to evade detection and aid propagation.

"The main reason it is spreading so effectively is that it is highly adaptive in the email form it takes. It spoofs origin address, alters email title, email content and attachment at random," he said.

To date the most headline-grabbing element of the worm's existence has been its apparent anti-SCO mission, leading some to suggest it is the latest offensive in the newly coined 'Linux Wars' as techies air their frustrations at SCO's open-source licensing claims.

Graham Cluley, senior technology consultant for Sophos, said: "The MyDoom worm takes the Linux Wars to a new intensity. It appears that the author of MyDoom may have taken the war of words from the courtrooms and internet message boards to a new level by unleashing this worm which attacks SCO's website."

"If we ever get our hands on MyDoom's creator my guess is that he will be an open-source sympathiser. Of course, it's the last kind of assistance the open-source community would want at this time," added Cluley in a statement.

Comments

There are 26 comments.

  1. Chad Kitching

    I'm no 'expert', but perhaps this has nothing to do with 'Linux Wars' and more to do with the fact that most virus writers are looking for bragging rights and attention, and right now, SCO is in the news, is known to have insufficient resources to fend off a DDoS, and will get the author even MORE press when the act actually happens. I don't know of anyone in the 'open source community' that would support any actions like the ones this virus takes.

  2. Gigi Marga

    Bragging rights and attention are indeed the staple foods of most virus programmers, but the article forgets to mention that the virus is actually a money-making tool: backdoor, private info collector, open proxy, the works.

  3. Angus Doyle

    The problem is not only the virus; all the antivirus systems' auto-responders are causing more headaches than the actual virus. So take my advice, IT people of the world: disable your notifications and let the rest of us do our job of wiping this little Chimera out.

  4. Tim Jarrett

    It amazes me that so many companies and individuals are apparently not using virus checking software / firewalls, and still succumb to virus attacks. After all the alerts, warnings and press coverage people are still opening infected messages and spreading the viruses around. What will it take to make people learn? We are our own worst enemy!

  5. Jon Scriven

    We block most dangerous attachment types and have various layers of anti-virus software but still got hit. We don't block ZIP files because they are used so widely to distribute files and so the zip files didn't get blocked, the daily virus software update didn't include the pattern for this (we downloaded an emergency pattern but had already been hit by then) and the file icon and Email looked like an innocuous text file with information about a returned Email. Getting the balance between security and usability is difficult and every so often something slips through the net.

  6. Lee Finlay

    I think it's a shame that after the SoBigs, Nimdas and so on, people still open untrusted emails and attachments. Get a clue, people! The world does not want to be your friend. Stop opening dodgy emails.
    Anti-virus, firewalls, etc. are part of the solution, but I think teaching people the importance of "using your eyes first" instead of blindly clicking on emails and attachments.

  7. Howard Winfield

    You can have all the sophisticated software in the world, but if people are willing to accept and then open e-mail with gibberish or no text at all in the body of the message then you will never stop these events. I use anti-spam software to intercept all incoming e-mail and check it before it gets on to my system. Anything with an attachment is deleted if I cannot be certain of its origin.
    I have also stopped bouncing this type of mail, as the endless auto-responder replies it generates are worse than the problem itself.
    Needless to say, I also have fully up-to-date AV software running on the system to intercept anything that does get through.

  8. Edith Reyntiens

    How can we recognise this virus?

  9. anonymous

    It is not that people do not have antivirus software, it is that antivirus software often only updates itself once a week. This causes people to be unprotected for enough time to allow the virus to take hold. Antivirus software is giving a false sense of security to email users.

  10. Angus Doyle

    We have clocked up more than 10,000 hits from this virus since Monday evening, and I am proud to say that the only collateral damage was that things got a little slower. Not a single desktop was compromised.

    Setup

    PIX Firewall -> Servgate running NAI Anti-Virus -> Win200 Server -> POP3 Smart Relay -> Sophos Anti-Virus -> Backup Norton in case Sophos missed it. All anti-virus scheduled updates every hour.

    It pays to be protected.

  11. Ian Crighton

    I have received over 80 copies of the virus so far. It seems to be guessing the names of recipients and ending up in our catch-all email address. All emails received so far are to non-existent email addresses.

  12. Peter Simons

    Has anyone heard of any reports that the volume of virus emails has disrupted email traffic, sending or receiving? Some recipients of our email newswire broadcast report not having received it.

  13. anonymous

    Just to ditto a previous reply: we spend large amounts each year on our anti-virus licences from a very well-known antivirus vendor, only to get weekly updates. Maybe if a certain antivirus vendor could speed up their act a little, these viruses would not get a foothold in the first place!!

  14. Richard Ash

    > Edith Reyntiens
    > How can we recognise this virus?

    It's a message with a generic zip file (body.zip, text.zip, etc., etc.) attached to it. Often the body, and sometimes the subject, is blank. The other common text says that the message cannot be displayed in 7-bit ASCII and is included as a binary attachment. The subject is very generic (test, hello, etc.).

    A large number of the emails are full of extended character set characters, with no readable text at all.

    In any case, the payload is the zip file which contains the virus.
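The indicators in the reply above (a generic zip name, a blank subject or body, the "cannot be displayed in 7-bit ASCII" pretext, a body of extended-character noise) can be turned into a mail-gateway triage check. The following is an added example written for this page, not code from the article or from any commenter: it parses constructed sample messages with Python's standard `email` library and scores each one against those indicators. The attachment names and subjects beyond the ones the comment lists, and the two-indicator threshold, are assumptions.

```python
"""Score mail against the MyDoom lure indicators described in the comment above.

Added example; not code from the article or any commenter.  Indicator lists
beyond the names the comment gives, and the two-indicator threshold, are assumptions.
"""
import base64
import re
from email import message_from_string
from email.message import Message
from typing import List, Optional, Tuple

# From the comment: body.zip, text.zip "etc."; the remaining names are assumed
GENERIC_ZIP_NAMES = {"body.zip", "text.zip", "message.zip", "doc.zip", "data.zip"}
# From the comment: blank, test, hello; the rest are assumed
GENERIC_SUBJECTS = {"", "test", "hello", "hi", "error", "status"}
# The "cannot be displayed in 7-bit ascii ... binary attachment" pretext
PRETEXT_RE = re.compile(r"cannot be displayed.*7.?bit ascii", re.I | re.S)
# Anything outside printable ASCII plus tab, CR and LF
NON_ASCII_RE = re.compile(r"[^\x09\x0a\x0d\x20-\x7e]")


def _text_body(msg: Message) -> str:
    """Concatenate the text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            raw = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "latin-1"
            chunks.append(raw.decode(charset, errors="replace"))
    return "\n".join(chunks)


def _attachment_names(msg: Message) -> List[str]:
    return [p.get_filename().lower() for p in msg.walk() if p.get_filename()]


def score_message(raw: str) -> Tuple[int, List[str]]:
    """Return (score, reasons); each matched indicator adds one point."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    body = _text_body(msg)
    zips = [n for n in _attachment_names(msg) if n.endswith(".zip")]
    reasons = []
    if any(n in GENERIC_ZIP_NAMES for n in zips):
        reasons.append("generic zip attachment name")
    if subject in GENERIC_SUBJECTS:
        reasons.append("blank or generic subject")
    if zips and not body.strip():
        reasons.append("zip attached with empty body")
    if PRETEXT_RE.search(body):
        reasons.append("'7-bit ascii' pretext in body")
    text = body.strip()
    if text and len(NON_ASCII_RE.findall(text)) > len(text) / 2:
        reasons.append("body is mostly non-ASCII characters")
    return len(reasons), reasons


def is_suspicious(raw: str) -> bool:
    """Two or more indicators: hold the mail for review (threshold is assumed)."""
    return score_message(raw)[0] >= 2


def build_sample(subject: str, body: str, attachment: Optional[str]) -> str:
    """Construct a MIME message for the demo; not a captured worm mail."""
    boundary = "==sample=="
    body_b64 = base64.b64encode(body.encode("utf-8")).decode("ascii")
    lines = [
        "From: someone@example.com", "To: user@example.org", f"Subject: {subject}",
        "MIME-Version: 1.0", f'Content-Type: multipart/mixed; boundary="{boundary}"', "",
        f"--{boundary}", 'Content-Type: text/plain; charset="utf-8"',
        "Content-Transfer-Encoding: base64", "", body_b64,
    ]
    if attachment:
        lines += [
            f"--{boundary}", "Content-Type: application/zip",
            f'Content-Disposition: attachment; filename="{attachment}"',
            "Content-Transfer-Encoding: base64", "", "UEsDBA==",  # base64 of b"PK\x03\x04"
        ]
    lines.append(f"--{boundary}--")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for subj, text, name in [
        ("test", "", "body.zip"),
        ("", "\u00ff\u00e0\u00e9\u00f1" * 5, "text.zip"),
        ("Q1 figures", "Hi Sam, the quarterly numbers are in the attached archive.", "q1-figures.zip"),
    ]:
        print(name, score_message(build_sample(subj, text, name)))
```

A single indicator (a zip called `data.zip` with a real subject and body, say) is not enough on its own, which is why the check accumulates reasons rather than acting on the first match; the reasons list is what an operator wants in the quarantine log.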

  15. Gordon Leed

    I use a free anti-virus which warned me immediately I had this thing ... it comes in more than the seven names mentioned in these pages .. other ones also exist, as I have found to my cost. I have had this thing attack me from almost every country in the world and it has also come as a virus warning from an unheard-of server.
    However, I check all my mail on the remote server before downloading it. So I am now completely safe .. (I hope!!) Yahoo and Norton missed it in the first place .. I had to go through a large number of files to remove this thing and its programming from my system. Currently I am sending and receiving mails only by remote server and also, incidentally, I have not yet had a single attack on my Yandex Russian mail server. Only on Yahoo .. my web site is hosted by a Russian company .. no attacks there either. SO Microsoft, I think, must share some responsibility for being so easily contaminated, in my opinion.

  16. Tristan Wogan

    Why do people rely on anti-virus software? Treat this software as a safety net, not as a catch-all. Staff awareness is by far the most powerful tool you have. I keep all users up to date with the latest information and keep enforcing the message that emails are a danger. In the two years since I introduced this policy we have not had any problems with virus infections. Anybody who opens a suspect email, whether or not it is infected, has me coming down on them like a ton of bricks. (Company directors included)

  17. anonymous

    I still think that maybe the ISPs can do something about this; I for one would be happy to pay a monthly fee to have virus-free e-mail. It could also stop these things from spreading so fast in the first place!!!

    Still have Virus protection on the network though!

  18. Simon Brown

    Further to Chad Kitching's comment, I'm writing not because I am having issues with infections of the virus, but because the virus is being spread using my domain name, amongst others, which gives a bad impression of my company, when the virus never even came near my company but instead has been spoofed by yet another computer on the Internet that is not patched / configured correctly.

    There is a computer with IP address 212.159.23.209 (part of the range allocated to PlusNet ISP) pretending to be many different domains, sending virus-infected emails using domain names that it has no right in using. I only know about it when they are bounced and come back to me!!! However, on looking at the header I can see that they have originated from the above IP, which in fact is the same IP as "all" of the other virus-infected email that comes my way before being detected and removed.

    I have emailed and phoned the ISP in question, but they are taking their time in resolving the issue.

  19. Simon Brown

    YES ISPs could DO MORE

    I'm writing not because I am having issues with infections of the virus, but because the virus is being spread using my domain name, amongst others, which gives a bad impression of my company, when the virus never even came near my company but instead has been spoofed by yet another computer on the Internet that is not patched / configured correctly.

    There is a computer with IP address 212.159.23.209 pretending to be many different domains, sending virus-infected emails using domain names that it has no right in using. I only know about it when they are bounced and come back to me!!!

    However, on looking at the header I can see that they have originated from the above IP, which in fact is the same IP as "all" of the other virus-infected email that comes my way before being detected and removed.
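The header check Simon Brown describes in comments 18 and 19, reading past the spoofed From: to the Received: line that records where the mail really came from, is worth doing mechanically when many bounces arrive. The following is an added example written for this page, not code from the article or from any commenter. It walks the Received: chain of a constructed sample message from our own MX downward, trusting only the lines stamped by hosts we run, and reports the first external address that handed the mail over. The host names `mx.example.org` and `mail.example.org`, the `10.0.0.0/8` internal range, and the sample message are all assumptions for the demo.

```python
"""Trace a bounced, spoofed-From message to the relay that handed it to us.

Added example; not code from the article or any commenter.  The trusted host
names, the internal address range and the sample message are all constructed.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Assumed for the demo: mail hosts we operate, and the address space behind them
TRUSTED_HOSTS = {"mx.example.org", "mail.example.org"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Matches the common "from <helo> (<rdns> [<ip>]) by <host>" shape of a Received: line
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\([^\]]*\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>[\w.-]+)",
    re.I | re.S,
)


def _is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def injecting_relay(raw: str) -> Optional[str]:
    """Return the IP that handed the message to our infrastructure, or None.

    Received: lines are prepended by each hop, so the top one is our own last
    hop.  Walk downward only while the 'by' host is one we run: those lines we
    stamped ourselves and can trust.  The first 'from' address outside our
    network is the relay that injected the mail.  Everything below that line
    was written by the sender and may be forged, just like the From: header.
    """
    msg = message_from_string(raw)
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hdr)
        if not m or m.group("by").lower() not in TRUSTED_HOSTS:
            return None  # the chain left our control before any external hop
        if not _is_internal(m.group("ip")):
            return m.group("ip")
    return None


def claimed_sender_domain(raw: str) -> str:
    """Domain in From:, which in a spoofed mail is the victim's, not the sender's."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()


# Constructed sample of a spoofed-From mail as it reached our MX.
# The bottom Received: line is the sending machine's own (untrusted) claim.
SAMPLE = """\
Received: from mail.example.org (mail.example.org [10.0.0.5])
\tby mx.example.org with ESMTP id ABC123; Tue, 27 Jan 2004 09:12:01 +0000
Received: from simonsdomain.example (unknown [203.0.113.77])
\tby mail.example.org with SMTP; Tue, 27 Jan 2004 09:11:58 +0000
Received: from localhost (localhost [127.0.0.1])
\tby simonsdomain.example with SMTP; Tue, 27 Jan 2004 09:11:50 +0000
From: "Simon" <simon@simonsdomain.example>
To: someone@example.org
Subject: test
Content-Type: text/plain

test
"""

if __name__ == "__main__":
    print("claimed sender domain:", claimed_sender_domain(SAMPLE))
    print("injected by relay:", injecting_relay(SAMPLE))
```

The address this returns is the one to report to the relay's ISP, as the commenter did; the From: domain and the lowest Received: line are both under the sender's control and prove nothing about origin.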

  20. Stephen J. Bolin

    I like being on my Mac.
    Secure UNIX base with little or no viruses.

    Sorry to brag.

  21. Phil Wilson

    Let's stop blaming Microsoft, the antivirus companies, and the virus authors, and start looking at our own security practices. If a restaurant gives its clientele food poisoning, we don't blame the nasty bugs. We give the restaurant the chance to clean up their act, and shut them down if they cannot or will not. Surely it's now time that we forced organisations to accept responsibility for the health of their Internet-connected networks, or suffer the consequences!

  22. David Hoyle

    You can't blame folk for opening email they aren't expecting.

    How many times have you had someone on the phone to say they are sending you an attachment? It would be very inefficient if we all had to announce to folk that we're sending them an email before we do.

    And besides, it's human nature to be curious. Have you ever touched a wall which had a sign saying "wet paint" just to see if it was dry?

    Thought you might (",)

  23. Ken Burwood

    I think some blame has to go on users (at least some of them). I live with two roommates; I have my own computer and another roommate has one, which the third is allowed to use. I'm in charge of security for both my computer and my friend's, however.

    The third roommate not only doesn't care about security, but purposefully ignores it, thinking it doesn't matter, even when I explain the reasons for it. He does see the need for AV software, but thinks that's where the need ends. This roommate has made remarks to the effect that I must be one of only a handful of people in the whole city who use firewalls on their computers and that I'm being ridiculous for insisting on it (and he's serious--he really thinks that's true). He asked what I'm trying to hide from hackers. I told him hacking isn't the only threat and explained the reasons, even pointing out the well-known instances from last summer where firewalls would have helped. His response is always "You're the 'professional'", with obvious tones of disbelief in his voice. Yes, I am the professional, but he still won't listen to reason--he'd even asked me to take the firewall off my friend's computer, because he thought it might be faster without it... I, of course, refused with my friend's complete support (my friend at least understands the need, though she relies on me for the tech know-how).

    I don’t believe you can blame the AV companies. They do their best to keep their software and definitions up to date. But, just as they’re always researching, so are the virus makers. The weak link will always be the uneducated, or, as the case above, the unwilling end-users. Luckily, I believe at least the majority of people are educatable, it’s just a matter of teaching them. Years ago I didn’t have AV software for a good stretch of time because I couldn’t afford it. However, I never got a virus once, though I know I’d had them sent to me. I simply knew what to look for, never opened any attachments that were suspicious and made sure security settings were in place (like no auto-opening of e-mails to protect from script viruses). That’s what educating a user can do.

  24. John Tucker

    Clueless!!

    GPL activists tend to be expert Windows programmers, do they? Not only that, but they are interested in creating huge MS zombie.nets that will come in handy for spammers and extortionists (the virus opens a number of ports on infected Windows machines, which enable a remote user to control the PC)? And they operate out of Russia?

    Hmmmm.

    On the other hand, it could be the work of someone who either just doesn't care about the criminal activity they are enabling, or sees it as a positive bonus (because the more kiddies get involved, the more work the Feds get, and the less time they have to focus on the mafia that commissions the zombiewares for the purposes of extortion and blackmail).

    Sophos seems either deeply prejudiced against open source (possibly for the sound business reason that GNU/Linux is demonstrably more virus-resistant than MS Windows, and so in less need of Sophos' remedies) or just, well, clueless.

  25. anonymous

    As for the virus being around, I have found that several of my friends at UC Davis have been held accountable for the spreading of this virus and have had their internet connection shut down. They have received a formal letter of warning as to the documentation of this virus within their e-mail. Seeing as this virus has the ability to change at random, should these students be held accountable? Feedback would be greatly welcomed.

  26. anonymous

    Don Angus Doyle is god, he thinks, it seems to us. I would recommend that you trust in your anti-virus programs; never trust the IT dept, they just want power above the normal people, they want to spy on us for no reason, power not justified for the poor people they are. With no principled morals, they just want it all for themselves. In Spain we know dictators very well, and the IT depts are new dictators.
