Internet VIRUSES Warning message 27-Jul-04

MY DOOM VARIANT


Looks like yet another variation of the MyDoom virus (version MyDoom.M and MyDoom.O) are spreading again. Like all the other versions of MyDoom this one disguises itself as a bounced email or a corporate missive saying that "You may be infected with a virus". The attached file IS the virus. Some versions have .ZIP extensions (which can be opened) and some have .EXE extensions (which in a properly configured system cannot be opened).

The unusual thing about this version is that it actually has a smart engine that, once it discovers an email address in your address book, takes the @companyname.com part and does a Google, Yahoo, AltaVista or Lycos search for that company name and tries to find other email addresses using outside resources (instead of just your own address book). This allows the virus to more easily spread to others in companies that you have in your address book. It also means that even more people will eventually get a copy of the virus. As far as we know this is one of the first viruses to search on-line for additional email addresses to send infections to. If you're listed anywhere in those search engines you're likely to get a copy or three of this - even if you've been isolated in the past.

The virus submits so many searches in such a short time that it's (perhaps inadvertently) creating a Denial of Service attack on the search engines listed above, and potentially slowing down performance on other machines on the same internet segment or email server.

What should I do

Virus Signature updates today from both McAfee and Norton detect and purge this virus. Since it relies on you either opening an executable attachment or unzipping and running one, common sense pretty much will stop this bug in it's tracks. If you get an infection you can use antivirus vendor provided tools to remove it. Look on your network for high rates of usage when nothing else is going on - or significant slowdowns in network speed.

As usual be sure that you don't open attachments that you're not expecting, and keep your system patched and up to date. Be sure to run Antivirus software at all times and update daily. Filter email with .EXE extensions directly (IE Delete them unopened) and be careful about files with ZIP extensions to examine the contents of the zip file to be sure there aren't executable programs inside it.

Additional Resources

CNet News Article: http://news.com.com/MyDoom+variant+slams+mailboxes%2C+search+engines/2100-7349-5283940.html?part=dht&tag=ntop

Symantec Security Response: http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.m@mm.html  (includes a complete manual removal process)

McAfee: http://vil.nai.com/vil/content/v_127033.htm
McAfee Stinger removal tool: http://vil.nai.com/vil/stinger/

This concludes this viruswarning notice,

Cheers,

Lee Drake
Aztek Computer Solutions, Inc.
274 N. Goodman St Suite B269
Rochester, NY 14607
the human side of computing
Email: ldrake@azcomputer.net 
Web: www.azcomputer.net  Office Phone: 585-242-2060
Fax number: 585-242-9441