More On MyDoom, And Why

By | January 27, 2004

It’s not my intention for loosewire to become a realtime virus news service, but this is a special case, so here’s more on MyDoom/Novarg, the worm that I’ve reported on before.

Doom, it seems, is being prepared for the SCO Group, a company that sells Unix software and has been the focus of several Internet attacks, apparently in response to its legal claims that Linux contains software that violates its intellectual property.

Symantec have just upgraded W32.Novarg.A@mm (also known as W32.Mydoom@mm) from a Level 3 to a Level 4 threat (5 is the highest), based on how fast the threat is spreading, the potential damage and the threat distribution. Like MX Logic, it is comparing the worm to Sobig.F@mm — discovered on August 13, 2003 — in terms of the number of folk submitting it: more than 960 in 9 hours.

Here’s some more information on what it may do to you if you’re infected:

  • the worm copies itself to the system folder as taskmon.exe and listens on all TCP ports in the range 3127 to 3198, allowing hackers to potentially send additional files to be executed by your computer;
  • it propagates by sending itself to addresses found in files with the extensions .htm, .sht, .php, .asp, .dbx, .tbb, .adb, .pl, .wab and .txt;
  • (and here’s the sting) it will also attempt to perform a denial-of-service attack between Feb. 1 and Feb. 12, 2004 against the SCO site: the worm creates 64 threads that send HTTP “GET” requests to it.
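A host-side check for the two local indicators listed above (the taskmon.exe copy and the listening ports 3127 to 3198), added here as an example rather than tooling from Symantec, MX Logic or this post. The netstat-style text and the process list are constructed samples, not captures from an infected machine.

```python
"""Host-side check for the MyDoom/Novarg indicators listed above (added example).
The netstat-style text and process list are constructed samples; on a real host
you would feed in the output of `netstat -an` and a process listing instead."""
import re

BACKDOOR_PORTS = range(3127, 3199)   # TCP 3127-3198 inclusive, per the write-up
DROPPED_NAME = "taskmon.exe"         # name the worm copies itself to in the system folder

# Constructed sample (not a real capture) in Windows `netstat -an` layout.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3198           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3199      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:3128           *:*
"""

# Constructed sample process image paths (not a real capture).
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\System32\svchost.exe",
    r"C:\WINDOWS\System32\taskmon.exe",
]

_LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)

def listening_backdoor_ports(netstat_text):
    """Sorted TCP ports in 3127-3198 found in LISTENING state."""
    hits = set()
    for line in netstat_text.splitlines():
        m = _LISTEN_RE.match(line)
        if m and int(m.group(1)) in BACKDOOR_PORTS:
            hits.add(int(m.group(1)))
    return sorted(hits)

def dropped_file_running(process_paths):
    """True if taskmon.exe runs from a System32/System folder (a lead, not proof)."""
    for path in process_paths:
        parts = path.lower().replace("/", "\\").split("\\")
        if len(parts) >= 2 and parts[-1] == DROPPED_NAME and parts[-2] in ("system32", "system"):
            return True
    return False

def assess(netstat_text, process_paths):
    """Both indicators -> 'likely infected'; one -> 'suspicious'; none -> 'clean'."""
    ports = listening_backdoor_ports(netstat_text)
    dropped = dropped_file_running(process_paths)
    if ports and dropped:
        return "likely infected"
    return "suspicious" if (ports or dropped) else "clean"
```

A single match on either indicator is only a lead: a legitimate program may listen in that range, and a file name alone does not identify the worm.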

One aspect of this that worries me: I’ve noticed it’s not possible (unless I’m missing something) to increase the frequency of automatic virus library updates with Norton Antivirus. In my view updates should be done every day: for example, anyone who has not updated their software in the last few hours will be vulnerable. Yet how many people do that? I’ve noticed my automatic update seems to run once a week, if I’m lucky. There must be a better way of doing this simple task: how about using Norton’s own Level alert ladder, which could be routinely checked remotely by users’ computers? If there’s a dangerous virus in the wild, the software updates; if not, it sticks to its normal schedule. How about it?
