Return of the Mydoom Worm - The "F" is not for "Friendly"...
THIS ONE IS FOR REAL.
2/25/04
Update on the Mydoom.F Worm:
There is a new variant of the Mydoom virus, known as "Mydoom.F". This variant, unlike earlier versions, is DESTRUCTIVE to files and will cause a significant loss of data for infected individuals.
InoculateIT and eTrust Anti-Virus users, take note:
Users who have InoculateIT or Computer Associates' eTrust Anti-Virus should have a high degree of protection from this virus. Protection for this worm is included in the most recent updates, and your systems should be safe from infection. No action should be required, as your systems should be protected. However, note that the "Realtime Monitor" for the software should be on the default setting of "Monitor both directions" to be most effective. If the display in the Taskbar shows a red circle and line through the blue box of the Realtime Monitor, something is wrong and your virus protection is not active. (Ditto if the blue box is not shown at all in the Taskbar.)
Deletes Files:
One of the characteristics of the Mydoom.F virus is that it will randomly delete files with the following extensions from the boot hard drive of an infected system. The file extensions that are attacked include:
"mdb", "doc", "xls", "sav", "jpg", "avi", "bmp"
In other words: MS Access databases, Word documents, Excel documents, SAV files (backup files, program settings, or GAME scores), camera photos, AVI movies, and Windows bitmap images.
By "randomly", you can take this to mean "nearly all" of them. The probability table of deletions (statistics courtesy of Symantec's web site) is as follows:
.mdb - 98%
.doc - 40%
.xls - 60%
.sav - 95%
.jpg - 8%
.avi - 10%
.bmp - 15%
Our experience was that nearly all of these files are missing after an infestation.
The Mydoom.F virus will also distribute itself everywhere in an infected computer. A recently cleaned computer had over 3000 copies of the virus on the hard disk. This can be something of a challenge to remove.
In addition, it attacks anti-virus products from Symantec (Norton Anti-Virus) and Network Associates (McAfee). Users of these products that have not been updated recently may find themselves with no anti-virus at all. (Note that anti-virus software that does not automatically check for updates on a DAILY basis is the illusion of protection- perhaps worse than no protection at all.)
This software does other things besides: it sends out many copies of itself, creates its own address book, attacks Microsoft (and riaa.com, the recording industry website, which is now almost not reachable), and opens up a back door that other viruses apparently use to create more mayhem- the now-all-too-common laundry list of disasters that accompany these afflictions.
The last infestations of the Mydoom worm were quite dramatic, but the program did not delete files. THIS TIME IT DOES. The penalty for being infected is now much higher.
Better Email Messages: The Email messages sent by the worm are more clever than before. It is, apparently, somewhat easier for people to be confused into thinking that these are legitimate attachments. Messages sent by the worm are disguised as all manner of communications. DO NOT OPEN STRANGE ATTACHMENTS.
All Users: Please be careful NOT TO RUN STRANGE ATTACHMENTS, as this can release a virus. The attachment may be of different types, all "executable" program extensions: .bat, .com, .exe, .scr, or .pif. The attachment will have many different names. The extension at the END of the attachment name may be separated from the rest of the name by as many as 100 spaces, so you will "see" a file called, for example, "pictures.jpeg", when the actual name is "pictures.jpeg (100 spaces).exe" - an executable file that will release the virus.
Again, use common sense when something strange appears in your email. (Note that InoculateIT Anti-Virus users should find virus attachments impossible to run, in any case.)
For More Information on the Mydoom.F Variant See:
Computer Associates
http://www3.ca.com/virusinfo/virus.aspx?ID=38355
Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.f@mm.html
Symantec offers a free Removal Tool at:
http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom@mm.removal.tool.html
McAfee (Network Associates):
http://us.mcafee.com/virusInfo/default.asp?id=helpCenter&hcName=mydoom_f
F-Secure:
http://www.f-secure.com/v-descs/mydoom_f.shtml
F-Secure has a free "disinfection" Removal Tool at:
ftp://ftp.f-secure.com/anti-virus/tools/f-mydoomf.zip
1/28/04 Update on the Mydoom Worm:
This update is required for two reasons:
1) Email systems around the world are having difficulty with the volume of Email that the Worm is generating. Emails are being lost, communication between Email systems is failing, and the reliability of business Email is now in question. DON'T ASSUME YOUR EMAILS WILL BE RECEIVED, at least until the problems caused by this infection have eased. (This may be in days- or even weeks.)
2) Messages sent by the worm are of many different types- they are disguised as all manner of communications. DO NOT OPEN STRANGE ATTACHMENTS.
3) The majority of the mail we have been receiving lately is the Mydoom worm. We have never seen anything as prolific as this. The Internet community may be suffering from this bug for quite a while.
Below is our original report on the Mydoom worm. Please note the caution above that the worm is disguising the attachments as all manner of communications- as invoices, as requests for info, as inter-company communications (between made-up names). It is very clever!
The worm's attachments themselves still seem to be .bat, .com, .exe, .scr, or .pif, but some of these are also packed inside .ZIP files! These zip files are often not checked by virus prevention systems, so this may be a way to slip a worm past some antivirus software.
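The two disguises described above (an executable extension hidden behind up to 100 spaces, and an executable packed inside a .ZIP) can be checked mechanically at the mail gateway. The following is an added example written for this page, not code from the original notice or from any of the vendors named here; the filenames and the ZIP archive it inspects are constructed samples.

```python
import io
import re
import zipfile

# Executable extensions the notice lists for the worm's attachments.
EXECUTABLE_EXTS = {".bat", ".com", ".exe", ".scr", ".pif"}


def true_extension(filename):
    """Return the real (last) extension, ignoring trailing whitespace."""
    name = filename.rstrip()
    idx = name.rfind(".")
    return name[idx:].lower() if idx != -1 else ""


def check_attachment_name(filename):
    """Return the reasons a filename looks like a disguised executable (empty if none)."""
    reasons = []
    ext = true_extension(filename)
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension " + ext)
        stem = filename.rstrip()[:-len(ext)]
        # "pictures.jpeg<100 spaces>.exe": padding pushes the real extension out of view.
        if re.search(r"\s{2,}$", stem):
            reasons.append("whitespace padding hides the real extension")
        # A second, harmless-looking extension in front of the real one.
        if "." in stem.rstrip():
            reasons.append("double extension (apparent " + true_extension(stem) + ")")
    return reasons


def check_zip_attachment(data):
    """Return the names of ZIP members (from raw archive bytes) that fail the name check."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [m for m in zf.namelist() if check_attachment_name(m)]


def build_sample_zip():
    """Constructed sample archive: one padded-name executable and one plain text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.doc" + " " * 100 + ".scr", b"")  # constructed, empty payload
        zf.writestr("readme.txt", b"not executable")
    return buf.getvalue()
```

A real gateway would apply check_attachment_name to every MIME part's filename and check_zip_attachment to every ZIP part, quarantining anything that returns a non-empty list.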
The sheer volume of Mydoom worm messages that we are receiving is astounding. This is a significant problem, both for individuals and the Internet as a whole. This sort of attack is going to demand a response from the Internet itself.
Tired of Viruses? So are we. End the problem. Please see our proposal: Whole Office Anti-Virus Protection.
And see our information on: Virus Defense Suggestions.
Need a Free Anti-Virus Solution?
ORIGINAL Mydoom Notice:
As many may have heard, there is a new Email worm that is spreading. It is called "Mydoom", although Symantec (Norton Anti-Virus) calls it "Novarg".
This program disguises itself as an "Email Error Message" such as the one below that we received:
From: Mail Delivery System <Mailer-Daemon@proxy.steigenberger.de>
To: kurt@softprose.com
Subject: Mail delivery failed: returning message to sender
There is an attachment to this message; running the attachment activates the worm.
ALSO: Kazaa "music sharing" software will carry this worm! Users who have exposed "shares" for Kazaa sharing may become infected automatically. (Please consider if Kazaa is worth the risk.)
To all users of InoculateIT Anti-Virus: The signature for this worm is included in the most recent automatic updates, and your systems should be safe from infection. Users of other antivirus products (Norton, McAfee) should confirm that their signature files are current and up to date.
All users: Please be careful NOT TO RUN THE ATTACHMENT that comes with this fake returned message, as this releases the Worm. The attachment may be of different types, all "executable" program extensions: .bat, .com, .exe, .scr, or .pif. The attachment will have many different names.
Again, use common sense when something strange appears in your email. Don't run strange attachments! (Note that InoculateIT Anti-Virus users should find this attachment impossible to run, in any case.)
For more details on the original Mydoom Worm, see:
Computer Associates: http://www3.ca.com/virusinfo/virus.aspx?ID=38102
McAfee: http://us.mcafee.com/virusInfo/default.asp?id=mydoom
Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html
Last Modified on: 2/25/2004