Staying on alert for 'MyDoom'
By Rozana Sani, 29th January 2004 (Computimes)

LOCAL organisations are advised to be on alert following the spread of the W32.Novarg.A@mm mass-mailing worm.

According to National ICT Security and Emergency Response's director Lt Col Husin Jazri, although the situation is under control as at Press time, worm incidents are expected to escalate within the next few days.

"The worm is already wreaking havoc in organisations in countries in the West. We in the East should take advantage of available time to take necessary preventive measures before becoming victims of the worm," he told Computimes on Tuesday.

Husin said anti-virus software companies have already released the virus signature file, so end user organisations should update their anti-virus solutions with the latest signature files.

Commenting on incidents so far, Husin said 10 organisations, representing both the public and private sectors, have filed reports to the Malaysian Computer Emergency Response Team. "One organisation has actually blocked 233 infected e-mail. We can expect to see many more infected e-mail filtered."

Elaborating on the effects of the worm, Husin said it will slow down the e-mail server, and organisations can expect a lot of junk mail coming in. "This worm runs a backdoor component, which it drops as the file, SHIMGAPI.DLL. It opens port 3127 to allow remote users to access and manipulate infected systems."

According to Sophos Asia's managing director Charles Cousins, W32.Novarg.A@mm, also called W32/MyDoom-A, is unlike many other mass-mailing worms in the past because it does not try to seduce users into opening the attachment by offering sexy pictures of celebrities or private messages.

Instead, the worm poses as a technical-sounding message, claiming that the e-mail body has been put in an attached file. Once the file is launched, users put their data and computer straight into the hands of the hackers, he said.

"When the MyDoom worm forwards itself via e-mail, it can create its attachment in either Windows executable or Zip format. It is possible the worm's author did this in an attempt to bypass company filters which try to block .exe files from reaching their users from the outside world," said Cousins.

Sophos has published a detailed analysis and protection against MyDoom on its Web site at http://www.sophos.com/virusinfo/analyses/w32mydooma.html.

Meanwhile, Symantec Security Response has been receiving submissions of MyDoom at approximately the same rate as it initially received submissions of the Sobig.F@mm worm discovered on August 13, 2003. At Press time, it received more than 960 submissions of MyDoom in a nine-hour timeframe.

Symantec customers can protect their computers against MyDoom by updating their virus definitions through LiveUpdate. In addition, the Worm Blocking technology found in the latest Symantec consumer products can automatically detect this threat as it attempts to spread.

Symantec also said the worm would attempt to perform a denial-of-service attack between Feb 1 and Feb 12 against www.sco.com.

The worm would create 64 threads that send HTTP "GET" requests to the SCO site.
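The two network indicators the article describes, the backdoor listening on TCP port 3127 and the 64-thread flood of HTTP GET requests toward www.sco.com, can be checked for in perimeter firewall logs. The following is an added example, not code from the article, Sophos or Symantec; the log line format, the internal prefix 192.0.2., the external addresses and the address 198.51.100.20 standing in for the SCO site are all constructed for illustration.

```python
"""Log checks for the two MyDoom indicators named in the article:
   (1) an internal host accepting inbound connections on TCP 3127 (the backdoor), and
   (2) an internal host opening many outbound TCP/80 connections to the DoS target.
The log format and every address below are constructed for this example."""
import re
from collections import Counter, defaultdict

BACKDOOR_PORT = 3127   # port opened by the SHIMGAPI.DLL backdoor (from the article)
DOS_THREADS = 64       # GET-sending threads per infected host (from the article)

# Assumed log format: "<timestamp> <ACCEPT|DROP> proto=<proto> src=<ip>:<port> dst=<ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def find_backdoor_hosts(records, internal_prefix="192.0.2."):
    """Internal hosts that ACCEPTed an inbound TCP connection on the backdoor port.
    Returns {host: number of distinct external sources that reached it}."""
    sources = defaultdict(set)
    for r in records:
        if (r["action"] == "ACCEPT" and r["proto"] == "tcp"
                and r["dport"] == BACKDOOR_PORT
                and r["dst"].startswith(internal_prefix)
                and not r["src"].startswith(internal_prefix)):
            sources[r["dst"]].add(r["src"])
    return {host: len(srcs) for host, srcs in sources.items()}


def find_dos_participants(records, target_ip, threshold=DOS_THREADS):
    """Internal hosts with at least `threshold` outbound TCP/80 connections to target_ip.
    Returns {host: connection count}."""
    counts = Counter(
        r["src"] for r in records
        if r["proto"] == "tcp" and r["dst"] == target_ip and r["dport"] == 80
    )
    return {host: n for host, n in counts.items() if n >= threshold}


def build_sample_log():
    """Constructed sample: 192.0.2.15 has the backdoor reachable from two outside
    addresses and floods the (assumed) target 198.51.100.20; 192.0.2.16 is probed
    but the firewall drops it; 192.0.2.30 makes one ordinary web request."""
    lines = [
        "2004-02-01T09:00:01 ACCEPT proto=tcp src=203.0.113.7:44012 dst=192.0.2.15:3127",
        "2004-02-01T09:00:05 ACCEPT proto=tcp src=203.0.113.9:50231 dst=192.0.2.15:3127",
        "2004-02-01T09:00:06 DROP proto=tcp src=203.0.113.9:50232 dst=192.0.2.16:3127",
        "2004-02-01T09:00:07 ACCEPT proto=tcp src=192.0.2.30:1040 dst=198.51.100.20:80",
    ]
    for i in range(70):
        lines.append(
            f"2004-02-01T09:01:{i % 60:02d} ACCEPT proto=tcp "
            f"src=192.0.2.15:{1100 + i} dst=198.51.100.20:80"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    print("backdoor reachable on:", find_backdoor_hosts(recs))
    print("DoS participants:", find_dos_participants(recs, "198.51.100.20"))
```

A dropped probe against 3127 is deliberately not reported as an infection, since only an accepted connection shows the backdoor was actually reachable; a host that crosses the 64-connection threshold toward the target is worth isolating and scanning with updated signatures.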

More information on MyDoom can be found at Symantec's Web site at http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html