An e-mail worm that looks like a normal error message but actually contains a malicious program continued to snarl computers around the world on Tuesday.
MessageLabs, which scans e-mail for viruses, said 1 in every 12 messages contained the worm, called Mydoom or Novarg.
Security experts described it as the largest virus-like outbreak in months, one made more problematic by its timing. The worm began spreading rapidly on Monday during business hours in the United States, where the world’s computers are concentrated.
Many recent outbreaks began during Asian business hours — overnight in the United States — allowing anti-virus vendors to develop new defences by the time US companies opened up shop.
”Whenever a virus begins to start in the States, it usually becomes much bigger,” said Vincent Gullotto, an anti-virus researcher at Network Associates.
Some corporate networks were clogged with infected traffic within hours of its appearance, and operators of many systems voluntarily shut down their e-mail to keep the worm from spreading during the cleanup.
Mikko Hypponen, manager of anti-virus research at F-Secure in Finland, estimated that 200 000 to 300 000 computers were hit worldwide.
The worm infects computers using Microsoft Windows operating systems, though other computers were affected by network slowdowns and a flood of bogus messages.
Unlike other mass-mailing worms, Mydoom does not attempt to trick victims by promising nude pictures of celebrities or mimicking personal notes. Instead, one of its messages reads: ”The message contains Unicode characters and has been sent as a binary attachment.”
”Because that sounds like a technical thing, people may be more apt to think it’s legitimate and click on it,” said Steve Trilling, senior director of research at the computer security company Symantec.
Besides sending out tainted e-mail, the program appears to open up a backdoor so hackers can take over the computer later. Symantec said the worm appeared to contain a program that logs keystrokes on infected machines. It could collect username and passwords of unsuspecting users and distribute them to strangers.
Network Associates, however, did not find the keylogging program.
The worm also appears to deposit its payload into folders open to users of the Kazaa file-sharing network. Remote users who download those files and run them could be infected.
The worm was also programmed to flood the website of The SCO Group beginning on February 1. SCO’s site has been targeted in other recent attacks because of its threats to sue users of the Linux operating system in an intellectual property dispute.
Microsoft offers a patch of its Outlook e-mail software to warn users before they open such attachments or prevent them from opening them altogether. Antivirus software also stops infection.
Christopher Budd, a security program manager with Microsoft, said the worm does not appear to take advantage of any Microsoft product vulnerability.
”This is entirely a case of what we would call social engineering -enticing users to take actions that are not in their best interest,” he said.
Mydoom isn’t the first mass-mailing virus of the year. Earlier this month, a worm called ”Bagle” infected computers but seemed to die out quickly. – Sapa-AP