[LINK] Novarg / Mydoom / Shimg worm update
Rick Welykochy
rick at praxis.com.au
Wed Jan 28 20:36:30 EST 2004
Some Linkers may be interested in what the latest MS-Windows worm actually is and does.
Here we go (big deep breath):
(*) it is a polymorphic variant - it uses techniques devised and perfected
in earlier worms and viruses
(*) it collects email addresses from the infected host using its
own SMTP Mail engine
(*) a forged From: email address (the From: field in the email) is used when
it propagates by email to other users and hosts; this causes headaches
to those innocently receiving bounces when the emailed worm is bounced
back to the infected host for some reason; it seems the From: email
address might be constructed out of random names + random domains,
mixed and matched from the Address book (a typical spammer approach)
(*) installs a backdoor on the infected host that will allow
the host to be "owned" by the perpetrator; this is a popular
method for spammers to create a "zombie" Windows box that is
used as a spam originator or spam relay
(*) launches 63 process threads that each hit the http://www.sco.com homepage
every 300 milliseconds; this is resulting in (another) DDoS (distributed
denial of service) attack on the SCO website; the first such attack was
in early Dec 2003 but not via a worm
(*) the worm is spread by what appears to be a ZIP file attachment; unfortunately,
most people click on this ZIP file, which causes the worm to self-extract
(or perhaps is executed via a hidden .PIF extension?) and execute on their
machine; infection is immediate
The worm is considered high outbreak.
cheers
rickw
---------------------------------------------
Rick Welykochy || Praxis Services Pty Limited
NAFTA might be friendly to investment but it was not all that
friendly to democracy.
-- Bill Moyers
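The DDoS behaviour described in the post (63 threads, each requesting the SCO homepage every 300 ms) is easy to spot from the network side. The following is an added detection example, not code from the post or from any vendor; it assumes a simplified proxy log line format of "<epoch_seconds> <client_ip> <dest_host> <path>" and uses constructed sample traffic.

```python
import re
from collections import defaultdict

# Constructed proxy-style log format (an assumption, not from the post):
# "<epoch_seconds> <client_ip> <dest_host> <path>"
LOG_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<path>\S+)$")


def make_sample_log():
    """Build constructed sample traffic: one quiet client and one client
    behaving like the post describes (63 threads, each hitting the site
    every 300 ms, i.e. roughly 210 requests per second)."""
    base = 1075000000  # arbitrary epoch seconds, late Jan 2004
    lines = [f"{base + 2 * i} 192.0.2.10 www.sco.com /index.html" for i in range(5)]
    for _thread in range(63):
        for k in range(4):  # four rounds, 300 ms apart
            lines.append(f"{base + 0.3 * k:.3f} 192.0.2.20 www.sco.com /")
    return "\n".join(lines)


def flag_http_floods(log_text, target_host, window_s=1.0, max_requests=50):
    """Return {client_ip: peak request count} for clients that sent at least
    max_requests to target_host within any window_s-second window."""
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["host"] == target_host:
            stamps[m["src"]].append(float(m["ts"]))
    flagged = {}
    for src, ts_list in stamps.items():
        ts_list.sort()
        peak, left = 0, 0
        for right, ts in enumerate(ts_list):  # sliding window over sorted timestamps
            while ts - ts_list[left] > window_s:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= max_requests:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for ip, n in flag_http_floods(make_sample_log(), "www.sco.com").items():
        print(f"{ip}: {n} requests to www.sco.com within 1 s (possible worm DDoS client)")
```

A flagged internal client is a candidate for isolation and cleanup; the same per-source rate check works on any outbound proxy or firewall log once the regex is adapted to its format.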