As of Monday morning, a new and very aggressive email worm began infecting thousands of end users and has caught the attention of many IT organizations. The new virus, currently dubbed either Novarg or MyDoom, arrives as an attachment in an email from a randomized sender with various subject lines.
The worm is actually a variant of the Mimail virus, but has the distinction of being directed at the SCO Group. The infected machine is planted with an instruction to attack the SCO Group's web server on Feb 1.
The body of the email may contain a statement such as “The message cannot be represented in 7-bit ASCII and has been sent as a binary attachment.” The file attachment is often in Zip archive format and may pose as a variety of file extensions including .exe, .pif, or .scr. It is further veiled by presenting itself as a Windows icon similar to the text message symbol.
The worm is built in a sophisticated and encrypted format. It has the capability of copying itself into the registry in Windows and will execute at start-up. It also opens a port on the infected system (3127) and continually polls a remote host for instructions.
The virus also copies itself to the Kazaa download directory on PCs that have the file-sharing program loaded. The virus camouflages itself using one of seven file names, including Winamp5, RootkitXP, Officecrack and Nuke2004. Variations in the body text include: “The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.”
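A mail gateway can screen for the message traits described above: the "7-bit ASCII" body statement and an attachment, possibly inside a Zip archive, whose name ends in .exe, .pif or .scr. The following Python sketch is an added example, not code from the original article; the function names are hypothetical and the sample message is constructed with a harmless text member.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Traits named in the article: executable extensions and the body statement.
RISKY_EXT = (".exe", ".pif", ".scr")
BODY_MARKER = "cannot be represented in 7-bit ascii"

def risky_names(filename, payload):
    """Return attachment names, including members of a Zip, with a risky extension."""
    names = [filename]
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            names += zf.namelist()
    except zipfile.BadZipFile:
        pass  # attachment is not a Zip archive; only its own name is checked
    return [n for n in names if n.lower().endswith(RISKY_EXT)]

def triage(raw):
    """Return the reasons to quarantine a raw message (empty list means no match)."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        # Collapse whitespace so line wrapping cannot split the marker.
        text = " ".join(body.get_content().lower().split())
        if BODY_MARKER in text:
            reasons.append("body-marker")
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        for name in risky_names(part.get_filename() or "", payload):
            reasons.append("risky-attachment:" + name)
    return reasons

def build_sample(inner_name, body):
    """Constructed sample: a message with a Zip attachment holding one text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "harmless placeholder")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "hi"
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg.as_bytes()
```

The marker string matches both wordings of the body statement quoted in the article, since they share the text up to "7-bit ASCII".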
Initial estimates on the virus indicate that it could be far more serious than the SoBig.F virus that attacked millions of users last August.
January 2004