One or perhaps two variants of the MyDoom virus have proved sufficiently dangerous that three virus companies have raised their threat assessment warnings.
Win32.MyDoom.BB (also called Win32.MyDoom-AU or Win32.MyDoom-AW) and Win32.MyDoom-O, variants of an older MyDoom virus, have all arisen within the past 24 hours, and security analysts at Computer Associates International, Inc., SophosLabs and McAfee have all issued bulletins warning of their arrival.
They could, in fact, all be the same worm, named differently by different security companies.
In Islandia, N.Y., Computer Associates raised the threat assessment for the variant (Win32.Mydoom-AU, Mydoom BB or Mydoom-AW) to high, due to its pervasiveness and its ability to download the Win32.Gavvo Trojan. The Trojan can recruit the infected machine into a zombie network for further destruction.
The new Mydoom is a worm that spreads via e-mail, searches an infected computer's hard drive for e-mail addresses and then uses major search engines such as Lycos, Altavista, Yahoo and Google to harvest additional addresses in the same domain as the infected computer.
"The variant knocking at the front door is fairly familiar, but it is leaving the back door open to something much more sinister," CA's Simon Perry said in a statement.
"Over the past 18 months we have seen a general trend toward the creation of zombie or slave-machine armies, used to create further attacks against the Internet at large, such as spam or denial of service attacks," he added. "For that reason, we want Internet users to be extra vigilant and are raising the threat assessment to high."
The worm also creates a "mutex" that ensures only one copy of the worm runs at a time. The mutex name is generated by combining the affected machine's name with the string "root" repeated multiple times.
The worm arrives as an e-mail attachment, with a variable subject line and message body.
Sophos analysts warned surfers to be on guard against a new version of the MyDoom worm, which they call MyDoom-O. It emerged overnight, and was first detected at 5:54 p.m. EST on Feb. 16.
It behaves much like the MyDoom-AU worm, and might be the same variant of the original MyDoom worm that disrupted the popular Google website for a short while in July 2004, making it inaccessible to many users as it tried to harvest e-mail addresses from the search engine.
The new version has been repackaged, possibly not by the original author, in an attempt to avoid detection by anti-virus products. It can use the Internet search engines Google, Yahoo, Lycos and AltaVista to try to gather e-mail addresses to send itself to.
"Right now, we're not seeing anything like as many reports of this new version of the MyDoom virus as we did last July, but it is spreading in the wild," Sophos' senior analyst Graham Cluley said. "Computer users who have kept their anti-virus automatically up to date and are wary of opening unsolicited email attachments should have little to fear."
"What is ingenious about the MyDoom-O virus is the way it can find e-mail addresses of potential victims," he added. "Like many other e-mail worms it searches your hard drive for e-mail addresses, but then it uses the domain names it has found to discover other victims via search engines."
McAfee analysts also issued an alert for the worm they refer to as MyDoom-MM, which they elevated to medium risk. That version also surfaced Wednesday, Feb. 16.
All virus companies have updated their virus definition files to combat the worm, and urge subscribers to download the new definitions.
News source: Globetechnology