Panda Software Outlines Mydoom.A: timeline of an epidemic
Glendale, CA, February 02, 2004 - Mydoom.A is the fastest spreading
malicious code in history, causing the greatest epidemic ever seen. It is
now estimated that over half a million computers around the world have been
infected, including many thousands of businesses.
In fact, 1 in 4 e-mails in circulation (a total of more than 8 million)
have been infected by this worm.
Financial losses caused by Mydoom.A are incalculable. Last Thursday (Jan
29), CNN estimated that due to loss of productivity and costs of tech
support, the damage could reach 250 million dollars. More information at:
http://money.cnn.com/2004/01/28/technology/mydoom_costs/index.htm.
The mi2g consultancy firm has estimated losses caused by this virus at 38.5
billion dollars.
And the costs of the Mydoom.A epidemic could continue to increase as the
worm is designed to continue spreading until February 12. The rates of
propagation have in fact remained constant with even the occasional
increase.
To help users better understand the situation, Panda Software has published
a timeline of the Mydoom.A epidemic since it first appeared.
Tuesday January 27.
The antivirus laboratories first detected the presence of the new worm. At
the same time, tech support services began to receive the first incidents
(almost continuously) in several countries around the world. Because of
this, and as the worm itself was being analyzed and the antidote created, a
red alert was declared.
The procedure for detecting a virus may be simple to explain, but it is no
simple task. First and foremost, you need the malicious code itself. There
are various sources. One of these is antivirus users sending suspicious
files, either due to their own worries or because the heuristic scan engine
has identified the file as suspicious.
IT experts then reverse engineer the virus code. They discover the internal
code and the functions of the virus. At the same time, in an isolated
network, several computers are infected. These test computers are set up to
record how the virus behaves and its ability to spread.
Once this information is gathered, a ‘vaccine’ is generated. This involves
finding an identifier or ‘signature’ for the virus and creating a mechanism
for disinfecting it. This data is used to create an update to the
antivirus, and is made available to users through the website.
Panda Software quickly made the antidote to Mydoom.A available to its
users.
However, there are still many computers without adequate, updated,
antivirus protection. This meant that Mydoom.A spread unchecked. The worm
is designed to spread rapidly via e-mail.
For this reason, in order to stop Mydoom.A’s explosive propagation, Panda
Software offered all users its free PQremove tool, which detects and
eliminates Mydoom.A from infected computers and restores any changes this
worm has made to the system configuration. This utility can be downloaded
from http://www.pandasoftware.com/download/utilities.
Mydoom.A however continued to spread rapidly, infecting numerous computers,
and gradually confirming its place in history as one of the worst viruses
ever.
Antivirus companies continued to warn users of the dangers, in particular
companies, as they are the chief target of the worm. Some companies were
even reporting that their antiviruses were blocking up to 3,000 e-mails
infected by Mydoom.A trying to enter the network.
Estimates indicated that there were more than a million and a half e-mails
infected by the worm in circulation, and up until then more than 150,000
computers around the world had been affected.
Wednesday January 28.
The Mydoom.A worm was still spreading rapidly. Latest statistics indicated
that one in every twelve e-mails in circulation was carrying this malicious
code. This figure significantly exceeds that reached by Sobig.F (1 in every
17) last summer and which, up until the previous day, was considered the
fastest spreading virus ever.
According to data collected by Panda Software’s online antivirus, Panda
ActiveScan, Mydoom.A had infected six times more computers than Bugbear.B,
the second virus most frequently detected.
Similarly, it was estimated that 300,000 computers worldwide, including
thousands of companies, had been infected by Mydoom.A.
Towards the end of the day, Mydoom.B appeared, a dangerous variant
programmed to prevent antivirus applications from updating. The number of
incidents it caused, however, was not significant.
Thursday January 29.
Mydoom.A was still spreading rapidly. One in every five e-mails was
carrying this worm, making four million infected e-mails currently in
circulation. “Mydoom.A is not reaching higher rates because of the security
measures that companies have adopted after being infected”, explained Luis
Corrons, director of PandaLabs. “But” he added “it isn’t stopping either,
as it is now hitting companies without protection that survived the first
wave of infected messages.”
According to data collected by Panda Software’s online antivirus, Panda
ActiveScan, Mydoom.A had infected six times more computers than Bugbear.B,
the second most frequently detected virus. Corporate environments around
the globe were hit the hardest by Mydoom.A, and for this reason, the number
of infected computers reached 400,000.
Friday January 30.
The number of infections caused by the Mydoom.A worm seemed to have
stabilized, but it still caused almost six times more infections than
Downloader.L, the second virus most frequently detected by Panda
ActiveScan. An estimated 500,000 computers worldwide (mainly in corporate
environments) had been infected by this malicious code. This demonstrated
the magnitude of the activity of this worm, as even though hundreds of
thousands of companies had already cleaned their computers, others were
still being infected.
However, this worm was still spreading and there were 8 million infected
e-mails in circulation, meaning that one out of every four e-mails was
carrying the Mydoom.A worm.
As company activity was interrupted for the weekend, the epidemic was
expected to cool off on Saturday. However, on Sunday, February 1, the worm
was due to launch a distributed denial of service (DDoS) attack against
SCO, in order to prevent users from accessing its website.
However, the fact that this worm’s activity was expected to drop off didn’t
mean that users could drop their guard. Mydoom.A creates a backdoor in
infected computers that allows unauthorized access to malicious users. In
fact, a large amount of activity was detected on the Internet involving
hackers looking for computers infected by Mydoom.A, which are therefore
vulnerable to attack.
For this reason, Panda Software still advised users to install and set up
firewalls. By doing this, they could prevent DDoS and hacker attacks,
neutralizing the effects of this worm.
Saturday January 31.
As business activity slowed down, the epidemic slackened off, although the
number of infections caused by Mydoom.A was still high.
Sunday February 1.
Mydoom.A started to launch its distributed denial of service attack (DDoS)
against the web page of SCO. The web page became unavailable to users.
Monday February 2.
Despite a slight respite in activity over the weekend, the number of
incidents remains high. As the working day began, Mydoom.A kicked back into
action again in countries like Japan.
On a worldwide level, the number of infections caused by Mydoom.A is more
than five times that caused by Downloader.L, the second virus most
frequently detected by Panda ActiveScan. And as business activity resumes
across the world, incidents are on the increase again.
As with the previous day, SCO’s website is out of action.
THE PROPAGATION OF MYDOOM.A
With respect to Mydoom, measuring the rate of propagation is relatively
simple with no need to use external detections. This virus searches for
e-mail addresses in the affected computer, but in order to send e-mails, it
needs to work out the name of the e-mail server used for each mail. To do
this, it tries different combinations of SMTP server addresses, hoping that
one will work.
This behavior however causes a disproportionate increase in attempts to
resolve names in DNS servers. An observation of statistics generated in
root servers gives an insight into virus incidence.
The graph below shows activity in DNS servers administered by RIPE (Réseaux
IP Européens) over the last week (rejected name resolutions).
It shows that the number of rejected requests is much higher than normal.
This is due to attempts to resolve non-existent names.
However, although the number of queries received also increased, it did
not grow as much as the number refused: in the week prior to the
appearance of the virus, there were never more than 5.5 million requests;
when the virus began to spread, this reached 7 million, less than double.
Rejected queries, however, increased more than 100 times.
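As an added example (not code from Panda Software or from this release), the following Python applies the observation above to a resolver log: it counts, per client, rejected (NXDOMAIN) lookups for names that start with the SMTP guess prefixes listed in the technical characteristics, which is exactly the traffic the worm's server guessing produces. The log line format, the client addresses and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Hostname prefixes the worm prepends to a target's mail domain when guessing
# its SMTP server (list taken from the technical characteristics section).
SMTP_GUESS_PREFIXES = ("gate.", "mail.", "mail1.", "mx.", "mx1.", "mxs.",
                       "ns.", "relay.", "smtp.")

# Constructed sample resolver log, one query per line: "<time> <client> <qname> <rcode>".
# The format is an assumption; adapt LINE_RE to your resolver's log lines.
SAMPLE_LOG = """\
10:00:01 192.0.2.10 mail.example.net NXDOMAIN
10:00:01 192.0.2.10 mx.example.net NXDOMAIN
10:00:01 192.0.2.10 mx1.example.net NXDOMAIN
10:00:02 192.0.2.10 smtp.example.net NXDOMAIN
10:00:02 192.0.2.10 relay.example.org NXDOMAIN
10:00:03 192.0.2.10 www.example.com NOERROR
10:00:03 192.0.2.20 www.example.com NOERROR
10:00:04 192.0.2.20 ns.example.org NXDOMAIN
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (client, qname, rcode) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, client, qname, rcode = m.groups()
            yield client, qname.lower(), rcode.upper()


def guessed_smtp_nxdomains(records):
    """Per client: rejected (NXDOMAIN) lookups for names starting with one of the
    worm's SMTP guess prefixes, alongside the client's total query count."""
    stats = defaultdict(lambda: {"guess_nx": 0, "total": 0})
    for client, qname, rcode in records:
        stats[client]["total"] += 1
        if rcode == "NXDOMAIN" and qname.startswith(SMTP_GUESS_PREFIXES):
            stats[client]["guess_nx"] += 1
    return dict(stats)


def suspected_senders(text, min_guess_nx=5, min_ratio=0.5):
    """Clients whose failed SMTP-name guesses exceed an absolute count and a
    share of their own queries (thresholds are illustrative, not from the page)."""
    stats = guessed_smtp_nxdomains(parse_log(text))
    return sorted(client for client, s in stats.items()
                  if s["guess_nx"] >= min_guess_nx
                  and s["guess_nx"] / s["total"] >= min_ratio)
```

Run against the sample, only 192.0.2.10 is flagged; the single failed lookup from 192.0.2.20 stays below both thresholds, which is the distinction between a machine hammering guessed mail hosts and ordinary resolution noise.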
MYDOOM.A TECHNICAL CHARACTERISTICS:
Mydoom.A is a worm that will spread until February 12 2004 via e-mail in a
message with variable characteristics and through the peer-to-peer (P2P)
file sharing program KaZaA.
The message carrying Mydoom.A has the following characteristics:
a) Sender: never the real one. Mydoom.A spoofs the e-mail address from
which it is sent, obviously leading to confusion.
b) Subject: one of the following:
test; hi; hello; Mail Delivery System; Mail Transaction Failed; Server
Report; Status; Error
c) Message text: one of the following:
Mail Transaction Failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary
attachment.
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.
d) Attached file: both the extension and the file name are variable.
Possible names:
DOCUMENT; README; DOC; TEXT; FILE; DATA; TEST; MESSAGE; BODY.
Possible extensions:
PIF; SCR; EXE; CMD; BAT; ZIP.
The file can sometimes have a double extension. If this is the case, the
first will always be one of the following: HTM, TXT or DOC.
Mydoom.A also carries out a distributed denial of service (DDoS) attack
against http://www.sco.com if the system date is between the 1st and 12th
of February 2004. To do this it launches "GET / HTTP/1.1" requests every
1024 milliseconds.
On February 12, 2004, the worm finishes its payload, ending its execution
whenever it is activated.
Mydoom.A downloads a file called SHIMGAPI.DLL, creating a backdoor which
opens the first TCP port available between 3127 and 3198. This backdoor
allows an executable file to be downloaded and run, and acts as a proxy
which could give the hacker remote access to network resources.
Infection by Mydoom.A is easy to recognize as, when it is run, it opens the
Windows notepad (NOTEPAD.EXE) and displays garbled text.
It also creates two files. One of these, TASKMON.EXE, contains a copy of
the worm. The other is called MESSAGE and contains the text displayed in
Notepad when the worm is first run.
Mydoom.A creates several Windows registry entries to ensure it is run every
time the machine is started up.
Mydoom.A spreads via e-mail and the peer-to-peer application KaZaA.
1.- Propagation via e-mail.
Mydoom.A spreads in the following way:
It reaches computers in a file attached to an e-mail. When the file is run,
the computer is infected.
Once the computer is infected, Mydoom.A searches for addresses in files
with the following extensions: HTM, SHT, PHP, ASP, DBX, TBB, ADB, PL, WAB
and TXT.
Mydoom.A sends itself to all addresses it finds and to all contacts in the
Windows address book, using its own SMTP engine. To do this it tries to
open an SMTP session and connect itself to mail servers, by adding the
following prefixes to the domain of the target address:
gate., mail., mail1., mx., mx1., mxs., ns., relay., smtp.
2.- Propagation via KaZaA.
Mydoom.A does the following:
- It creates copies of itself in the shared directory of KaZaA. These
copies have a variable name, which consists of a random file name and a
random extension:
Possible file names: WINAMP5, ICQ2004-FINAL, ACTIVATION_CRACK,
STRIP-GIRL-2.0BDCOM_PATCHES, ROOTKITXP, OFFICE_CRACK, NUKE2004. They can
have the following extensions: PIF, SCR, BAT, EXE.
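The message characteristics listed above translate directly into a mail-gateway check. The Python below is an added example, not Panda Software's code or tooling: the subject, body text, file name and extension lists are copied from the characteristics above, while the function names, the matching rules and the quarantine rule are assumptions.

```python
import re

# Indicator lists copied from the technical characteristics above.
SUBJECTS = {"test", "hi", "hello", "mail delivery system",
            "mail transaction failed", "server report", "status", "error"}
BODIES = (
    "mail transaction failed. partial message is available.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
)
NAMES = {"document", "readme", "doc", "text", "file", "data", "test", "message", "body"}
EXTS = {"pif", "scr", "exe", "cmd", "bat", "zip"}
FIRST_EXTS = {"htm", "txt", "doc"}  # only permitted first part of a double extension

# <name>[.<first ext>].<ext>, e.g. "document.txt.pif" or "readme.zip"
ATTACH_RE = re.compile(r"^([a-z]+)(?:\.([a-z]+))?\.([a-z]+)$")


def attachment_matches(filename):
    """True if the attachment name follows the worm's naming scheme."""
    m = ATTACH_RE.match(filename.strip().lower())
    if not m:
        return False
    name, first_ext, last_ext = m.groups()
    if name not in NAMES or last_ext not in EXTS:
        return False
    return first_ext is None or first_ext in FIRST_EXTS


def mydoom_indicators(subject, body, attachment):
    """List the characteristics a message shares with the worm's mail."""
    hits = []
    if subject.strip().lower() in SUBJECTS:
        hits.append("subject")
    norm_body = " ".join(body.lower().split())  # collapse line wrapping
    if any(text in norm_body for text in BODIES):
        hits.append("body")
    if attachment_matches(attachment):
        hits.append("attachment")
    return hits


def should_quarantine(subject, body, attachment):
    """Quarantine only when the attachment scheme matches and at least one text
    indicator does too, so a lone 'data.exe' or a lone 'hi' is not enough."""
    hits = mydoom_indicators(subject, body, attachment)
    return "attachment" in hits and len(hits) >= 2
```

Because the sender is spoofed, nothing in this check relies on the From address; a bounce-looking message whose "returned" attachment is an executable is the combination that stands out.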
Panda Software advises users to update their antivirus solutions, if they
haven’t already done so. The company has already made the updates to its
products available to its clients to ensure their solutions can detect and
eliminate Mydoom.A. Even though Panda Software’s products can be
automatically updated every day, those whose software is not configured to
update automatically should update their solutions from
http://www.pandasoftware.com/.
Panda Software has also released its PQremove tool, which detects and
eliminates the Mydoom.A worm from infected computers and restores any
changes this worm has made to the system configuration. This utility can be
downloaded from http://www.pandasoftware.com/download/utilities.
Panda Software also offers users its free, online tool Antivirus Checker,
which will inform you of the protection status of your computer. This tool
specifies whether an antivirus is installed, which one, and whether it is
updated, and therefore whether the computer is kept safe from viruses.
Antivirus Checker is available at: http://www.pandasoftware.com/protected.
Users can also detect this and other malicious code using the free, online
antivirus, Panda ActiveScan, which is available on the company’s website at
http://www.pandasoftware.com/.
More detailed information on Mydoom.A is available from Panda Software’s
Virus Encyclopedia.
About PandaLabs
PandaLabs works round the clock in search of new viruses and threats that
could appear in any corner of the globe or that are sent in by users who
have found suspicious files. The PandaLabs team immediately scrutinizes
every malicious code they receive, analyzing its characteristics and
behavior. After completing these tasks, they develop detection and
disinfection routines, which are then distributed, every day, to the users
of Panda Software's antivirus products. As a result, the multinational's
solutions against malicious code are always armed against any threat,
however recent it may be. More information about PandaLabs is available at
http://www.pandasoftware.com/virus_info/pandalabs.
For more information:
Alan Wallace
Tel. (818) 543-6909
