Microsoft Corp. has expressed confidence that it may be quite well prepared to avert an attack from the Mydoom worm, which has already brought down SCO.com, the website of a small software provider, the SCO Group Inc. Part of Microsoft's confidence may also stem from the fact that the Mydoom.B variant of the original worm has infected far fewer machines around the world. Software companies have already announced bounties of $250,000 to ensnare the writer of the worm.
Internet security firms around the world have been quoted as saying that e-mail traffic had returned to normal by Thursday last week, after the surge at the start of the week.
The Mydoom attack has brought into focus the way the two problems of viruses and spam are now converging. As with the SoBig worm last year, and now with Mydoom and its cousin Mydoom.B, the worms are capturing machines and converting them into spam-churning zombies. A zombie computer is one that is controlled by a hacker to send out huge amounts of spam, with the owner of the computer unaware that the machine is producing a torrent of spam e-mails.
MyDoom is a mass-mailing worm that masquerades as a test message. MyDoom (w32.mydoom@mm, also known as Novarg, Shimgapi, Shimg, and MiMail.r) takes advantage of the ZIP file format's ability to pass through e-mail filters. It also uses Kazaa to spread. MyDoom arrives as e-mail with the subject line "Mail Delivery System," "Test," or "Mail Transaction Failed." The body text reads: "The message contains Unicode characters and has been sent as a binary attachment." The attached files may include one of the following: document.zip / document.pif / doc.scr / readme.exe / file.zip / message.zip / oia.zip / text.zip.
When the worm is executed, MyDoom adds the following files to the Windows/System subdirectory: shimgapi.exe / taskmon.exe.
If you are running the file-sharing program Kazaa, MyDoom will add a file named activation_crack.scr in this location: C:\Program files\Kazaa\My Shared Folder.
MyDoom also opens Windows Notepad and displays garbage text. In addition, the security companies iDefense and McAfee report that MyDoom opens ports 3127 through 3198 to listen for commands from a remote attacker.
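The e-mail indicators and the listening-port range described above can be turned into a simple triage check. The following is an added example, not code from any vendor named in this article; the function names and the sample message are constructed for illustration, and the indicator values are only those listed in the text.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the article text; nothing else is assumed about the worm.
SUBJECTS = {"mail delivery system", "test", "mail transaction failed"}
ATTACHMENTS = {"document.zip", "document.pif", "doc.scr", "readme.exe",
               "file.zip", "message.zip", "oia.zip", "text.zip"}
BODY_MARKER = "sent as a binary attachment"
BACKDOOR_PORTS = range(3127, 3199)  # 3127 through 3198 inclusive

def score_message(raw):
    """Return the article's indicators that a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in SUBJECTS:
        hits.append("subject:" + subject)
    for part in msg.walk():
        name = part.get_filename()
        if name and name.strip().lower() in ATTACHMENTS:
            hits.append("attachment:" + name.strip().lower())
        elif not name and part.get_content_type() == "text/plain":
            if BODY_MARKER in part.get_content().lower():
                hits.append("body:binary-attachment-text")
    return hits

def suspicious_listeners(ports):
    """Filter a list of locally listening TCP ports down to the reported range."""
    return sorted(p for p in ports if p in BACKDOOR_PORTS)

def build_sample():
    """Constructed sample message (inert placeholder bytes, not a real attachment)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Mail Transaction Failed"
    m.set_content("The message contains Unicode characters and has been "
                  "sent as a binary attachment.")
    m.add_attachment(b"constructed placeholder", maintype="application",
                     subtype="zip", filename="message.zip")
    return m.as_bytes()

if __name__ == "__main__":
    print(score_message(build_sample()))
    print(suspicious_listeners([80, 443, 3127, 3198, 3199]))
```

A subject such as "Test" is common in legitimate mail, so a single hit is a weak signal; a message matching subject, body text and attachment name together is the case worth quarantining.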
Almost all antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, Norman, Sophos, Symantec, or Trend Micro.