|GuardDog Security | Urgent: Virus Alert: MyDoom
a True Viral Outbreak
26 January 2004
About the Virus
A new virus, MyDoom (also called Novarg by some vendors, Mimail.R by others), is erupting on the Internet right now. Network Associates received 19,500 copies of the virus from over 3,400 email addresses in a single hour Monday afternoon, an extremely high rate. MyDoom seems to have been launched today, around 1:00 PM Pacific Standard Time. The virus presents a well-worded message advising that its attachment was necessary because a technical error prevented normal email transmission, a more clever social-engineering ploy than the garden variety "Here, open this." Since this new virus carries a trojan, MyDoom might feel appropriately named to its victims.
A MyDoom e-mail spoofs its sender so that it appears to come from one of your friends, contacts, or a credible institutions such as a bank or phone company. The Subject is randomized. So far we've seen the variations below:
Mail Delivery System
Mail Transaction Failed
MyDoom is so new that the anti-virus vendors have not compiled their list of variations at the time of this writing. There may be other Subjects we haven't listed. MyDoom's body is also random. So far we know of these three variations:
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.
We believe those credible bodies partly contribute to MyDoom's suceess. They certainly sound like legitimate errors and lead one to believe that the attached file could be the message that your e-mail client can't display. Don't fall for it!
MyDoom uses random attachments that try to look like documents. It uses the following extensions:
.zip <-- (The zip file contains an executable that looks like a document; e.g., doc.txt [lots of spaces] .exe)
Although details are still developing, MyDoom starts like most viruses. If one of your users runs the virus' attachment, it starts by copying itself to his computer and adding registry entries to ensure that it can restart if your user reboots. It also harvests e-mail addresses from a number of different file types and sends itself to others.
According to the latest breaking news, MyDoom also seems to spread through the popular Kazaa P2P, file-sharing application. Other reports indicate MyDoom is engineered to target SCO for a Denial of Service attack.
Finally, MyDoom installs a backdoor by opening a connection on TCP port 3127. This could allow the virus author access to control an infected machine.
This virus has spread so fast that the anti-virus vendors are still researching it. MyDoom's code is encrypted so it may take awhile for the vendors to assess its true scope. We recommend you intermitently check McAfee's alert for the latest developments.
What you can do
As always, remind your users never to open unexpected attachments from any source.
Most major anti-virus vendors already have signatures that detect MyDoom. Check with your vendor for the latest update. If there is no MyDoom update, search on variant names Novarg, Shimg, or Mimail.R, which are terms for the same virus.
Firebox II / III owners should contact GuardDog MSS to tweak the SMTP proxy if enabled.
Suggestions for GuardDog SOHO users
If you have a SOHO, your best bet to stop this worm is to get new virus definitions from your vendor. Don't open e-mail attachments unless they contain material you requested or expect. Scan e-mail attachments with your anti-virus software, and open them only if they are proven clean.
Suggestions for GuardDog Corporate users
MyDoom uses many attachment types. The Firebox II and III's SMTP Proxy blocks most of MyDoom's attachments by default. However, if not requested to have been enabled, it doesn't block ZIP files by default. Contact GuardDog MSS if you host your own email server and whould like to verify this is inplace for you.
McAfee description of MyDoom
Symantec description of Novarg