MyDoom

The MyDoom Outbreak

Last updated: February 22, 2004
News flash: the SCO Group Inc. web site has been shut down by a Win32.Mydoom.A DDoS attack performed by 500,000 to 1 million infected computers worldwide. The attack was expected to last from February 1 to 12, 2004.

The website is still down, however, due to Win32.Mydoom.E, a relatively new worm which also targets the SCO Group Inc. web site. This attack will not subside until the worm's spread is severely diminished.
On some occasions, harmless, corrupt MyDoom samples might still be detected by some anti-virus products. These samples are not dangerous but can still cause undue concern.

eSafe Gateway and eSafe Mail users can find instructions on how to eliminate corrupt MyDoom emails here.


In January 2004, a brutal new worm and its variants started spreading throughout the world with staggering propagation rates, posing a high security risk and impacting worldwide IT resources.

It all began on the evening of January 26, 2004 with Win32.Mydoom.A and continued with its variants Win32.Mydoom.B, Win32.Doomjuice, Win32.Mydoom.E and Win32.Mydoom.F, with more variants expected to spring up in the near future. While the original worm is classified as an outbreak, its variants are not as widespread. However, statistics show they may yet rise to the levels of the original and may even surpass them.


MyDoom statistics

  • $3,000,000,000: the estimated financial damage caused by MyDoom in the first 48 hours.
  • $10,000,000,000: the estimated total financial damage expected from MyDoom.
  • $1,000,000,000: the estimated daily financial damage caused by MyDoom until it is eradicated.
  • 1,000,000: the estimated number of computers infected with MyDoom worldwide.
  • 10,000: the estimated number of companies infected with MyDoom worldwide.
  • 100,000,000 emails in 36 hours: the estimated number of emails generated by infected computers in the first 36 hours.
  • 40% more email: the estimated increase in global email volume caused by infected computers during the outbreak.
  • 30% more internet traffic: the estimated growth in total internet traffic during the outbreak.
  • 12 days: from February 1 to 12, the web site of SCO Group Inc. is expected to be unavailable due to the Win32.Mydoom.A DDoS.

Sources: News.com, Computer Economics, Gartner Group, mi2g security consultants

What are the MyDoom vandals?

The MyDoom vandals are mass-mailing worms that cause a massive amount of email to be sent from infected machines, straining mail servers around the world. Less obviously, they open backdoors on infected machines, which may allow remote hackers to gain full access to them or turn them into proxy servers for a multitude of illegal activities. The variants also perform a denial of service (DoS) attack on specific websites.

Why are they spreading so fast?

MyDoom sends itself to a large list of recipients and may spoof the sender's information so that the messages appear to come from someone the recipient knows. When the worm is received, it may appear as a confusing but legitimate-looking email delivery error message. The message body states that there was an error, usually related to encoding issues, using wording familiar to many email users. The attachment appears to be a legitimate report from the mail server, and on some occasions the icon representing the file may look like that of a text file. This is a clever method of social engineering: by using a message format that is familiar to most mail users, the worm removes any suspicion the recipient might otherwise have.
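As an added illustration (not part of the original page or of eSafe's products), the following Python triage routine turns the lure described above into mail-gateway detection logic: it flags messages whose body reads like a delivery error but whose From: header is not the MTA, and attachments that are really executables (by the "MZ" header) whatever filename or MIME type they wear. The phrase list, extension list and the sample message are constructed assumptions modelled on the page's description, not indicators for any specific variant.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Heuristics constructed from the page's description of the lure (a fake delivery
# error blamed on an encoding problem, carrying an executable dressed up as a text
# report). They are illustrative, not a signature for any particular MyDoom variant.
LURE_PHRASES = ("deliver", "encoding", "binary attachment", "unicode")
EXEC_EXTENSIONS = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd")


def analyse_message(raw: bytes) -> dict:
    """Triage one RFC 822 message: does it look like the MyDoom-style bounce lure?"""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body else ""
    lure_text = sum(p in text for p in LURE_PHRASES) >= 2
    # Genuine bounces come from the MTA itself; bounce wording under a personal From: is odd.
    sender = (msg.get("From") or "").lower()
    spoofed_bounce = lure_text and not re.search(r"mailer-daemon|postmaster", sender)
    suspicious = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        is_pe = payload[:2] == b"MZ"                 # DOS/PE header, whatever the name or MIME type says
        if is_pe or name.endswith(EXEC_EXTENSIONS):  # e.g. report.txt.pif posing as a text file
            suspicious.append(name or "<unnamed>")
    verdict = "strip-attachment" if suspicious and (lure_text or spoofed_bounce) else "deliver"
    return {"lure_text": lure_text, "spoofed_bounce": spoofed_bounce,
            "suspicious_attachments": suspicious, "verdict": verdict}


def build_sample() -> bytes:
    """Constructed message in the shape the page describes; addresses and names are made up."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.org"      # forged: looks like someone the recipient knows
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Mail Delivery System"
    msg.set_content("The message could not be delivered because of an encoding error.\n"
                    "It contains Unicode characters and has been sent as a binary attachment.")
    # Stand-in for the worm body: only the 'MZ' magic matters, the rest is zero padding.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="text", subtype="plain",
                       filename="report.txt.pif")
    return bytes(msg)


if __name__ == "__main__":
    print(analyse_message(build_sample()))
```

The verdict mirrors the gateway behaviour the page describes later (removing the attachment rather than blocking the whole message), and the MZ check is what catches a worm body even when the attachment is declared as text/plain.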

[Figure: MyDoom email]
MyDoom spoofs the sender's address and may appear as a legitimate email delivery error message with an attached text file.
Don't be tempted to double-click the attachment!


In order to spread, MyDoom uses its own SMTP engine to send emails directly, without the need for an email client application such as Outlook or Outlook Express. It starts by searching for mail relay servers from a list of addresses that are hard-coded into the worm. If they are unavailable for some reason, the worm uses sophisticated methods to gather network information from the infected system in order to obtain domain names and their corresponding mail servers (also known as MX, or mail exchange, servers), and attempts to relay mail through them.

The DoomJuice variant operates differently. It spreads only to systems already infected with the MyDoom vandal, by connecting to TCP port 3127. This port is left open for listening when the system is infected with some variants of the MyDoom worm.

What are the dangers?

  • Activity: the Win32.Mydoom variants launch a denial of service (DoS) attack against several websites.
    Danger: an attack of this kind, coming from numerous sources, can temporarily take down the attacked websites. It may also take up all of the infected system's bandwidth and resources.
  • Activity: the vandals open TCP ports for listening.
    Danger: this is a backdoor. The system allows access to hackers. Any unauthorized person can manipulate files, steal sensitive information and even completely take over the computer.
  • Activity: all variants spoof (or forge) the sender's address.
    Danger: inability to validate the sender's identity. Therefore, a user of an infected machine will not have any indication of infection, and others will be blamed for sending the worm.

How does eSafe protect you?

eSafe products offer full, multi-layered protection against the MyDoom variants. An infected message received by email will have its attachment removed by eSafe. A network protected by eSafe will not let the worm open ports, making it impossible for hackers to gain illegal access to the system and to the information held within. On some rare occasions, non-eSafe anti-virus products installed in an organization may detect MyDoom in an email message even though this message was inspected and cleaned by eSafe. This happens because the anti-virus product detects harmless 'leftovers' that are not actual files but parts of the email itself. There is no cause for alarm; however, if you have any doubts you can submit these samples to the eSafe CSRT for inspection.

Where can I find more information about the MyDoom vandals?

Additional information can be found on the CSRT website:

Win32.Mydoom.A

Win32.Mydoom.B

Win32.Doomjuice

Win32.Mydoom.E

Win32.Mydoom.F

Microsoft recently released a utility that cleans systems infected by the MyDoom worm (most current versions). The cleaner and additional information are available here.

From past experience, we expect a decrease in these worms' spread due to the extensive media coverage they received. The following articles report on this latest outbreak and provide some additional insights into the matter:

MyDoom overtakes Sobig.F as worst virus

University combats latest global computer virus outbreak

Schumer warns of email virus
