A new ultrafast Internet worm continued to spread Tuesday,
inundating corporate and home computers with bogus e-mails and
opening systems to hackers.
The worm, called MyDoom or Novarg, spreads through the Internet
by e-mail and is moving from user to user at record levels, sending
hundreds of e-mails a minute. Network security officials labeled it
the fastest-spreading worm ever.
MessageLabs Inc., a New York-based e-mail security company, first
intercepted Novarg on Monday morning. Within 24 hours, the company
said, it had stopped more than 1.2 million copies of Novarg. After
investigation, the company issued a warning saying the worm was
found in one in 12 e-mails sent by the company's users.
"This thing is scary," Ron Newman, chief operating officer of
Houston-based IT security company Secure Commerce Systems, said
Tuesday. Secure Commerce contracts with state and city governments
and large companies.
So far, Dallas-Fort Worth has had no serious outbreaks. IT
security officials with the city of Arlington said they quickly
detected the worm and were able to quarantine it.
Mary Gugliuzza, a spokeswoman for the city of Fort Worth, said
the city had two incidents of external exposure, but network
security isolated them. Brian Lucas, a network administrator with
Texas Christian University, said TCU didn't see a large effect.
But Newman, who has been in IT security for about 15 years and is
responsible for Secure Commerce's Dallas-Fort Worth offices, said he
is worried, given what the worm has done so far.
"We had [recent worms] Blaster and Sobig, and when you look
back, you'll see it took nearly a week before each reached peak
activity," Newman said. "This one was within a few hours. It's an
extreme volume in such a short amount of time."
Newman's assessment parallels those of other IT security
professionals. The Blaster worm shut down the state of Maryland's
Motor Vehicle Administration computer system for two days. The FBI
investigated but has made no arrests.
Novarg, named after language involved in its code, is a bit
different from Blaster. Blaster exploited a problem within the
Microsoft Windows operating system that allowed it to spread by
itself.
In contrast, Novarg is carried in e-mail. The body of the e-mail
typically has an innocuous error message, such as "The message
contains Unicode characters and has been sent as a binary
attachment" or "Mail transaction failed. Partial message is
available."
The message itself is benign; the ailment is carried in the
attachment. Many office workers have been warned about blindly
clicking on an attachment, but because the message seems harmless,
they do so anyway.
When activated, Novarg searches through the computer's address
books and sends itself to e-mail addresses it finds. If the computer
has 1,000 e-mail addresses, 1,000 e-mails will be sent. The worm
places the name of the infected computer's owner in the message
header to further dupe unsuspecting recipients.
Mike Williams, a network administrator with the University of
North Texas, said Tuesday that he figured something was wrong when
he received an e-mail from himself.
"I'm sitting here working and I see an e-mail from me to me," he
said. "And I'm sitting here thinking, I know I didn't send this. I
look into it, and I see it came from a machine in the Geography
Department. Then I knew something was up."
Williams said the university has about 10,000 computers on
campus, with 30,000 to 50,000 e-mail users. The university's virus
protection was able to stop any infections. But the worm still sent
1,400 e-mails in an hour.
"We're fine, but when a virus is found in an e-mail, it alerts
the originator of the message," he said. "So the most we're getting
is people wondering what's going on."
The worm is also set to attack a Utah-based software company's
Web site and shut it down.
The company, the SCO Group, is involved in an intellectual
property lawsuit with IBM and Novell. The company has a dispute over
the Unix operating system, which it owns. SCO said Tuesday that it
is offering $250,000 for information that leads to the arrest of the
culprit. The company said it is working with agents from the Secret
Service and the FBI.
Christopher Faulkner, chief executive of CI Host, a Web host and
data center in Bedford, said that his company has seen up to 5,000
infected e-mails sent per minute. The company hosts about 205,000
Web sites, with about 10 million e-mail accounts.
Faulkner said that the high volume slows down e-mail servers. A
lot of Internet service providers have spam filtering programs that
examine every piece of e-mail sent; if those filters aren't shut
off, he said, the mail servers may grind to a halt.
In order to keep traffic moving, Faulkner said, it would be best
for ISPs to temporarily shut off spam filters and leave e-mail
checks to the computer user's discretion.
Novarg does more than send itself in infected e-mail. It also
installs a "back-door" program that can allow a hacker to gain
access to a computer and either install more malicious software or
use that machine to attack another computer.
Novarg even places a keystroke recorder on a user's PC that can
store and transmit every keystroke -- from credit card numbers to
passwords.
When Florida-based Symantec Corp., the leading expert on Internet
security, first encountered the worm Monday evening, the company
rated it level 3 out of 5 in severity. Tuesday, the company bumped
the rating to level 4, the same level as Blaster and Sobig.
"We have never seen a level 5 rating," said Oliver Friedrichs, a
Symantec senior manager. "Nothing precludes it. We have been lucky.
We are hoping that we don't see a category 5 ever."
Don't catch the worm
Here are some basic tips for staying away from the latest
computer worm, which replicates itself and travels through a
network.
• Your office probably has network precautions, but home users are
vulnerable. The best way to prevent MyDoom-Novarg from infecting
your PC is to scrutinize all e-mail, examining particularly e-mail
with attachments. Be sure you know the source of an attachment
before opening it.
• If unsure of an attachment, don't open it. If possible, examine
its filename extension. So far, the following extensions have been
associated with the Novarg worm: .cmd, .pif, .scr, .exe and .bat.
• Vendors of anti-virus software frequently release virus updates.
Home users need to stay up to date with any anti-virus software.
Users can refer to the Symantec Corp.'s Web site for a list of
active viruses and worms or for software that can remove the worm
from an infected system. Although such removal software cannot
detect bad e-mail or a virus, it is the best solution if an attack
occurs.
-- Star-Telegram