January 27, 2004 12:00 AM

New MyDoom Email Virus Spreads Quickly

Windows IT Pro
InstantDoc ID #41567

   A new email virus called MyDoom is spreading rapidly across the Internet, carrying a dangerous attachment that, when opened, gives attackers access to the user's computer through an electronic backdoor. The attachment targets Windows users, who account for roughly 96 percent of all computer users, and the rate at which this virus is spreading matches that of SoBig.F, previously the fastest-spreading worm of all time. As with earlier email viruses, MyDoom doesn't spread by means of any technical chicanery; it relies instead on users who double-click any attachment they see in their Inboxes. Email users are thus advised not to open attachments from sources they can't verify.
   The sheer amount of traffic generated by the virus has already brought down many networks, and some security experts now believe that the attackers launched the virus as a Denial of Service (DoS) attack on the SCO Group, the UNIX copyright holder that's now suing various Linux companies for copyright infringement. However, the attack is having its most dramatic effect on end users, many of whom are still surprisingly uninformed about the dangers of opening attachments. When users open MyDoom-tainted email attachments, their systems become infected, with two side effects. First, their systems send infected email to all the users in their address books. Second, the virus places a backdoor on their systems that attackers can later exploit.
   MyDoom email is identified by text in the body of the email that reads, "The message contains Unicode characters and has been sent as a binary attachment." The subject lines and attachment names vary. Typical subject lines on infected messages include "Mail Delivery System" and "Mail Transaction Failed." The attachments often appear as .zip files (e.g., document.zip, message.zip, readme.zip) but can have virtually any extension, including .exe, .cmd, or .pif.
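The indicators above (the body sentence, the two subject lines, and the attachment extensions) are enough for a simple mail-gateway check. The following is an added example, not code from the article or from any vendor; the message it scans is constructed inline, and the function and constant names are the example's own.

```python
# Added example (not from the article): flag inbound mail that carries the
# MyDoom traits the article lists. Indicator strings come from the article;
# the sample message below is constructed for illustration only.
import email
from email import policy
from email.message import EmailMessage

BODY_MARKER = ("The message contains Unicode characters and has been sent "
               "as a binary attachment.")
SUBJECTS = {"mail delivery system", "mail transaction failed"}
ATTACHMENT_EXTS = {".zip", ".exe", ".cmd", ".pif"}   # extensions the article names


def mydoom_indicators(raw: bytes) -> list[str]:
    """Return the MyDoom-style indicators found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg["subject"] or "").strip().lower()
    if subject in SUBJECTS:
        hits.append(f"subject: {msg['subject']}")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_MARKER in body.get_content():
        hits.append("body: binary-attachment notice")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in ATTACHMENT_EXTS):
            hits.append(f"attachment: {part.get_filename()}")
    return hits


def build_sample() -> bytes:
    """Constructed message mimicking the traits described above (no real payload)."""
    msg = EmailMessage()
    msg["From"] = "nobody@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Mail Transaction Failed"
    msg.set_content(BODY_MARKER + "\n")
    msg.add_attachment(b"not a real payload", maintype="application",
                       subtype="octet-stream", filename="document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in mydoom_indicators(build_sample()):
        print("flagged:", hit)
```

A message matching two or more indicators is a strong candidate for quarantine; one matching only the attachment extension should be handled by the site's normal executable-attachment policy rather than treated as MyDoom.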
   If you're using an antivirus package, make sure your definitions are up-to-date and follow the manufacturer's instructions for removing MyDoom (which is also identified as Novarg, Shimgapi, and W32/Mydoom.A@mm, depending on the source). F-Secure's Web site has a free disinfection tool for users who don't have antivirus packages.

Note: This article originally noted that the "MyDoom [wa]s spreading rapidly across the Internet" through "UNIX mail servers", which was incorrect. Instead, the virus was ultimately targeting SCO's UNIX servers with a Denial of Service (DoS) attack. My apologies for the condensation of thoughts, which resulted in an unintentional miswording. This is instant publishing, folks, not a grand conspiracy. --Paul


Comments
  • Jeff Brendle
    8 years ago
    Feb 02, 2004

    Seems to me that your statement "spreading rapidly across the Internet through UNIX mail servers" is not correct. You later say that infected Windows hosts "send infected email to all the users in their address book" but you clearly are attempting to mis-place the blame by associating the "dangerous"-ness to UNIX but diverting people from the real source, users on Windows. This ought to be corrected.

  • Paul
    8 years ago
    Feb 02, 2004

    Explain yourself, sir. I understand that this is a .NET magazine, but how exactly is it responsible journalism to say that MyDoom is spreading "through UNIX mail servers"? Please describe in detail what findings you have to show that MyDoom discriminates as to which servers it will traverse the internet using. I would be delighted to understand this previously impossible feat, as would the vast majority of people running mail servers - people who have, based on reliability, flexibility and a reputation for security, chosen not to use the Windows-based alternative.

  • hehe
    8 years ago
    Feb 02, 2004

    "MyDoom is spreading rapidly across the Internet through UNIX mail servers"
    funny guy:)) Microsoft mail servers are immune from viruses? How old are you?

  • Peter da Silva
    8 years ago
    Feb 02, 2004

    " Editor's note: As I've noted numerous times, that's correct. The attack originally targeted SCO's UNIX mail servers and spread from there. --Paul "

    You have that 100% backwards. The attack is aimed at SCO, but it didn't spread from, through, or with the aid of SCO's UNIX mail servers or any other. You're getting the victim mixed up with the assailant.

    And let's keep our eyes on the real problem: it's not UNIX or Windows... you can run servers and clients on any platform without producing a continual flood of email viruses and worms. The basic design of NT security is really quite good... if it wasn't for the continued poor "software hygiene" that results from Microsoft's merge of Windows Explorer with the HTML control and its Internet orientation, things like MyDoom would be occasional blips on the news instead of a monthly purgatory.

  • Peter da Silva
    8 years ago
    Feb 02, 2004

    You have to be kidding me. "through UNIX mail servers"? A properly configured mail server doesn't touch the contents of a mail message and whether it's running on UNIX, Windows, Netware, VMS, OS/2, a Palm Pilot, or a cage full of caffeinated hamsters has got nothing to do with the spread of this or any other virus.

    Or are you implying that UNIX is in such a dominant position in the Internet mail transport environment that any mail, good or bad, is predominantly sent through UNIX mail servers? That's likely enough true, but I don't think that's quite the spin you'd want to see on it. :)

    If you want to lay blame for the spread of this and every other currently extant email virus, blame Microsoft's appalling decision to merge the OS and the Internet. The discretionary access control (orange book class C) provided by Windows NT and its successors is entirely inappropriate for an environment where you're operating primarily on untrusted data. The security model a web browser has to follow is mandatory access control (Orange book class B), and making one subsystem responsible for both forces security and convenience into an even greater conflict than they are at the best of times... and the "cross zone" exploits that so many viruses abuse are the inevitable result.

    When Microsoft announced this... my god, it's getting on for ten years ago now... I banned the use of any application using Microsoft's HTML control to access Internet-based resources: Outlook, Internet Explorer, and so on... and during this time the worst impact we've suffered from any of the big email viruses has been overstuffed mailboxes due to junk from partners that have been infected.

    I don't care what mail client you use, on what platform, except for one: if you use any variant of Outlook or Outlook Express, you're doing the online equivalent of running barefoot through a Hot Ward and snogging all the patients. And then... coming around to my door asking if I'd like to try out the new Ebola variant you've picked up. For the love of god, people, if you have any way to get away from Outlook, do it now.
