"MyDoom" virus and how to protect your computer from it
By Nowshade Kabir ©Rusbiz.com
Remember the Sobig viruses of last year that wreaked havoc and caused significant
financial damage to the corporate world? Well, the first major virus of this year
has the potential to beat those attacks easily.
What is MyDoom?
The new virus, which is actually a more virulent variation of the “Mimail” virus,
is dubbed MyDoom by antivirus software maker Network Associates Inc. and "Novarg"
by rival Symantec Corp.
The virus, first detected around 4PM EST on Monday, January 26, 2004, immediately
started to create a mail storm throughout the Internet. According to experts,
the MyDoom virus is capable of generating up to 8 million infected e-mails in the
first 24 hours if it is not slowed down. This is twice the amount
produced by the Sobig.F virus, which at its peak last year generated around
3.5 million e-mails on the third day of its outbreak.
Within one hour of its first attack, Network Associates itself received 19,500
e-mails bearing the virus from 3,400 unique Internet addresses.
How does it work?
MyDoom spreads itself in the same way as any other email-borne virus. An unsuspecting
user who receives the infected email activates the virus by opening the attached
file. As always, the virus infects only Windows-based PCs. The attached
file can have any of these extensions: ".exe", ".scr", ".cmd" or ".pif".
The randomized subject line of the infected message can carry texts such as
Mail Delivery system, Test, Server report and Hello, among others.
The body of the email shows one of several texts, such as: "The message
cannot be represented in 7-bit ASCII encoding and has been sent as a binary
attachment"; "The message contains Unicode characters and has been
sent as a binary attachment."; and "Mail transaction failed. Partial
message is available." The idea here is to trick users into opening the
attachment. The opened attachment looks like a simple Notepad text file, which
most people believe to be safe and incapable of carrying viruses.
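The three lure indicators described above (the subject set, the body texts and the executable attachment extensions) are enough to build a simple mail filter of the kind recommended later in this article. The following is an added example, not code from the article or from any antivirus vendor: it uses Python's standard email library to score a message on those indicators. The sample messages, the placeholder attachment bytes and the quarantine/review/deliver thresholds are constructed for this example.

```python
"""Heuristic filter for MyDoom-style lure messages.

Added example, not code from the article. It checks an e-mail against the
three indicators the article describes: a subject drawn from the worm's
randomised set, one of the worm's body texts, and an attachment whose name
ends in .exe, .scr, .cmd or .pif. The verdict thresholds and the sample
messages are constructed for this example.
"""
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the article's description of the lure e-mail.
LURE_SUBJECTS = {"mail delivery system", "test", "server report", "hello"}
LURE_BODY_PHRASES = (
    "has been sent as a binary attachment",
    "mail transaction failed",
)
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".cmd", ".pif")


def build_sample(subject: str, body: str, attachment_name: str = "") -> str:
    """Construct a raw RFC 822 message for testing (constructed sample data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # Placeholder bytes: not a real program, just a stand-in payload.
        msg.add_attachment(
            b"constructed placeholder, not executable",
            maintype="application",
            subtype="octet-stream",
            filename=attachment_name,
        )
    return msg.as_string()


def classify(raw_message: str) -> dict:
    """Score a raw message and return the indicators found plus a verdict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    attachments = [part.get_filename() or "" for part in msg.iter_attachments()]

    subject_hit = subject in LURE_SUBJECTS
    body_hit = any(phrase in body for phrase in LURE_BODY_PHRASES)
    executables = [
        name for name in attachments if name.lower().endswith(EXECUTABLE_EXTENSIONS)
    ]

    # Assumed policy: an executable attachment alone is worth a second look;
    # combined with the worm's subject or body text it is quarantined outright.
    if executables and (subject_hit or body_hit):
        verdict = "quarantine"
    elif executables:
        verdict = "review"
    else:
        verdict = "deliver"

    return {
        "verdict": verdict,
        "subject_hit": subject_hit,
        "body_hit": body_hit,
        "executable_attachments": executables,
    }


if __name__ == "__main__":
    samples = {
        "lure": build_sample(
            "Mail Delivery system",
            "Mail transaction failed. Partial message is available.",
            "message.pif",
        ),
        "plain executable": build_sample("Quarterly numbers", "See attached.", "tool.exe"),
        "benign": build_sample("Lunch?", "See you at noon."),
    }
    for label, raw in samples.items():
        print(f"{label:>16}: {classify(raw)}")
```

The point of the two-tier verdict is that the executable extension is the strong signal: a worm can change its subject lines and body texts far more easily than it can stop needing the user to run an attachment, so an executable attachment by itself is never simply delivered.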
Once a computer gets infected with MyDoom, the virus, along with the Trojan
embedded in it, does the following things:
The virus resends itself using a built-in mailing program to e-mail addresses
from the address book of the infected computer. It is capable of sending out 100
infected email messages in 30 seconds to addresses stored in the computer. It
also fakes the sender’s address, showing one of the e-mail addresses randomly selected
from the computer's address book. So it appears that the virus came from someone
other than the person whose computer produced the email.
The virus also copies itself to the Kazaa download directory of the infected
computer, if the file-sharing program is installed on it. The virus camouflages
itself using one of seven file names, including Winamp5, RootkitXP, Officecrack
and Nuke2004. Kazaa is a file-sharing program widely used by teens to share
music among peers.
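A quick way to check a file-sharing download folder for the camouflaged copies just described is to look for the decoy names regardless of case or extension. The following is an added example, not code from the article: the article gives only four of the seven decoy names, so only those four are checked, and treating the article's attachment extensions as the likely extensions of the shared copies is an assumption. The sample folder is constructed for the example.

```python
"""Scan a file-sharing download folder for MyDoom's camouflaged copies.

Added example, not from the article. The article names four of the seven
decoy file names the worm uses in the Kazaa download directory (Winamp5,
RootkitXP, Officecrack, Nuke2004); the remaining three are not given, so
only those four are checked. Using the article's attachment extensions as
the likely extensions of the shared copies is an assumption. The sample
folder is constructed for the example.
"""
import os
import tempfile

DECOY_STEMS = {"winamp5", "rootkitxp", "officecrack", "nuke2004"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".cmd", ".pif"}


def find_decoys(share_dir: str) -> list:
    """Return (file name, severity) for every file whose name matches a decoy.

    Matching is case-insensitive and ignores the extension, so 'WinAmp5.EXE'
    and 'officecrack.zip' are both reported; a file with an executable
    extension is rated 'high', anything else 'medium', because the decoy
    name alone is enough to warrant a look.
    """
    findings = []
    for name in sorted(os.listdir(share_dir)):
        path = os.path.join(share_dir, name)
        if not os.path.isfile(path):
            continue
        stem, ext = os.path.splitext(name)
        if stem.lower() in DECOY_STEMS:
            severity = "high" if ext.lower() in EXECUTABLE_EXTENSIONS else "medium"
            findings.append((name, severity))
    return findings


def build_sample_share() -> str:
    """Create a constructed download folder mixing decoys with harmless files."""
    share_dir = tempfile.mkdtemp(prefix="kazaa_share_")
    for name in ("WinAmp5.EXE", "nuke2004.scr", "officecrack.zip", "readme.txt", "song.mp3"):
        with open(os.path.join(share_dir, name), "wb") as fh:
            fh.write(b"constructed placeholder content")  # not a real file of any kind
    return share_dir


if __name__ == "__main__":
    folder = build_sample_share()
    for name, severity in find_decoys(folder):
        print(f"{severity:>6}  {name}")
```

Run it against the real download folder of the sharing program instead of the constructed one; any hit should be treated as a sign that the machine was already infected, not merely that it downloaded a bad file.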
MyDoom also uses the domains of the email addresses it finds on the infected
computer to make up numerous email addresses in an attempt to spread itself.
This tactic is commonly used by spammers and is called a “Dictionary Attack”.
Some experts claim that this virus also drops a file onto infected computer
systems that collects sensitive data such as passwords, user names and credit
card information.
The virus is also programmed to start a denial of service attack
on SCO, the controversial software group which claims that important components
of the Linux open-source operating system violate its Unix copyrights. A Denial
of Service attack means that, in an attempt to shut down a server, thousands of emails
are sent to one single address. The attack clogs the bandwidth and cripples
the whole mailing system of the company, forcing it to either turn off the
server or change the domain name.
Finally, the virus also opens communication ports on the infected computer,
allowing a hacker to manipulate the machine remotely.
One hack of a virus, isn’t it?
What to do?
If you take the following steps, your computer will be virtually safe from
any similar virus attacks:
- Get an antivirus program and install it on your computer.
- Regularly update your antivirus program.
- Get a firewall and install it. A great free firewall that you can download and install is ZoneAlarm. You can download it from http://www.zonelabs.com/store/content/home.jsp
- Regularly get patches for your version of Windows and apply them.
- Use email filters similar to ePrompter. It gives you the ability to delete unwanted spam or suspicious-looking mail, which might contain viruses. Get it free from http://www.eprompter.com
- Scan your computer for viruses regularly. A great free tool that scans your computer remotely for viruses and eliminates them can be found at http://housecall.trendmicro.com/housecall/start_corp.asp
No doubt Microsoft has to do a better job of protecting us from this ongoing
slaughter. However, until this happens, Windows users have to be more vigilant
and do everything possible to protect their machines.