How to Kill the Worm
Mydoom readies its weekend attack, but you can make sure your PC doesn't participate.
Peggy Watt, PC World Friday, January 30, 2004
For the past week, an insidious worm has been crawling into vulnerable systems around the Internet, preparing for attack this weekend--but there's still time to stop it from burrowing in and recruiting your PC to join its planned assault, and to eject it if it's there.
All of the major antivirus vendors have updated their virus definitions to identify and eradicate the fast-moving worm, which goes by several names. It was identified Monday as the Mydoom worm, and is also called Novarg and Mimail.R (a variant of the Mimail worm that appeared in November).
Also available from most antivirus program developers are removal tools to eradicate the pest from an infected system, before it can be recruited into the 12-day-long distributed denial of service attack scheduled to begin February 1. Depending on the variation, the seeded worms are expected to attack Unix software company The SCO Group and Microsoft, say antivirus experts who have studied the pest.
Meet the Worm
You can still avoid having your PC dragged into the melee.
Prevention is best: Update your antivirus program's definition files regularly. Also, avoid opening suspicious e-mail attachments. Because this worm, like many others, harvests addresses from its victims' e-mail address books, an infected message may actually arrive from a known (but unwitting) sender. That's why the security experts urge you to keep your antivirus software current.
Infected messages usually have a random, false sender's address, and any of eight possible subject headers, according to Eugene Kaspersky, head of antivirus research at Kaspersky Labs. His researchers have identified 18 possible names for the attachment that contains the worm, and numerous possible extensions to the file--including the most common file types, such as bat, exe, pif, pdf, zip, tif, mp3, and many others.
Novarg appears on Kazaa under several names, including "winamp5" and "icq2004-final," and with several extensions.
If a user launches an infected file (by clicking on the attachment), the worm installs itself and begins propagating. According to Kaspersky Labs, it opens a Notepad window that displays a series of random characters. The worm also creates two files in the Windows folder, taskmon.exe (the worm carrier) and shimgapi.dll (a Trojan horse program to remotely control the infected system and recruit it for a DoS attack). The worm also registers these files in the system's Registry autorun key to activate the malicious program when the PC restarts.
To spread, the worm scans the disk for e-mail addresses and sends infected messages. It also checks for a Kazaa connection, and if it finds one, copies itself into the public folder for file exchange.
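The attachment-borne spread described above is the kind of thing a mail gateway can hold before a user ever sees it. The following is an added example, not code from the article or from any vendor it names; the extension list, the sample message and the zip it wraps are constructed for illustration, and the filter also looks inside zip attachments because the article lists zip among the extensions the worm uses:

```python
# Added example (not from the article): hold messages whose attachments are
# executables, including executables wrapped in a zip archive.
import email
import io
import zipfile
from email.message import EmailMessage

# Extensions that run as code when double-clicked on Windows. Assumption: a
# defender's choice; the article lists bat, exe, pif and zip among those used.
EXECUTABLE_EXTS = {"exe", "bat", "pif", "scr", "cmd", "com"}


def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def risky_attachments(raw_message: bytes):
    """Return a list of (filename, reason) for attachments that should be held."""
    msg = email.message_from_bytes(raw_message)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body text or a multipart container, not an attachment
        if _ext(name) in EXECUTABLE_EXTS:
            findings.append((name, "executable attachment"))
        elif _ext(name) == "zip":
            payload = part.get_payload(decode=True)  # undo base64 transfer encoding
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    bad = [m for m in zf.namelist() if _ext(m) in EXECUTABLE_EXTS]
            except zipfile.BadZipFile:
                bad = []
                findings.append((name, "unreadable zip"))
            for member in bad:
                findings.append((name, f"zip contains executable {member}"))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a message carrying a zip that wraps an .exe (harmless bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.exe", b"not a real program")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "report"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="document.zip")
    return msg.as_bytes()
```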
Exterminating MyDoom
You can search for and delete the files the worm places on your system, but security experts advise applying the longer-term protection of an antivirus program.
Protection against MyDoom as well as removal programs are available from all the major antivirus vendors, which have been tracking the worm's travels.
F-Secure calls MyDoom the "worst e-mail worm incident in virus history" because of its fast and prolific spread. The company offers a manual, step-by-step detection and removal process, which involves deleting the worm files from your system and from the Windows Registry, as well as re-enabling access to sites blocked by MyDoom. The company offers an array of prevention, detection, and repair tools online.
Antivirus vendor Symantec recently upgraded the worm to a Level 4 threat because of its rapid distribution. A downloadable update to its Norton Antivirus provides definitions and a removal tool.
Symantec calls it W32.Novarg.A@mm but notes its several aliases, including Novarg, Shimgapi, W32/Mydoom@MM, and Win32/Shimg.
McAfee Security, part of Network Associates, also offers a downloadable fix through McAfee VirusScan.
New Tactics
Several security vendors note MyDoom's virulence and its use as a weapon.
"The danger of the integration of virus and spam technologies to create united, dedicated networks for cyber-criminals is becoming a reality," says Eugene Kaspersky, head of antivirus research at Kaspersky Labs. "This problem may well signal a new era in computer virology in the near future, an era marked by even more frequent and serious outbreaks." Kaspersky is also posting regular reports on the worm's progress and its mutations. One variant has shifted the target of the DoS attack from SCO to Microsoft.
BitDefender, which calls the worm Mimail.Q, describes it as "simple, effective, and SCO-unfriendly," noting the pending DoS attack on The SCO Group.
"This is not the only indication that the virus was written by someone trying to make a point, since the virus will also try to avoid annoying certain people by infesting their domains," says Sorin Dudea, head of virus research at BitDefender. He says the worm contains a "do not touch" list of servers it will not infect, including those operated by Google and the University of California at Berkeley.
The security firm is tracking the worm's progress, and notes that it made the Evil Top Ten list for January even though it appeared the last week of the month.
Web hosting service C I Host has developed a virus filter it has dubbed 'Doompster' to extract and eradicate the MyDoom worm from its client systems.
"This virus is spreading as fast as anything we have ever seen," says Christopher Faulkner, CEO of C I Host. "We are taking the infected e-mails and the attachments out of the system." He says that at its peak, the worm appeared to be riding in one of every 12 e-mail messages. The hosting company also reported that response times from major Web sites fell by about 50 percent as MyDoom spread early in the week, although the Internet backbone itself has been largely unaffected.
http://www.pcworld.com/news/article/0,aid,114564,00.asp