Again a new virus for you Windows users
MyDoom, Shimgapi, Novarg
The virus will try to fool you into opening an attachment with this type of message:
test
The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment.
The message contains Unicode characters and has been sent
as a binary attachment.
Mail transaction failed. Partial message is available.
The attachment contains the virus. Remember that the name of the sender/email address of the sender can be your friend's name even though he/she isn't responsible for the email!
The following snapshot is one virus message that was sent in my name to somebody at Nokia.
Apparently, people are busy out there. I got this email last night in my Inbox. I never sent it, so I immediately did a full system scan and found no viruses. It seems people are able to "use" your email address to send out viruses. I have no idea who the recipient was.
GROUP securiQ.Watchdog
Server: SMTP3
-----------------------------------------------------------------------
Your mail message contained attachments that are restricted from delivery
for security purposes. The restricted attachments have been disabled or
removed and will not function for the recipient.
-----------------------------------------------------------------------
Mail-Info
From: kspaav%40aol.com
To: robert.hofstra%40bunge.com
Rec.: robert.hofstra%40bunge.com
Date: 01/26/2004 06:53:25 PM
Subject: Mail Transaction Failed
-----------------------------------------------------------------------
file is denied: readme.scr
I get mail like that, but my Norton's Anti-Virus program has caught them. My program is set to update continually so I've been very lucky so far. According to what I read in the paper, most of the viruses originate somewhere overseas.
June
I just read that the MyDoom virus first was detected in Russia, so it might have originated there, but who knows?
I have also seen an article in Aftonbladet.se that this virus is one of the nastiest ever. Not only does it multiply by using your address book. It also opens a "back door" in your Windows system which a hacker then can use to monitor everything you do with your computer and even use it himself. And it spreads very fast. So be careful out there.
Sune
Method of Distribution
Via E-mail
The worm arrives attached to an e-mail with a variable Subject and message body. The attachment also uses a variable name and extension. The From address is 'spoofed'.
The Subject may be selected from a long list carried by the worm, or may consist of randomly-generated characters. Examples of possible Subjects include:
Error
hello
HELLO
hi
Hi
Mail Delivery System
Mail Transaction Failed
Server Report
Status
The Message Body may be selected from a list carried by the worm, empty, or consist of randomly-generated, illegible garbage. An example of a Message Body used by the worm:
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.
The Attachment name is chosen from a list carried by the worm, or may consist of randomly-generated characters. Examples of attachment names used by the worm:
Data
Readme
Message
Body
Text
file
doc
document
Attachments also use a variable extension. Extensions used by the worm for its attachment include .bat, .cmd, .pif, .exe, and .scr. The worm may also send itself as a .ZIP archive.
When performing its mass-mailing routine, the worm finds destination e-mail addresses by searching files with the following extensions:
adb
asp
dbx
htm
php
sht
tbb
txt
wab
The worm is coded to stop spreading on February 12, 2004 (it will stop sending e-mails and spreading through KaZaA). However, even if the worm is executed after this date, it will still drop shimgapi.dll and activate the backdoor.
----- Make sure your virus programs are up to date -----