
Re: philozarton post# 59132

Tuesday, 01/27/2004 12:37:06 PM

Tricky computer virus causes global epidemic


14:10 27 January 04

NewScientist.com news service

A computer virus disguised as a text file attached to a technical email has spread to thousands of computer systems worldwide since appearing on Monday.

The speed of its spread makes the virus - variously dubbed MyDoom, Novarg and MiMail.R - one of the fastest moving ever seen. UK-based email filtering firm MessageLabs says it saw 1.2 million copies pass through its systems between 1300 GMT Monday and 0900 GMT on Tuesday.

The deluge of extra email created by the virus caused disruption to some parts of the internet on Monday evening, according to US internet monitoring firm Keynote Systems.

MyDoom arrives in the guise of a text file attached to an email alert. The mail contains one of a number of messages encouraging the user to open the attachment. One says: "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment." Another warns: "Mail transaction failed. Partial message is available."

Experts say even computer users who are wary of opening suspicious attachments may have been duped by the technical packaging of the virus.

"MyDoom is unlike many other mass-mailing worms we have seen in the past," says Graham Cluley, at UK anti-virus company Sophos. "It does not try to seduce users into opening the attachment by offering sexy pictures of celebrities or private messages."


Arsenal of tricks


Opening the attachment runs the viral program, unleashing its arsenal of tricks. First it emails itself to all the addresses in the victim's address book, either as the fake text file or a compressed zip file. The latter may be an effort to evade corporate email filters that block executable files.

It also attempts to spread via the popular file-sharing network Kazaa, if this is installed on the victim's machine. The virus copies itself to the Kazaa directory disguised as a copy of a popular computer application, such as Microsoft's Office. Any computer user downloading the file and running it would become infected.

Aside from attempts to spread itself, the virus places a hidden program on infected machines that would allow a malicious hacker to control the computer remotely. The hidden program is also set to launch an attack against the web site belonging to US computer company SCO on 1 February. Thousands of infected computers working in unison could overload the site and make it inaccessible to web browsers.

SCO has incurred the anger of computer enthusiasts who support the free operating system Linux by alleging that important Linux system code is covered by its copyrights. SCO has demanded royalties from both companies and individuals using the community-developed operating system.

The final trick deployed by the virus is a key-logging program. This records a user's keyboard strokes and could be used to harvest passwords and credit card information.




Response time


Keynote Systems, which monitors the performance of the internet, reported that the surge of email churned out by MyDoom caused response times for numerous high-profile web sites to rise from two to four seconds on Monday evening.

As the clean-up continues, anti-virus companies have also begun trying to trace the outbreak. MessageLabs says the first infected mail to come through its network originated from Russia.

MyDoom was not the only virus to harass computer users on Monday. Another one, called Dumaru, was seen spreading with more limited success. This virus also installs a covert program, which searches for PayPal or e-Gold account information and transmits this information back to its creator.


Will Knight

