New e-mail virus detected, PCs vulnerable to data theft, says antivirus firm
at 23:26 on January 26, 2004, EST.
VANCOUVER (CP) - A new computer virus spread via e-mail was detected Monday and an expert says it could quickly clog the Internet and open personal computers to data theft.
The virus, dubbed Mydoom, was confirmed around 4 p.m. EST by technicians at Network Associates Inc., which produces and maintains the McAfee antivirus program, Canadian general manager Jack Sebbag said from Montreal. Symantec Corp., which markets the Norton antivirus program, also posted an alert for the new virus, which it called Norvag.
It said Microsoft Windows operating systems except 3.x were vulnerable but the virus does not affect DOS, Linux, Macintosh, OS/2 or Unix-run computers.
"It's a mass-mailer, meaning it will send at random the e-mail and replicate itself to folks on your personal address book," said Sebbag.
The worm-type virus is contained in an innocuous-looking e-mail attachment and degrades performance on the computer.
The icon used by the file tries to make it appear the attachment is a text file, according to Network Associates' notice. It then copies itself to the local system and sends itself to everyone in the user's e-mail address book.
Symantec's posting said the worm also copies itself to the Kazaa music download directory using various file names.
It appeared to first target large companies in the United States - and their large address books - but quickly spread internationally, said David Perry, global director of education at the antivirus software firm Trend Micro.
Unlike other mass-mailing worms, Mydoom does not attempt to trick victims by promising nude pictures of celebrities or mimicking personal notes. Instead, one of its messages reads: "The message contains Unicode characters and has been sent as a binary attachment."
"Because that sounds like a technical thing, people may be more apt to think it's legitimate and click on it," said Steve Trilling, Symantec's senior director of research.
As more machines are infected, Mydoom could slow down the entire Internet "and that's where the real problem starts to hit," said Sebbag.
He said the virus also appears to have a keystroke-logging capability, "meaning that somebody can actually take over your PC."
"Right now it's not a very big deal but it does have that capability so the worm can actually log into your machine and take it over and steal information."
The worm opens a connection on one of the computer's communications ports, suggesting remote-access capabilities.
"It's a form of spyware," Sebbag said.
Users will know the computer is infected if Notepad is opened and filled with nonsense characters.
Symantec said once found, the worm appears easy to contain and not hard to remove.
Sebbag said the origin of the virus was not known yet but it may have come from North America or Europe.
Network Associates' lab began receiving large samples of the virus from its product users early Monday afternoon.
"That's why we rated the alert status to high," he said, adding it's too early to tell how widespread the virus has become. "It's in the hundreds of thousands at this point."
Sebbag said that, based on the number of samples his firm has received, Mydoom seems to be spreading as fast as or faster than last year's SoBig virus.
Symantec also rated the speed of infection as high.
Last summer, SoBig quickly tied up e-mail systems and slowed down networks but did not damage computers or their data. It followed similar earlier attacks by viruses called LovSan and Blaster.
McAfee software users can find an update to combat the virus at nai.com, while Norton users can find help at www.symantec.com.
STEVE MERTL