05:29 PM PST on Tuesday, January 27, 2004
SAN JOSE, Calif. - Network administrators were working to stop a
fast-spreading e-mail worm that looks like a normal error message but
actually contains a malicious program that spreads itself and installs a
program that leaves an open door to infected computers.
The worm - called "Mydoom," "Novarg" or "WORM_MIMAIL.R" - was
replicating itself so quickly that some corporate networks were clogged
with infected traffic within hours of its appearance Monday. Its mail
engine could send out 100 infected e-mail messages in 30 seconds,
experts said.
Security experts say it's the largest virus-like outbreak in months. One
in every 12 messages contained the worm, according to MessageLabs Inc.,
which scans email for viruses.
A manager at a research company in Finland estimated that as many as
300,000 computers may have been hit worldwide.
The worm started spreading quickly during business hours in the United
States Tuesday. Many previous outbreaks had started during Asian
business hours, allowing anti-virus vendors to develop defenses by the
time U.S. companies opened up shop.
It runs on computers running Microsoft Corp.'s Windows operating
systems, though other computers were affected by slow networks and a
flood of bogus messages. About 3,800 infections were confirmed within 45
minutes of its initial discovery, according to the security firm Central
Command.
"This has all the characteristics of being the next big one," said
Steven Sundermeier, Central Command's vice president of products and
services.
It appeared to first target large companies in the United States - and
their computers' large address books - and quickly spread
internationally, said David Perry, global director of education at the
antivirus software firm Trend Micro.
"As far as I can tell right now, it's pretty much everywhere on the
planet," said Vincent Gullotto, vice president of Network Associates'
antivirus emergency response team.
Unlike other mass-mailing worms, Mydoom does not attempt to trick
victims by promising nude pictures of celebrities or mimicking personal
notes. Instead, one of its messages reads: "The message contains Unicode
characters and has been sent as a binary attachment." "Because that
sounds like a technical thing, people may be more apt to think it's
legitimate and click on it," said Steve Trilling, senior director of
research at the computer security company Symantec.
Subject lines also vary but can include phrases like "Mail Delivery
System" and "Mail Transaction Failed." The attachments have ".exe,"
".scr," ".cmd" or ".pif" extensions, and may be compressed as a Zip file.
Besides sending out tainted e-mail, the program appears to open up a
backdoor so that hackers can take over the computer later.
Symantec said the worm appeared to contain a program that logs
keystrokes on infected machines. It could collect usernames and passwords
of unsuspecting users and distribute them to strangers. Network
Associates, however, did not find the keylogging program.
The worm also appears to deposit its payload into folders open to users
of the Kazaa file-sharing network. Remote users who download those files
and run them could be infected.
Symantec also found code that would flood The SCO Group Inc.'s Web site
with requests in an attempt to crash its server, starting Feb. 1. SCO's
site has been targeted in other recent attacks because of its threats to
sue users of the Linux operating system in an intellectual property
dispute. An SCO spokesman did not return a telephone call for comment
Monday.
Microsoft offers a patch for its Outlook e-mail software to warn users
before they open such attachments or prevent them from opening them
altogether. Antivirus software also stops infection.
Christopher Budd, a security program manager with Microsoft, said the
worm does not appear to take advantage of any Microsoft product
vulnerability.
"This is entirely a case of what we would call social engineering -
enticing users to take actions that are not in their best interest," he
said.
Mydoom isn't the first mass-mailing virus of the year. Earlier this
month, a worm called "Bagle" infected computers but seemed to die out
quickly. So far, it's too early to say whether Mydoom will continue to
be a problem or peter out, experts said.
"Over the next 24 to 48 hours, we'll have a much better sense," Trilling
said. "Right now, the trend is only up."