New Worm Spreads, Threatens SCO

A malicious program spread quickly over the Internet Monday, slowing down network traffic and potentially leaving electronic back doors open on individual computers.

Known as MyDoom, Novarg and a variant of the Mimail worm, the infection usually appears as an e-mail error message. An attached executable file can send approximately 100 e-mail messages in 30 seconds. It also installs a program that allows a computer to be controlled remotely.

The worm has one other twist in its programming: It prepares infected PCs to send data to The SCO Group’s Web server, beginning February 1st.

Anatomy of a Worm

The worm arrives in an e-mail inbox with a variety of random subject lines, such as “Mail Delivery System,” “Test” or “Mail Transaction Failed.” The e-mail’s body bears the executable file and a message stating that the e-mail contains Unicode characters and has been sent as a binary attachment.

The worm began spreading at approximately noon Pacific time and affects computers running Windows versions 95, 98, ME, NT, 2000 and XP.

Symantec noted that the worm appears to contain a program that logs keystrokes from infected machines, which could be used to collect usernames and passwords. The company also discovered the code that would flood The SCO Group’s site. Although SCO’s site was slow to load Monday, it was still accessible.

SCO’s site has been targeted in the past year with denial-of-service attacks, but if Novarg affects the site, it will be the first time an attack on SCO has been initiated by malware.

Sickly Uncle Sam

The attack is a worldwide phenomenon, although Mikko Hypponen, director of antivirus research in F-Secure’s Helsinki, Finland, office, noted that the United States will be hardest hit.

He told the E-Commerce Times that the worm started in Eastern Europe, but time zones prevented it from being as large a threat there or in other parts of the world because of lower e-mail activity.

“It was the middle of the business day in the United States, but over here it was 11 p.m.,” he said. “By the time people got into work here, the updates had already zapped it. The same happened in Sydney and Tokyo. But in the U.S., because of the timing, it’s spreading.”

Quick Spread

Although MyDoom/Novarg has replicated quickly, antivirus responses have been reducing its impact at an equally rapid pace.

Robin Matlock, vice president of product marketing at Network Associates’ McAfee System Security Group, told the E-Commerce Times that having a wormspread this quickly is not surprising.

“Blaster went worldwide in three minutes,” she said, noting that the speed of that worm may have given antivirus researchers better protection against Novarg.

“We saw that technology had to be ahead of the hacker,” she said. “Human intervention wasn’t enough, because no one could be that fast. So, there’s been a great deal of technology development that was focused on addressing the sophistication of the hacker community.”

Speedy Response

Hypponen noted that most vendors have issued some type of update or patch. F-Secure has put a free update on its site that will cleanse a PC of Novarg. The effect of so much security has been quick containment, he said.

“Practically everyone is stopping this virus,” he added. “Hopefully, many of the machines will be clean before Sunday.”

However, until antiviral strategies have been employed globally, it will be difficult to predict how much damage has been done or what will happen to the SCO Group’s site.

“Everyone is working on this,” Hypponen said, “and SCO will also be doing quite a bit of work this week, I’m sure. But you’re talking about a lot of machines, and not all of them will be cleaned. So, how this plays out remains to be seen.”