Potentially Devastating New Worm Makes Rounds
A virulent new worm is stuffing inboxes across the Web. Novarg.A, otherwise known as "Mydoom" or "MIMAIL.R", began showing up on the radar screens of antivirus vendors on Monday with a frequency that alarmed security experts.
Early reports indicate that Novarg may soon eclipse the devastating Sobig.F virus should it continue to spread at its current pace.
The virus poses as a returned e-mail using subject headers such as: "Mail Delivery System," "Mail Transaction Failed" and "Test". The message is paired with file attachments containing the viral payload and text stating, "The message contains Unicode characters and has been sent as a binary attachment." Additional characteristics decoded from the virus can be found at Symantec's Security Response Web site.
Aside from mailing itself to the addresses in an infected mail client's address book, Novarg attempts to spread by leveraging popular Windows file-sharing software. Files are copied to the KaZaA download directory, posing as harmless software that will infect anyone unfortunate enough to double-click.
Although recent builds of KaZaA include defensive measures to ward off viruses, Symantec suggests running external security software while the application is in use.
Sharon Ruckerman, Senior Director of Symantec's Security Response, informed BetaNews that Novarg's social engineering design may snare more tech-savvy users who generally follow safe computing practices, thus giving the worm the potential to surpass Sobig in its scope and severity. Symantec reports that the first several hours of virus activity have already exceeded Sobig's trajectory during its first 24 hours.
Despite the bleak outlook depicted by Symantec's findings, Ruckerman pointed out that the worm's severity is a 4 on a scale of 1 to 5 and quipped, "This is not taking the Net down."
Novarg will, however, attempt to take down Utah-based SCO Group's Web site in a massive denial of service attack coordinated for February 1. Contrary to published reports, the attack has not been initiated at this time. The worm has a built-in obsolescence set for February 12, 2004, when it will no longer continue to spread.
BetaNews contacted the ISV shortly after learning of reports that SCO was the target of such an attack. Blake Stowell, Director of Public Relations at SCO, said in a statement, "We've been monitoring the Web traffic and the bandwidth available to respond to those who are trying to access www.sco.com. From our side, everything appears to be normal, but I have been receiving reports from reporters indicating that they are able to access www.sco.com, albeit a little slower than normal. What is usually instantaneous is taking about 30 seconds to come up."
When asked whether or not SCO felt it was peculiar that the worm coincided with the recent LinuxWorld conference in New York, Stowell said, "We won't speculate about the timing of this. To do so would be unfair to the Linux community."
Several prominent UNIX and Linux vendors including IBM have been the defendants in intellectual property lawsuits waged by SCO. SCO claims that its code has been misappropriated into open source offerings.
Advisories issued by antivirus vendors recommend disabling unnecessary network services, monitoring open ports and disallowing remote access on affected systems. At the time of publication, major vendors had already updated virus definitions to catch the worm.
All versions of Windows from 95 up are susceptible to Novarg. DOS, Linux, Macintosh, OS/2, UNIX and Windows 3.x are not vulnerable. Microsoft's Outlook 2000 Service Pack 2 and beyond has default settings that block potentially dangerous attachments; however, users of Outlook Express are at risk.
"The greater danger is to businesses running older versions of Outlook or consumer PCs using e-mail, say, Outlook Express," Senior Jupiter Research Analyst Joe Wilcox told BetaNews. "Microsoft plans to add attachment blocking to Outlook Express, but that update is months away."
The security update will be included in the second service pack for Windows XP, due out later this year.
"The sophistication of the virus is a reminder that hackers and virus writers should be treated as criminals and not noble antisocialists," said Wilcox.