MyDoom Boom Boom
Hi Zambuck,
Luckily, I didn't get any "unusual" emails today either!
Although, I did get this from Woody at Woody's Window Watch - it's a bit of a rant really: this is what he says:
MyDoom Boom Boom
By now you no doubt know about the latest worm to hit the streets. McAfee calls it MyDoom. So does F-Secure. Symantec/Norton calls it Novarg.
MyDoom's remarkable not because of its technical acumen. This sucker is in the process of clogging up all the email servers around the world because of its remarkable 'social engineering' - in other words it is packaged in a way to make unwary people open it. It has four characteristics that make it interesting / dangerous, depending on your point of view:
First, unlike the quasi-literate cretins who have been spawning worms lately, MyDoom's creator had the presence of mind to create a plausible story to go along with his dirty package. In this case, the worm arrives with a message that says (s p a c e s added to keep from triggering dumb spam filters):
Mail t r a n s a c t i o n failed. Partial message is available.
The message contains Unicode c h a r a c t e r s and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII e n c o d i n g and has been sent as a binary attachment.
At least at first glance, each of those messages seems reasonable enough to warrant looking at the attachment. In many cases, the attachment won't fool any of you because you have Windows set up to show you file name extensions (as we've recommended in Woody's Watch time and time again), and you know that double-clicking on a .bat, .cmd, .exe, .pif, or .scr file is just about as stupid as pointing a loaded gun at your foot. Besides, if you use Outlook 2002 or 2003 with the default security settings, you won't see the file anyway.
But in some cases the attached infected file is stored in a zip, and that's a horse of an entirely different color. Zips get through Outlook - they're innocuous; in and of themselves, zip files can't infect you. But the file(s) that sit inside the zip can be infected, and that's how MyDoom will creep (I use the term intentionally) into any system. That's MyDoom's second interesting twist: burying the infected file in a zip, so it'll get through many systems. Don't immediately panic, you have to open the attached zip file then extract and run the file enclosed within the zip.
The third twist is a real killer. MyDoom packs an infected file into a zip, but it gives the infected file a very long name. I got one infected message with an attached zip that contains a file called akhr.doc <followed by a LOT of spaces> .exe. There were so many spaces that when I opened the zip, Windows didn't even show me the .exe file name extension. (Of course, if you double-click on the akhr.doc<spaces>.exe file, it's run directly as is any other .exe file.) Another infected message arrived with a zipped copy of readme.txt <a LOT of spaces>.exe, another with body.txt <spaces>.scr, another with data.htm<spaces>.exe, and so on. I was quite astounded to see that Windows Explorer, when it opens a zip, doesn't always show the file name extension if the file name is long enough.
The fourth twist? The antivirus software sites are reporting that the worm not only spoofs return addresses - old-hat in this day and age - but it also spoofs Windows icons. I haven't received any messages with spoofed icons, but there are examples on-line of files called document.pif and document.scr that have the icon normally associated with text files. What's wrong with that? Folks who refuse to make Windows show file name extensions will be in for a very nasty surprise if they click on one of those "document" icons and get infected.
You have to force Windows to show you file name extensions. Hiding file name extensions is one of the worst design mistakes Microsoft has ever made, and millions of their customers have paid the price for that decision.
Anyway, MyDoom opens a back door on your system that would (at least in theory) allow a cretin to take over your machine, and/or download and execute any program. (I say "in theory" because at this point there must be ten million computers with open MyDoom back doors; what are the odds somebody's going to pick yours?) Between February 1 and 12, infected systems automatically launch a distributed denial of service attack on www.sco.com, a company of scum-sucking... aw, don't get me started. MyDoom scans your files for email addresses and sends out copies of itself, spoofing the return address, and it puts itself in your KaZaA out box. MyDoom is supposed to stop spreading all by itself on February 12.
The Bottom Line
The bottom line is so important that I put it on the yellow tear-out "cheat sheet" at the front of Windows XP Timesaving Techniques For Dummies:
Buy, install, update, and religiously use a major antivirus package. All of the major packages now have MyDoom/Novarg filters (although it must be said that it took 12 hours for the antivirus companies to respond to MyDoom)
Force Windows to show you file name extensions. If you've ever doubted the necessity, MyDoom's ability to spoof icons should give you much pause.
After you can see file name extensions, watch out for suspicious extensions in e-mail attachments. I have a complete list in the book.
Never open or run a file attached to an e-mail message until you (1) contact the person who sent you the message and verify that he or she specifically sent you the file, and (2) save the file on your hard drive, update your antivirus software's signature file, and run your antivirus software on the file.
Now we all get to watch the Internet slow to a crawl - again - and sift through hundreds of infected messages - again.
As well as those wonderfully helpful automated messages from antivirus packages telling us that we sent infected files - again - when of course we didn't: the worm itself did the dirty deed - again.
Then there's all those failed delivery messages, where worm-generated mail didn't get through to the intended recipient, so the mailer daemon wrote back to me and let me know - again. Gad.
Just delete all these messages, the infected ones and the misdirected replies. The FROM addresses are faked so there's no point in trying to chase down the source.
On top of all that, again, email generally will slow down. Even this issue of WWW will arrive later than we'd like as it gets caught up on servers trying to deal with greatly increased email traffic.
******************************
A real nastie!
HTH though?
Cheers
Mayfly
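A defender-side check for the padded-filename trick Woody describes (akhr.doc followed by a long run of spaces and then .exe inside a zip), added here as an example and not part of the original post or newsletter. The zip archive and its entry names are constructed for illustration; the extension lists are taken from the newsletter's own examples.

```python
import io
import re
import zipfile
from typing import Dict, List, Optional

# Extensions the newsletter warns against double-clicking on Windows.
EXECUTABLE_EXTENSIONS = {".bat", ".cmd", ".exe", ".pif", ".scr"}
# Harmless-looking "decoy" extensions padded in front of the real one.
DECOY_EXTENSIONS = {".doc", ".txt", ".htm", ".html", ".pdf"}

# Matches "<stem>.<decoy><many spaces>.<real>", i.e. the MyDoom naming trick.
PADDED_NAME = re.compile(
    r"^(?P<stem>.+?\.(?P<decoy>[A-Za-z0-9]{1,4}))(?P<pad>\s+)\.(?P<real>[A-Za-z0-9]{1,4})$"
)

def classify_name(name: str) -> Optional[Dict]:
    """Return a finding for a deceptive or executable entry name, else None."""
    lower = name.lower()
    real_ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    if real_ext not in EXECUTABLE_EXTENSIONS:
        return None  # not something Windows would run on double-click
    m = PADDED_NAME.match(name)
    if m and ("." + m.group("decoy").lower()) in DECOY_EXTENSIONS:
        return {"name": name, "reason": "padded double extension",
                "real_ext": real_ext, "padding": len(m.group("pad"))}
    return {"name": name, "reason": "executable attachment",
            "real_ext": real_ext, "padding": 0}

def scan_zip_bytes(data: bytes) -> List[Dict]:
    """Inspect every file entry in an in-memory zip; nothing is extracted or run."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            finding = classify_name(info.filename)
            if finding:
                findings.append(finding)
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample archive modelled on the entry names the newsletter quotes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("akhr.doc" + " " * 60 + ".exe", b"not a real program")
        zf.writestr("body.txt" + " " * 40 + ".scr", b"not a real screensaver")
        zf.writestr("notes.txt", b"harmless text")
        zf.writestr("setup.exe", b"plain executable name")
    return buf.getvalue()
```

Run the scan on an attachment before anyone opens it; a non-empty result is reason to quarantine the message rather than extract the archive.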