News

MyDoom Spreads Rapidly, but Corporate IT Well Prepared

• By Stephen Swoyer
• January 27, 2004

The new mass-mailing virus, also known as Worm_MiMail.R, first appeared in the wild Monday afternoon, and has since proliferated at a furious pace. Anti-virus vendor Symantec Corp. reports that Novarg is already more active than the summer’s most notorious mass-mailer, SoBig.F.

“With SoBig, we saw 1,800 submissions in a single day,” said Oliver Friedrichs, a senior manager with Symantec Security Response, in a conference call Tuesday morning. Friedrichs said that Symantec had logged 2,500 Novarg submissions in just 18 hours, at a rate of about 150 per hour.

At the same time, Friedrichs said, only 9 percent of submissions were from corporate accounts.

There’s good reason for that, says Russ Cooper, editor of the NT Bugtraq listserve and surgeon general with security consultancy TruSecure. “Most [companies] are intercepting this stuff as it comes in [with spam gateways] or restricting access to attachments, or ideally doing both,” he says. “You can do one or both, but you can’t afford to do neither.”

Ray Zorz, a network administrator with an advocacy group based in the Southwest, reported a heavy load of Novarg-related e-mail traffic in the hours after the new mass-mailer first appeared. "Fortunately my Sybari Antigen AV software seems to be catching them, primarily because I filter out the various file extensions like .scr and .pif. So far I do not believe it's affecting my end users, and like all virus outbreaks, I just hope to weather the storm.”

Bryan Lucas, an Exchange administrator with Texas Christian University, says that neither Novarg or its predecessor, Bagle, Bagel or Beagle, have had much impact, if any, in his environment. “The Bagel/Beagle virus and this new Doom virus have been of very little impact to us. With so many viruses, we, like so many other businesses have had to harden our mail systems. It takes a pretty clever virus to get through,” he says.

Lucas says blocking common attachments is the difference between safely riding out or foundering in a mass-mailing storm. “Bagel, like this new MyDoom both depend on an executable file attachment. We block .exe's along with another 20-30 file extensions. That offers us a fair amount of protection until our anti-virus vendors release their definitions.”

Like other mass-mailers, Novarg infects a system by means of a malicious attachment, which appears as a .zip file – although there’ve been accounts that it also appears as a text file. Once it infects a system, Novarg typically copies itself into the Windows\System folder (as TASKMON.EXE), to the Windows Desktop (as Document.scr) and into a share folder associated with the Kazaa file-sharing service (activation_crack.scr). Novarg propagates by scanning local files, including HTML files and the databases associated with popular contact management software, for e-mail addresses.

In addition, Friedrichs reports, Novarg opens a back door on TCP ports 3127 through 3198. “[It] allows other people [to] come in and connect to an infected system,” he explains. “They can actually send programs and other files up to the infected system and have them execute, that exposes the infected system to further attacks, [because] anyone can come into one of these infected systems, install another Trojan or another program, and take control.”

A malicious attacker can also exploit the Novarg back door to relay spam. “There’s certain commands that this backdoor accepts, by issuing those commands, someone can cause the infected system to open up a network connection to any arbitrary host on any arbitrary port,” he says.

The virus also has a political motive. It is programmed to launch a denial-of-service attack against the SCO Group Inc., the company that mounted a full-on legal attack on Linux on intellectual property grounds. That DoS attack is scheduled to start Feb. 1 and run through Feb. 12.

Symantec and most other vendors issued virus updated definitions Monday night, although some are still working on Novarg clean-up tools. Virus experts say that while there’s certain to be some damage at the enterprise level from the latest mass-mailer – there is, after all, some lag time between when a virus first appears and anti-virus vendors issue updated virus definitions -- its impact can be minimized if administrators simply follow the best practice of restricting access to most if not all attachments, including .zip files and .txt files.

“I had an e-mail from one individual who says … that there are business reasons that you need executable attachments, which I just don’t accept, there’s no valid business reason anymore, especially when you take into account the damage that these [mass-mailers] can cause,” says TruSecure’s Cooper.

Cooper doubts that Novarg is a big problem in the enterprise, noting that it typically spreads by exploiting common first names – i.e., “John,” “Peter,” or “Mary” – appended to a destination domain name. “The reason that this thing is getting legs is possibly the result of … a machine that had previously been trojaned and was being used for spam production, and then gets this, and meanwhile it’s got a huge list of addresses that this can exploit,” he says.