New e-mail worm breaks infection records
The Mydoom virus now accounts for one in every 12 e-mail messages
IDG News Service - A new computer virus that spreads using e-mail messages is breaking records for new infections that were set by the last major e-mail worm, Sobig.F, according to leading antivirus software companies and e-mail security firms.
Infected e-mail messages carrying the Mydoom virus, also known as Shimgapi and Novarg, have been intercepted from over 142 countries and now account for one in every 12 e-mail messages, according to Mark Sunner, chief technology officer at e-mail security company MessageLabs Ltd.
That surpasses the record set by the Sobig.F virus, which appeared last August and, at its peak, was found in one of every 17 messages intercepted by MessageLabs, he said.
Since first detecting the new virus at 1 p.m. GMT yesterday, MessageLabs has intercepted almost 1 million infected e-mail messages carrying the virus, Sunner said. The virus has "followed the sun," hitting hard in the U.S. and Canada late yesterday, then working its way through Asia and Europe today, he said.
F-Secure Corp. in Helsinki estimates that about 100,000 computers have been infected with Mydoom so far, said Mikko Hypponen, manager of antivirus research at F-Secure.
Antivirus experts expected another large wave of infections in the U.S. and Canada this morning, as workers who missed the virus late yesterday returned to their desks, he said.
The worm arrives as a file attachment in an e-mail with a variety of senders and subjects, such as "Hello" and "test." The message body is often technical-sounding, imitating the look and feel of an automatically generated message from an e-mail server, Sunner said.
For example, some of the e-mails have contained messages telling recipients that "the message contains unicode characters and has been sent as a binary attachment" or that "the message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment." Users who click on the attachment, which uses a variety of file extensions, including .bat, .cmd, .exe, .pif, .scr and .zip, are infected with the virus.
The technical pitch is a new twist on so-called social engineering techniques used by virus writers to trick users into opening malicious file attachments. Mydoom's authors may have been counting on the fact that people trust the authenticity of computer-generated messages more than those purporting to come from other humans, Sunner said.
Mimicking the language of a computer-generated administrative message may have also helped Mydoom spread within large corporations, where employees are used to receiving such messages from administrative systems, according to David Perry, public education director at antivirus company Trend Micro Inc.
Trend Micro saw evidence yesterday of infections at 12 Fortune 100 companies, he said. Once inside such companies, Mydoom could use the enormous bandwidth of those corporate networks and huge e-mail address books as a springboard to the rest of the Internet, Perry said.
While Mydoom has shattered Sobig.F's records, in many ways the two viruses are the same, antivirus experts agreed.
Both viruses scan infected computers for e-mail addresses that are then targeted by infected e-mail. Also, both Sobig.F and Mydoom are small and contain highly efficient SMTP engines for sending out copies of themselves. The efficiency of their mail engines means that even a small number of infections can generate a massive amount of e-mail traffic, Hypponen said.
In addition, both Sobig.F and Mydoom contain a Trojan horse program that gives remote attackers full control of the infected system, he said.
In the case of Sobig.F, experts theorized that the virus was being used to assemble "zombie" networks of machines for distributing unsolicited commercial e-mail. A similar motive may be behind Mydoom, though the virus writer's intentions are not yet clear, said Perry.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Why You Need a Next-Generation Firewall This white paper explores the reasons for implementing next-generation (NG) firewalls and lays out a path to success for overburdened IT organizations.
- Logicalis eBook: SAP HANA: The Need for Speed Without timely business insights, organizations today can suffer logistical, manufacturing, and even financial disaster in a matter of minutes
- Neustar 2014 DDoS Attacks and Impact Report For the third consecutive year, Neustar surveyed hundreds of companies on distributed denial of service (DDoS) attacks. The survey reveals evidence that the...
- Top 4 Digital Signage Fails Join RMG Networks for a look at four of the most common reasons digital signage fails in corporate businesses. Learn about strategies to...
- Building Tomorrow's Infrastructure Listen to this podcast to discover how Crider Foods worked with PC Connection to update their IT infrastructure, while maintaining compliance and control. All Malware and Vulnerabilities White Papers | Webcasts