New worm avoids feds for now
The MyDoom worm's author may have avoided .gov and .mil sites to delay the creation of antivirus definitions, a Symantec official says.
A new mass-mailing computer worm that began rapidly spreading throughout the Internet Jan. 26 apparently avoids targeting the e-mail addresses of government agencies, military facilities and large software companies, according to a security expert at a leading antivirus firm.
The worm -- known as MyDoom, W32.Novarg.A@mm, Shimgapi or as a variant of the MiMail worm -- is an encrypted program that creates a mass-mailing of itself, which may clog mail servers or degrade network performance.
By avoiding federal sites and large software companies, the worm's author could be "attempting to get lead time before antivirus definitions" are written to block the worm, said Alfred Huger, senior director of engineering with Symantec Security Response, a unit of Symantec Corp. that tracks and responds to virus outbreaks. If the worm started attacking .mil and .gov e-mail addresses as well as antivirus vendors, then signatures could be written to thwart it much sooner, he said. Symantec and other leading antivirus vendors have pushed out software updates to customers to help protect against the worm.
A likely target appears to be The SCO Group, a provider of Unix software based in Lindon, Utah. SCO has stirred emotions in the Linux community by claiming that important pieces of the open-source operating system are covered by SCO's Unix copyright.
The worm is programmed to instruct infected PCs to send a flood of bogus traffic, or a denial-of-service attack, to SCO's Web server Feb. 1 through Feb. 12. The worm can also drop a backdoor program onto a PC, allowing an intruder to take control of the machine, Huger said.
Although Novarg is comparable to other mass-mailing worms such as Sobig and MiMail, the latest worm is "written a little more robustly," Huger said. Other worms require either a mail server to be present on a network or access to a Domain Name System (DNS) server to spread. This one "comes with both pieces of functionality written in it," he said.
Novarg arrives with an attachment that has an .exe, .scr, .zip or .pif extension and a subject line of "Mail Delivery System," "Test" or "Mail Transaction Failed."