"MyDoom" virus and how to protect your computer from it
By Nowshade Kabir
Posted Saturday, September 4, 2004
Remember the Sobig viruses of last year that wreaked havoc and caused significant financial damage to the corporate world? Well, the first major virus of this year has the potential to beat those attacks easily.
What is MyDoom?
The new virus, which is actually a more virulent variation of the "Mimail" virus, is dubbed MyDoom by antivirus software maker Network Associates Inc. and "Novarg" by rival Symantec Corp.
The virus, first detected around 4 PM EST on Monday, January 26, 2004, immediately started a mail storm throughout the Internet. According to experts, the MyDoom virus is capable of generating up to 8 million infected e-mails in the first 24 hours if it is not slowed down. That is twice the volume produced by the Sobig.F virus, which at its peak last year generated around 3.5 million e-mails on the third day of its outbreak.
Within one hour of its first attack, Network Associates itself received 19,500 e-mails bearing the virus from 3,400 unique Internet addresses.
How does it work?
MyDoom spreads in the same way as any other e-mail-borne virus: an unsuspecting user receives an infected e-mail and activates the virus by opening the attached file. As always, the virus infects only Windows-based PCs. The attached file can carry any of these extensions: ".exe", ".scr", ".cmd" or ".pif".
The randomized subject line of the infected message carries one of several texts, among them: Mail Delivery system, Test, Server report, Hello.
The body of the e-mail shows one of several texts, such as "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment", "The message contains Unicode characters and has been sent as a binary attachment" and "Mail transaction failed. Partial message is available." The idea is to trick users into opening the attachment.
The opened attachment looks like a simple Notepad text file, which most people believe to be safe and incapable of carrying viruses.
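As an added example (not code from the article or its author), here is a small Python mail filter that applies the lure characteristics described above, the randomized subjects, the body texts and the executable attachment extensions, to constructed sample messages. The sample addresses, file names and payload bytes are made up, and the verdict rule (executable attachment alone quarantines, lure text alone is only suspicious) is this example's own choice, so that a genuine bounce notice reusing the same wording is not thrown away.

```python
# Added example (not the article's code): heuristic filter for the MyDoom e-mail lure.
import email
from email import policy
from email.message import EmailMessage

# Lure strings quoted in the article; matching is case-insensitive.
LURE_SUBJECTS = {"mail delivery system", "test", "server report", "hello"}
LURE_BODIES = (
    "cannot be represented in 7-bit ascii encoding",
    "contains unicode characters and has been sent as a binary attachment",
    "mail transaction failed. partial message is available",
)
RISKY_EXTENSIONS = (".exe", ".scr", ".cmd", ".pif")

def classify(raw: str) -> dict:
    # Parse one raw RFC 822 message and return quarantine / suspicious / clean.
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    risky = [n for n in names if n.lower().endswith(RISKY_EXTENSIONS)]
    reasons = []
    if risky:
        reasons.append(f"executable attachment {risky}")
    if subject in LURE_SUBJECTS:
        reasons.append(f"lure subject {subject!r}")
    if any(phrase in body for phrase in LURE_BODIES):
        reasons.append("lure body text")
    # The executable attachment carries the payload, so it alone quarantines.
    # Lure text without it is only suspicious: genuine bounces use similar wording.
    verdict = "quarantine" if risky else ("suspicious" if reasons else "clean")
    return {"verdict": verdict, "reasons": reasons, "attachments": names}

def build_sample(subject: str, body: str, attachment_name=None) -> str:
    # Constructed test message; addresses and payload bytes are made up.
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.org", "you@example.net", subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ-placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()

WORM_SAMPLE = build_sample("Mail Delivery system", "The message cannot be represented "
    "in 7-bit ASCII encoding and has been sent as a binary attachment.", "message.pif")
BOUNCE_SAMPLE = build_sample("Undelivered Mail Returned to Sender",
    "Mail transaction failed. Partial message is available.")
CLEAN_SAMPLE = build_sample("Lunch", "Agenda attached.", "agenda.txt")
```

Running `classify` over the three samples yields quarantine, suspicious and clean respectively; the bounce sample shows why the body text alone should not be a hard block.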
Once a computer gets contaminated with MyDoom, the virus along with the Trojan embedded in it does the following things:
The virus re-sends itself, using a built-in mailing program, to e-mail addresses from the address book of the infected computer. It can send out 100 infected e-mail messages in 30 seconds to addresses stored on the computer. It also fakes the sender's address, showing one of the e-mail addresses randomly selected from the computer's address book, so the virus appears to come from someone other than the person whose computer produced the e-mail.
The virus also copies itself to the Kazaa download directory of the infected computer if the file-sharing program is installed. It camouflages itself under one of seven file names, including Winamp5, RootkitXP, Officecrack and Nuke2004. Kazaa is a file-sharing program widely used by teens to share music among peers.
MyDoom also uses the domains of the e-mail addresses it finds on the infected computer to make up numerous further e-mail addresses in an attempt to spread itself. This tactic is commonly used by spammers and is called a "dictionary attack".
Some experts claim that this virus also drops a file onto infected systems that collects sensitive data such as passwords, user names and credit card information.
The infected e-mails are also programmed to start a denial of service attack on SCO, the controversial software group which claims that important components of the Linux open-source operating system violate its Unix copyrights. In a denial of service attack, thousands of e-mails are sent to one single address in an attempt to shut down a server. The attack clogs the bandwidth, cripples the whole mailing system of the company and forces it either to turn off the server or to change the domain name.
Finally, the virus also opens up communication ports of the infected computer, allowing a hacker to manipulate the machine remotely.
One hack of a virus, isn't it?
What to do?
If you take the following steps, your computer will be virtually safe from similar virus attacks:
- Get an antivirus program and install it on your computer.
- Regularly update your antivirus program.
- Get a firewall and install it. A great free firewall that you can download and install is ZoneAlarm. You can download it from (http://www.zonelabs.com/store/content/home.jsp)
- Regularly get the patches for your version of Windows and update it.
- Use an e-mail filter similar to Eprompter. It gives you the ability to delete unwanted spam or suspicious-looking mail that might contain viruses. Get it free from (http://www.eprompter.com).
- Scan your computer for viruses regularly. A great free tool that scans your computer remotely for viruses and eliminates them is available at (http://housecall.trendmicro.com/housecall/start_corp.asp)
No doubt Microsoft has to do a better job of protecting us from this ongoing slaughter. Until that happens, however, Windows users have to be more vigilant and do everything possible to protect their machines.
About the author
Nowshade Kabir is the founder, primary developer and present CEO of Rusbiz.com. A Ph.D. in Information Technology, he has wide experience in business consulting, international trade and web marketing. Rusbiz is a global B2B e-marketplace with solutions to start and run an online business. You can contact him at mailto:nowshade@rusbiz.com, (http://ezine.rusbiz.com), (http://www.rusbiz.com)