New Mydoom variant carries dangerous payload (DDoS targets MS, RIAA, also DESTROYS DATA!!!)
SearchSecurity.com | 25 Feb 2004 | Edward Hurley, News Writer
Posted on 02/25/2004 9:58:22 AM PST by cc2k
Yet another Mydoom worm has hit but instead of targeting Linux-foe The SCO Group, the new variant targets Web sites of eternal whipping boy Microsoft and song-swapper foe Recording Industry Association of America.
Functionally, Mydoom-F is very similar to Mydoom-A. So much so that experts think the creator of the variant used the source code of Mydoom-A to create it. Mydoom-B dropped the source code of Mydoom-A when it was spreading so the code is generally available.
Mydoom-F does something different than its predecessors. The worm randomly deletes files such as documents, Excel spreadsheets and pictures. This is the first time in recent memory that a worm has been so outright destructive.
"It's not nearly as widespread as Mydoom-A but it's of more concern to end users as it's so destructive," said Mikko Hypponen, manager of antivirus research for Finland-based F-Secure Corp.
Hypponen recommends users turn their machines off if they suspect they are infected as the worm runs a loop deleting files each time. "If you leave it on overnight, then it will destroy all your files," he said.
The worm looks for files to delete when it's searching the drives on infected machines for e-mail addresses to harvest. It then sends itself to the culled addresses using its SMTP engine. Mydoom-F doesn't send messages to certain e-mail domains such as those for government, military and antivirus companies.
Like earlier Mydoom worms, Mydoom-F uses a series of subject lines and body text. The subject line of messages carrying the worm can be everything from blank to "Read it immediately" to "undeliverable message." The message can say things such as "Greetings" or "Read the details."
When opened, the worm copies itself to the Windows System directory with a random file name. It also tries to shut down file processes of common antivirus products.
The worm opens TCP port 1080 on infected machines, which can allow the worm's creator to communicate with them. It also opens a range of ports from 3000 to 5000.
Mydoom-F also does a distributed denial of service attack on www.microsoft.com and www.riaa.com if the system clock is between the 17th and 22nd of the month. However, Mydoom-F doesn't seem to have spread enough to perform a major enough attack to affect Microsoft or the RIAA, Hypponen said.
In other malicious code news, some companies are seeing Netsky-B, which first surfaced last week, pick up some speed. "I think it shows that some people are not keeping their antivirus software up to date," said Graham Cluley, senior technology consultant with U.K.-based Sophos PLC.
Cluley downplays reports of a new ICQ IM worm, Bizex. The worm uses ICQ to entice users to a Web site that exploits a vulnerability in Internet Explorer to drop a Trojan on targeted machines. "The Web site has been taken down, so we don't expect to see any more machines infected by it," he said.
1 posted on 02/25/2004 9:58:23 AM PST by cc2k
To: cc2k
Our IT department caught this yesterday. A fix is already in place. I was getting e-mail with titles like "You have one day left" and "Please open immediately."
The attachments were zip files with about 34K. I immediately deleted them without opening them up.
2 posted on 02/25/2004 10:03:22 AM PST by SamAdams76
(I do not like the new "Starbucks-style" coffee lids at Dunkin' Donuts)
To: cc2k
Every time I read one of these articles I end up feeling really stupid. What does this mean to us "techno-ninnies" who just know how to run the computer, not what makes it run?
To: EggsAckley
It means don't open any email from people you don't know, don't open any attachment that you did not ask to receive, and above it all please keep your virus dat files up to date. :)
4 posted on 02/25/2004 10:06:28 AM PST by boxerblues
(If you can read this.. Thank a Teacher..If you can read this in English ..Thank a US Soldier)
To: EggsAckley
And when someone says "You sent me a virus", that doesn't mean it is true.
5 posted on 02/25/2004 10:09:58 AM PST by AppyPappy
(If You're Not A Part Of The Solution, There's Good Money To Be Made In Prolonging The Problem.)
To: boxerblues
Exactly. Most of these problems could be avoided if people would stop for a minute and examine the e-mail first before they open up any attachments.
IF YOU ARE UNSURE, DELETE IT!
6 posted on 02/25/2004 10:14:56 AM PST by reagan_fanatic
(It's not over till the intern sings)
To: cc2k
It goes after RIAA??
It's kinda hard to be against such a good Public Service!
How about the IRS?
7 posted on 02/25/2004 10:18:59 AM PST by steplock
To: boxerblues
I use Earthlink's spamblocker and have been receiving a lot of "undeliverable" stuff. No, I DON'T open anything I don't know about, and I don't open attachments. And yes, I do have a number of virus detection systems and a firewall. So I guess there's not much more I can do.
Thanks.
To: cc2k
Mydoom-B dropped the source code of Mydoom-A when it was spreading so the code is generally available. This is bad news. It means that every script kiddie out there now has the tools to make something really nasty... like this thing.
9 posted on 02/25/2004 10:26:40 AM PST by Nick Danger
(carpe ductum)
To: EggsAckley
The "undeliverable" mail you have been receiving is from someone else's machine that is infected, just delete it. We have been getting email here at work from our old domain name that has not been in use in 8 years, which is scary as most of the names are of people who still work here, but we don't see the domain name until after it's been opened.
10 posted on 02/25/2004 10:30:22 AM PST by boxerblues
(If you can read this.. Thank a Teacher..If you can read this in English ..Thank a US Soldier)
To: cc2k
I have always imagined a virus that, instead of deleting spreadsheets, just changed a few of the figures every once in a while. That would definitely drive the users nuts!
To: boxerblues
I feel so left out, I never get these kinds of messages, I guess I'm just not popular enough. :(
13 posted on 02/25/2004 10:35:49 AM PST by dfwgator
To: dfwgator
Patience my good man lol they really are a pain even for those users who don't get the actual virus emails as they prevent wanted email from getting through and slow down every server out there and make for some very cranky IT workers.
14 posted on 02/25/2004 10:39:55 AM PST by boxerblues
(If you can read this.. Thank a Teacher..If you can read this in English ..Thank a US Soldier)
To: EggsAckley
I see some other good answers, but I'll post a little more info. Here's what you really need to do for your home Windows PC as far as viruses and worms go:
- Keep your antivirus signatures up to date (check daily for updates or subscribe to the vendor's update email list if they have one). If you use an automated update, check to be sure that it actually updates. There's usually a way to find out which signature file your AV software is using (often shown in the window displayed when you select the "About {this program}" choice on the "Help" menu). Compare the version or date of your signature with the date of the most current update available on the vendor's web site. Some "Auto Update" features only actually download updates weekly, even if you run them daily.
- Don't open emails from people you don't know. That can make it tough if you are "networking" on the internet with newsgroups or web boards or whatever. For those occasions, set up a separate email account on Hotmail or Yahoo Mail and let Hotmail or Yahoo worry about screening out the spam and viruses.
- Never open an attachment that you weren't expecting. Not even if it looks like it comes from someone you know and trust. If they didn't tell you they were sending it, or if you didn't ask for it, assume that there's something malicious about it. If you have any doubts, you can contact the person and ask them if they sent it to you and why.
- Make sure your email program is up to date. If you use Outlook or Outlook Express on a Windows computer, be sure to get the latest critical updates from http://windowsupdate.microsoft.com. For other email clients, check for security related updates and fixes with the product's support website.
- As AppyPappy said, if someone says you sent them a virus, it might not be you that sent it. Also, if you do get a virus, don't assume you know where it came from. If you want to trace it back, seek help from your ISP's technical support, and/or their abuse department, or from someone who is in the business of computer and email security.
The reason for this is that it's somewhat difficult to tell exactly where the email came from. The "From:" address is most likely forged. Let's say that there are three people, Joe, Mary and Tom. Joe and Tom both send emails to Mary, and to each other. All of them have each other in their address books. If Mary gets one of these email worms, it's possible that Mary's computer will send an email to Tom with a from address that says "From: Joe" and a copy of the worm in an attachment. Tom might think that Joe sent him the worm, but it's really Mary that has the worm and is spreading it. It's really hard to tell who sent it to you, and to find out, you have to look into the "full SMTP headers" and do some major tracing of the information in those headers.
Someone (I wish I could remember who) posted a good list of everything (nearly) you really should do if you use Windows on a computer that is attached to the Internet. It included links to good firewall software, good anti-spyware and other good security software and information. I'll try to find that post and put a link on this thread for you.
15 posted on 02/25/2004 10:40:29 AM PST by cc2k
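The Joe/Mary/Tom scenario in the post above, worked through in code, as an added example that is not part of the original thread: the script parses the "full SMTP headers" the poster mentions, compares the claimed From: address with what the receiving relays actually recorded, and shows why only the Received: stamps added by relays you operate can be trusted (a worm can prepend fake ones). Every host name, IP address and mailbox below is constructed for illustration, and the trusted-relay list is an assumption about "Tom's" mail servers.

```python
"""Why the From: header of a worm-borne message cannot be trusted, and how to
read the Received: chain instead.  Added example, not code from the post; every
host name, address and IP below is constructed for illustration."""
import re
import email
from email.utils import parseaddr

# Constructed message: the worm on "Mary's" infected PC mails Tom with a forged
# "From: Joe".  It has also prepended a fake Received: line (the bottom one) that
# pretends the message passed through Joe's PC.  The two top Received: lines were
# stamped by Tom's own mail servers and are the only ones Tom can rely on.
RAW_MESSAGE = b"""Received: from mx.tom-example.test (mx.tom-example.test [192.0.2.10])
\tby mail.tom-example.test with ESMTP id ABC123;
\tWed, 25 Feb 2004 10:40:00 -0800
Received: from joe-pc.example.test (dsl-203-0-113-7.isp.test [203.0.113.7])
\tby mx.tom-example.test with SMTP id XYZ789;
\tWed, 25 Feb 2004 10:39:58 -0800
Received: from joe-mail.example.test (joe-mail.example.test [198.51.100.5])
\tby joe-pc.example.test with SMTP id FAKE001;
\tWed, 25 Feb 2004 10:39:50 -0800
From: Joe <joe@example.test>
To: Tom <tom@tom-example.test>
Subject: Read it immediately

Read the details.
"""

# Assumed: the relays Tom's organisation operates.  Only their stamps are trusted.
TRUSTED_RELAYS = {"mail.tom-example.test", "mx.tom-example.test"}

# Matches the common "from HELO (rDNS [ip]) by RELAY" shape of a Received: line.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)",
    re.S,
)


def parse_hops(raw):
    """Return the Received: hops, newest first, as dicts; unparseable ones are skipped."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append(m.groupdict())
    return hops


def trusted_origin(hops, trusted_relays):
    """Walk from the newest hop downward and stop at the first stamp not added by a
    relay we trust.  The last trusted hop's connecting IP is the best evidence of
    where the message really entered our mail system; anything below it could have
    been written by the sender."""
    last = None
    for hop in hops:
        if hop["by"] not in trusted_relays:
            break
        last = hop
    return last


def analyze(raw, trusted_relays):
    """Compare what the message claims (From:) with what the trusted relays recorded."""
    msg = email.message_from_bytes(raw)
    hops = parse_hops(raw)
    origin = trusted_origin(hops, trusted_relays)
    return {
        "claimed_sender": parseaddr(msg["From"])[1],
        # Taking the bottom-most Received: line at face value is the naive approach.
        "naive_origin_ip": hops[-1]["ip"] if hops else None,
        "trusted_origin_ip": origin["ip"] if origin else None,
        "trusted_origin_helo": origin["helo"] if origin else None,
        # The HELO name is chosen by the sending machine; the reverse DNS name was
        # looked up by our relay.  A mismatch is a hint that the HELO is a lie.
        "helo_matches_rdns": bool(origin) and origin["helo"] == origin["rdns"],
    }


if __name__ == "__main__":
    for key, value in analyze(RAW_MESSAGE, TRUSTED_RELAYS).items():
        print(f"{key}: {value}")
```

Run as-is, the naive reading points at the forged bottom line (198.51.100.5, "Joe's mail server"), while the trusted walk stops at the stamp Tom's MX added and yields 203.0.113.7, a dial-up address on an ISP that has nothing to do with Joe's domain. That IP, not the From: line, is what an ISP abuse desk would work from.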
To: cc2k
Get Zone Alarm for a firewall, Spybot search & destroy removes spyware, and there was another one that was listed something about mail washer, I've never used that one but some swear by it.
16 posted on 02/25/2004 10:44:00 AM PST by boxerblues
(If you can read this.. Thank a Teacher..If you can read this in English ..Thank a US Soldier)
To: cc2k
Here's a question for you techies:
Can one get a virus from simply "opening" an e-mail? I realize that's what's said in this article, but what do they define as "opening"?
Do they mean opening an attachment, or just opening the e-mail?
Do they mean that opening ANY e-mail can spread a virus, or opening an e-mail delivered by an e-mail CLIENT, like Outlook, or Outlook Express? In other words, if I use only web based mail, can I still get a virus from simply OPENING the e-mail on the website, like Hotmail or Yahoo, or is that "impossible"?
(I realize nothing's technically impossible when it comes to computers and viruses, however, I mean about as improbable as winning the Mega Millions lottery)
Thanks
To: FourtySeven
99% of the time the answer would be no, you would have to open the attachment, but it's better to be safe than sorry and simply delete unknown senders' mail. Most internet email services, i.e. Yahoo, SBC, do a pretty good job of blocking out these emails.
18 posted on 02/25/2004 10:47:36 AM PST by boxerblues
(If you can read this.. Thank a Teacher..If you can read this in English ..Thank a US Soldier)
To: cc2k
"Don't open emails from people you don't know. That can make it tough if you are "networking" on the internet with newsgroups or web boards or whatever. For those occasions, set up a separate email account on Hotmail or Yahoo Mail and let Hotmail or Yahoo worry about screening out the spam and viruses."
Ok, this kind of answers my question. I mean, how safe are Hotmail and Yahoo? Asked another way, are Outlook and Outlook Express SO full of holes that even just switching to a web based e-mail will eliminate any viruses that can be spread by simply opening an e-mail?
If the answer to that is "yes", I honestly don't know why anyone bothers with e-mail clients anymore. (Unless you say to heck with it all and get a Mac, but that's a different argument).
To: cc2k
20 posted on 02/25/2004 10:51:59 AM PST by gonewt