Mydoom trouble

By Ben Li

Computers all over the University of Calgary campus were infected with the most recent e-mail virus to hit the Internet on Mon., Jan. 26. After campus e-mail servers were updated to detect the virus, 52,817 copies were intercepted. By 4 p.m., around 100 infected computers on campus, which were attempting to infect other computers, were disconnected from the campus computer network to prevent the spread of Mydoom, also known as Novarg.A.


Leading antivirus software publisher Symantec rates the threat from the fast-moving virus as "severe," and estimates one out of every 12 e-mail messages sent Jan. 26 contained the virus. All users of the Microsoft Windows operating system newer than version 3.1 are vulnerable to infection.


"When a computer is infected, the worm will set up a backdoor into the system… which can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources," according to Symantec. "In addition, the backdoor can download and execute arbitrary files."


The virus also propagates via the Kazaa peer-to-peer file-sharing network and is capable of sending spam to other users. Symantec warns the virus logs users’ keystrokes, which may contain passwords and other sensitive information, and relays that information to attackers.


The virus attempts to evade end-user detection by using a faked "From:" address (found on a previously infected computer), a variety of subject lines (including, but not limited to, "Error," "Status," "Server Report," "Mail Delivery System" and "hello"), and various technical-sounding bodies to entice users to launch the attached file which contains the viral payload.


The viral attachment, which has a generic file name, commonly ending in ".bat," ".exe," ".pif," ".cmd," or ".scr," will integrate with Windows, launching whenever the computer does. It will then send itself to addresses listed in any address books it finds on the computer. If the virus has not been removed by Sun., Feb. 1, it will use infected computers to attack the sco.com web site.
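The lure and attachment traits described above can be turned into a simple mail-gateway check. The following is an added example (not code from the article or from Symantec) that parses a message, flags the subject lines and executable attachment extensions the article lists, and quarantines on an executable attachment; the sample messages are constructed, and the spoofed "From:" address is deliberately not scored because it cannot be verified from headers alone.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Indicators taken from the article: subject lines and attachment extensions used by Mydoom/Novarg.A
MYDOOM_SUBJECTS = {"error", "status", "server report", "mail delivery system", "hello"}
EXEC_EXTENSIONS = (".bat", ".exe", ".pif", ".cmd", ".scr")


def mydoom_indicators(raw: bytes) -> list:
    """Return the list of Mydoom-style indicators found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in MYDOOM_SUBJECTS:
        hits.append("subject:" + subject)
    # Only parts declared as attachments are checked; inline text bodies are ignored
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name.endswith(EXEC_EXTENSIONS):
            hits.append("attachment:" + name)
    return hits


def should_quarantine(raw: bytes) -> bool:
    """Quarantine on any executable attachment; a lure subject alone is only a signal."""
    return any(h.startswith("attachment:") for h in mydoom_indicators(raw))


def build_sample(subject: str, attachment_name: Optional[str]) -> bytes:
    """Construct a sample message (not a real capture) so the filter can be exercised offline."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"  # article: sender is faked from an infected address book
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("See the attached report.")
    if attachment_name:
        # Payload bytes are placeholder junk, not malware
        msg.add_attachment(b"\x00placeholder\x00", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, name in [("Server Report", "document.pif"), ("hello", None), ("Lunch?", "notes.txt")]:
        raw = build_sample(subj, name)
        print(subj, name, mydoom_indicators(raw), "quarantine" if should_quarantine(raw) else "pass")
```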


According to Symantec, the virus will stop spreading Feb. 12, although attackers may continue to use infected computers as a disguise for the true source of their activities and to reference logs of users’ activities.


All major antivirus software publishers have posted free tools to detect and remove the virus on their web sites.


In addition to installing and updating antivirus software regularly, users can prevent the spread of this and many other e-mail viruses by not opening unexpected attachments, or attachments from unknown senders.


Free antivirus software is available to the U of C community at www.ucalgary.ca/it/virus/
