
Mydoom worm is now the worst email worm incident in virus history

Mydoom email worm already bigger than Sobig

Helsinki, Finland - January 28, 2004

The Mydoom email worm, which was first found on January 26th, 2004, has already spread more than Sobig.F. The Sobig.F worm spread massively in August 2003 and until now has held the title of the fastest spreading email worm in history. Email worms are currently the most common virus type in the world. Automatic network worms can spread even faster, but they are not nearly as common.

There are three main reasons behind the fast outbreak of Mydoom:

  1. Social engineering: the worm masks the infected emails to look like system error messages, prompting people to click on them. Also, some of the infected attachments are inside ZIP archives, which might seem less dangerous to users.
  2. Time zones: Unlike most other recent email worm outbreaks, Mydoom was found in the middle of business hours in the USA, and several large corporate networks got infected immediately.
  3. Aggressive collection of email addresses: in addition to sending itself to email addresses found in users’ files, the worm also creates new addresses by guessing common user names and prepending them to the domain names of the email addresses it found. It can also bypass some of the tricks people use to hide their email addresses from spammers.

Although Mydoom (aka Novarg) is now very widespread, it does not pose an immediate threat to infected computers. Mydoom launches a worldwide denial-of-service attack from every infected computer against the website WWW.SCO.COM, which belongs to SCO, a well-known Unix vendor. In fact, some have already nicknamed the virus “ScoBig”. However, this attack should not affect the rest of the internet.

This attack is programmed to start on Sunday, February 1st, at 16:09:18 UTC. The significance of this exact time is not known. It should also be noted that SCO’s web site has suffered several denial-of-service attacks over the last months, but none of them was carried out using viruses. It is also possible that the attack against SCO is just a smokescreen to misdirect attention away from the backdoor component in the virus, which is most likely included in order to facilitate sending spam email messages.

Current estimates indicate that between 20% and 30% of all email traffic worldwide is generated by this worm. F-Secure is urging Internet Service Providers in particular to start dropping infected emails instead of delivering them to end users. F-Secure is releasing information for ISPs on how to reliably detect infected emails in mail queues with minimal processing power. For details, see the virus description. These solutions are available for free and do not require the use of F-Secure’s products.

F-Secure first warned about the Mydoom worm on January 26th at 23:05 UTC by issuing an F-Secure Radar Level 2 Alert. Three hours later the alert was raised to Radar 1, which is the highest level. F-Secure shipped detection of the virus at 23:09 UTC, 1 hour 50 minutes after the first sample of the worm was received.

A detailed technical description, removal instructions and screenshots of the Mydoom worm are available in the F-Secure Virus Description Database at http://www.f-secure.com/v-descs/novarg.shtml.

F-Secure has also released a free tool which can be used to remove Mydoom from infected systems. The tool can be downloaded from http://www.f-secure.com/v-descs/novarg.shtml.

About F-Secure

F-Secure Corporation protects individuals and businesses against computer viruses and other threats coming through the Internet or mobile networks. Our award-winning solutions include antivirus, desktop firewall with intrusion prevention, and network encryption. Our key strength is the speed of response to new threats; for businesses, our solutions also feature centralized management. Founded in 1988, F-Secure has been listed on the Helsinki Exchanges since 1999. We have our headquarters in Helsinki, Finland, and offices in the USA, France, Germany, Sweden, the United Kingdom and Japan. F-Secure is supported by a global ecosystem of value-added resellers and distributors in over 50 countries. F-Secure protection is also available through major Internet Service Providers, such as Deutsche Telekom, and leading mobile equipment manufacturers, such as Nokia.

For more information:

Contact in Finland:

F-Secure Corporation
Mikko Hypponen, Director, Anti-Virus Research
PL 24
FIN-00181 Helsinki
Tel. +358 9 2520 5513
Fax. +358 9 2520 5001
Email: mikko.hypponen@f-secure.com

Contact in the USA:

Heather Deem
F-Secure Inc.
Tel. (408) 350-2178
Email: heather.deem@f-secure.com
