New “Mydoom” Worm Launching a World-Wide Attack

F-Secure is warning email users around the world about a new Windows worm which is spreading rapidly. The new worm, known as Mydoom or Novarg, is spreading through email attachments and Kazaa file sharing networks.

The worm has launched a world-wide denial-of-service attack from every infected computer against the website of SCO, one of the largest Unix vendors in the world. However, the WWW.SCO.COM site seems to be still operational.

There’s been a lot of discussion about SCO after they claimed last December that the Linux operating system was violating SCO’s intellectual property rights in UNIX technology. “There are a lot of kids out there who feel like SCO’s attacking them”, comments Mikko Hypponen, Director of Anti-Virus Research at F-Secure Corporation. “Apparently someone of them decided that it’s ok attack back.”

In addition of the denial-of-service attack, the worm also opens up a backdoor to infected computers by listening to TCP port 3176. This way the worm author can gain access to infected computers afterwards.

The emails sent by the worm are fairly random:

From: random email address
To: address of the recipient
Subject: random words

Message body: (several different mail error messages, such as:)

Mail transaction failed. Partial message is available.

Attachment (with a textfile icon): random name ending with ZIP, BAT, CMD, EXE, PIF or SCR extension.

When a user clicks on the attachment, the worm will start Notepad, filled with random characters and it will immediately start to spread further.

Detailed technical description of the worm as well as screenshots are available in the F-Secure Virus Description Database.