01/28/2004: Technologica
MyDoom Spawns More Potent Variant
Use a computer? Then pay attention... unless you own a Mac
By Michelle Delio, Wired
A new, nastier variant of the MyDoom worm has been released and is beginning to spread across the Internet, according to antivirus experts.
Computers infected with MyDoom.B will launch a 12-day denial-of-service attack on Microsoft.com beginning Feb. 1. They will also launch a separate attack on the SCO Group's website on the same date, just as the original version of the worm is coded to do.
The worm's predecessor swept through inboxes earlier this week and was quickly dubbed the most virulent e-mail worm of all time by e-mail-filtering company MessageLabs.
Antivirus experts said they believe computers that are infected with MyDoom.A are probably being used to send out e-mails containing copies of the new variant. Infected computers have a backdoor in their systems that allows malicious hackers to remotely access and control infected machines.
"These infected computers may have received a command to send out copies of MyDoom.B. Therefore, the computer community may be facing a much more serious outbreak than the one caused by MyDoom.A on Tuesday," said Denis Zenkin, head of corporate communications for Kaspersky Labs, a Moscow-based antivirus firm.
The new version of MyDoom's programming code also contains a text string that is presumably a message from the virus' creator: "sync-1.01; andy; I'm just doing my job, nothing personal, sorry."
Intriguing.
Symantec's Critical Information on W32.Novarg.A@mm
A.K.A
- W32/Mydoom@MM [McAfee]
- WORM_MIMAIL.R [Trend]
- Win32.Mydoom.A [Computer Associates]
- W32/Mydoom-A [Sophos]
- I-Worm.Novarg [Kaspersky]
Computers Affected
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP (goddamn microsoft!)
Does Not Affect
DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x
Vitals
W32.Novarg.A@mm is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip. When a computer is infected, the worm will set up a backdoor into the system by opening TCP ports 3127 through 3198, which can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources.
In addition, the backdoor can download and execute arbitrary files.
The worm will perform a Denial of Service (DoS) starting on February 1, 2004. It also has a trigger date to stop spreading on February 12, 2004. These two events will only occur if the worm is run between or after those dates. While the worm will stop spreading on February 12, 2004, the backdoor component will continue to function after this date.
The Email Will Have the Following Characteristics
From: May be a spoofed from address
Subject: (one of the following)
- test
- hi
- hello
- Mail Delivery System
- Mail Transaction Failed
- Server Report
- Status
- Error
Body: (one of the following)
- Mail transaction failed. Partial message is available.
- The message contains Unicode characters and has been sent as a binary attachment.
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Attachment: (one of the following)
- test
- document
- readme
- doc
- text
- file
- data
- test
- message
- body
The attachment may have two suffixes. If so, the first suffix will be one of the following:
- .htm
- .txt
- .doc
- .pif
- .scr
- .exe
- .cmd
- .bat
- .zip (This is an actual .zip file that contains a copy of the worm, sharing the same file name as the .zip. For example, readme.zip can contain readme.exe.)
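As an added example (not code from the Wired article or from Symantec's advisory), a small Python mail filter that checks an incoming message against the traits listed above: the known subject lines, the known attachment base names, the double-suffix trick, and a .zip carrying an executable with the same base name (readme.zip holding readme.exe). The sample messages are constructed inline; the sender address and the payload bytes are placeholders.

```python
import io
import zipfile
from email import message_from_string
from email.mime.application import MIMEApplication

# Traits from the advisory text above, lower-cased for comparison.
SUBJECTS = {"test", "hi", "hello", "mail delivery system", "mail transaction failed", "server report", "status", "error"}
NAMES = {"document", "readme", "doc", "text", "file", "data", "test", "message", "body"}
FIRST_SUFFIX = {".htm", ".txt", ".doc", ".pif", ".scr", ".exe", ".cmd", ".bat"}
EXEC_SUFFIX = (".bat", ".cmd", ".exe", ".pif", ".scr")

def attachment_indicators(filename, payload):
    base, *rest = filename.lower().split(".")
    suffixes = ["." + s for s in rest]
    reasons = ["known base name"] if base in NAMES else []
    if len(suffixes) == 2 and suffixes[0] in FIRST_SUFFIX and suffixes[1] in EXEC_SUFFIX:
        reasons.append("double suffix hiding an executable")
    if suffixes and suffixes[-1] == ".zip" and payload:
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                inner = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            inner = []
        # readme.zip holding readme.exe: same base name, executable inside
        if any(n.rsplit(".", 1)[0] == base and n.endswith(EXEC_SUFFIX) for n in inner):
            reasons.append("zip wraps an executable with the same base name")
    return reasons

def mydoom_indicators(raw_message):
    """Parse a raw RFC 822 message and collect MyDoom.A-style indicators."""
    msg = message_from_string(raw_message)
    reasons = ["known subject line"] if msg.get("Subject", "").strip().lower() in SUBJECTS else []
    for part in msg.walk():  # yields the message itself when it is single-part
        if part.get_filename():
            reasons += attachment_indicators(part.get_filename(), part.get_payload(decode=True))
    return reasons

def build_sample(subject, filename, inner_name=None):
    """Constructed sample (not a real capture); inner_name makes the attachment a .zip holding that file."""
    payload = b"MZ placeholder bytes, not a real worm body"
    if inner_name:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(inner_name, payload)
        payload = buf.getvalue()
    msg = MIMEApplication(payload, Name=filename)
    msg["From"] = "spoofed@example.invalid"  # the worm spoofs the sender address
    msg["Subject"] = subject
    msg["Content-Disposition"] = f'attachment; filename="{filename}"'
    return msg.as_string()
```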