Novarg/MyDoom Attacks the Internet

January, 2004

On Monday morning a new and very aggressive email worm began infecting thousands of end users and has drawn the attention of many IT organizations. The new worm, currently dubbed either Novarg or MyDoom, arrives as an email attachment with a forged (randomized) sender address and any of several subject lines.

The worm is reported to be a variant of the Mimail virus, but is distinguished by its payload, which is aimed at the SCO Group: each infected machine is programmed to take part in a denial-of-service attack on the SCO Group's web server beginning February 1.

The body of the email may contain a statement such as "The message cannot be represented in 7-bit ASCII and has been sent as a binary attachment." The attachment is often a Zip archive, and the executable inside may carry any of several extensions, including .exe, .pif, or .scr. It is further disguised with an icon resembling that of a plain text file.

The worm's body is compressed and encrypted to hinder analysis. On execution it installs a copy of itself and adds an entry under the Windows registry Run key so that it is launched at every start-up. It also opens a listening backdoor on TCP port 3127 of the infected system and continually polls a remote host for instructions.

The worm also copies itself into the Kazaa download directory on PCs where that file-sharing program is installed. There it disguises itself under one of seven file names, including Winamp5, RootkitXP, Officecrack and Nuke2004. The body text of the email also varies; another version reads: "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."
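The email and file-share characteristics described in the two passages above can be turned into a simple indicator check. The following script is an added example written for this page; it is not the worm's code and not from the original article. It parses a message with Python's standard email module, flags the quoted body phrases (matched case-insensitively, since the wording varies) and executable attachments (including executables inside a .zip), and scans a folder for copies using the file-name stems the article lists. The sample messages, the zip contents and the name list are constructed for illustration; the article names only four of the seven file names, so the stem list is an assumption about matching, not the worm's full set.

```python
"""Added example: flag Novarg/MyDoom-style indicators in mail and in a shared folder.
Not the worm's code and not from the original article; samples are constructed."""
import email
import io
import os
import tempfile
import zipfile
from email import policy
from email.message import EmailMessage

# Body-text fragments quoted in the article, matched case-insensitively
# because the worm varies the wording ("7-bit ASCII" vs "7-bit ASCII encoding").
BODY_PHRASES = (
    "cannot be represented in 7-bit ascii",
    "has been sent as a binary attachment",
)
# Attachment extensions the article lists; also looked for inside .zip archives.
EXECUTABLE_EXTS = (".exe", ".pif", ".scr")
# Name stems the article reports for copies dropped into the Kazaa share.
# Assumption: only four of the seven names are given, so this list is partial.
KAZAA_STEMS = ("winamp5", "rootkitxp", "officecrack", "nuke2004")


def executable_names(filename, payload):
    """Names of executables carried by one attachment, including zip members."""
    name = (filename or "").lower()
    if name.endswith(EXECUTABLE_EXTS):
        return [filename]
    if name.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]
        except zipfile.BadZipFile:
            return []  # a corrupt archive is left to other checks
    return []


def message_indicators(raw):
    """Return the indicators found in a raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    hits += ["body: " + p for p in BODY_PHRASES if p in text]
    for part in msg.iter_attachments():
        for exe in executable_names(part.get_filename(), part.get_payload(decode=True)):
            hits.append("attachment: " + exe)
    return hits


def shared_folder_copies(directory):
    """Executables in a file-sharing folder whose names match the reported stems."""
    found = []
    for entry in sorted(os.listdir(directory)):
        stem, ext = os.path.splitext(entry.lower())
        if ext in EXECUTABLE_EXTS and stem in KAZAA_STEMS:
            found.append(entry)
    return found


def build_sample(subject, body, attach_name, attach_bytes):
    """Constructed sample message for the demo; not a real capture."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.org"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(attach_bytes, maintype="application",
                     subtype="octet-stream", filename=attach_name)
    return m.as_bytes()


def zipped(member_name, data):
    """Build an in-memory zip holding one member (for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


def demo_mail():
    """Indicators for one constructed suspicious and one constructed benign message."""
    suspicious = build_sample(
        "hello",
        "The message cannot be represented in 7-bit ASCII encoding "
        "and has been sent as a binary attachment.",
        "document.zip", zipped("document.scr", b"MZ" + b"\0" * 64))
    benign = build_sample("Minutes", "Attached are the minutes from Monday.",
                          "minutes.txt", b"Agenda item 1 ...")
    return message_indicators(suspicious), message_indicators(benign)


def demo_folder():
    """Scan a constructed temporary share containing decoy and harmless files."""
    with tempfile.TemporaryDirectory() as d:
        for n in ("Winamp5.exe", "readme.txt", "nuke2004.scr", "Officecrack.zip"):
            open(os.path.join(d, n), "wb").close()
        return shared_folder_copies(d)


if __name__ == "__main__":
    for label, hits in zip(("suspicious", "benign"), demo_mail()):
        print(label, "->", hits or "no indicators")
    print("shared folder ->", demo_folder())
```

The check deliberately looks inside the Zip archive rather than at its name, because the article notes the executable is usually delivered zipped; a filter that only inspects the outer extension would pass the message.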

Initial estimates indicate that the outbreak could be far more serious than that of the SoBig.F virus, which hit millions of users last August.