
List:       isn
Subject:    [ISN] New worm avoids feds for now
From:       William Knowles <wk () c4i ! org>
Date:       2004-01-28 10:43:39
Message-ID: Pine.LNX.4.44.0401280443190.31305-100000 () idle ! curiosity ! org

Forwarded from: William Knowles <wk@c4i.org>

http://www.fcw.com/fcw/articles/2004/0126/web-virus-01-27-04.asp

BY Rutrell Yasin 
Jan. 27, 2004

A new mass-mailing computer worm that began rapidly spreading 
throughout the Internet Jan. 26 apparently avoids targeting the e-mail 
addresses of government agencies, military facilities and large 
software companies, according to a security expert at a leading 
antivirus firm.

The worm -- known as MyDoom, W32.Novarg.A@mm, Shimgapi or as a variant 
of the MiMail worm -- is an encrypted program that creates a 
mass-mailing of itself, which may clog mail servers or degrade network 
performance.

By avoiding federal sites and large software companies, the worm's 
author could be "attempting to get lead time before antivirus 
definitions" are written to block the worm, said Alfred Huger, senior 
director of engineering with Symantec Security Response, a unit of 
Symantec Corp. that tracks and responds to virus outbreaks. If the 
worm started attacking .mil and .gov e-mail addresses as well as 
antivirus vendors, then signatures could be written to thwart it much 
sooner, he said. Symantec and other leading antivirus vendors have 
pushed out software updates to customers to help protect against the 
worm.

A likely target appears to be The SCO Group, a provider of Unix 
software based in Lindon, Utah. SCO has stirred emotions in the Linux 
community by claiming that important pieces of the open-source 
operating system are covered by SCO's Unix copyright. The worm is 
programmed to instruct infected PCs to send a flood of bogus traffic, 
or a denial-of-service attack, to SCO's Web server Feb. 1 through Feb. 
12. The worm can also drop a backdoor program onto a PC, allowing an 
intruder to take control of the machine, Huger said.

Although Novarg is comparable to other mass-mailing worms such as 
Sobig and MiMail, the latest worm is "written a little more robustly," 
Huger said. Other worms require either a mail server to be present on 
a network or access to a Domain Naming Server to spread. This one 
"comes with both pieces of functionality written in it," he said.

Novarg arrives with an attachment with an .exe, .scr, .zip, or .pif 
extension and a subject line of "Mail Delivery System," "Test" or 
"Mail Transaction Failed."


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@attrition.org with 'unsubscribe isn'
in the BODY of the mail.