‘Round and ‘Round We Go

This is getting monotonous. New variants of the same old worms are spreading, and Microsoft is patching the patches.

MyDoom

In late July another variant of the MyDoom worm began circulating on the Internet. You may have received e-mail alerts stating that a virus came from your e-mail address, but that wasn’t really any indication that your computer was infected. However, the message carried with it a small attachment that, when opened, would infect your PC. As is the case with most of the recent e-mail viruses and worms, the sender’s return address was forged, so the true identity couldn’t be determined.

This ability to forge the return address is the reason you can receive so many bogus e-mails about these worms. When the virus or worm displays a different e-mail address from that of the actual sender of the infected e-mail, it makes it very difficult to identify the true sender of the virus, or even to notify them that their computer is infected. Then when such an e-mail is detected by the anti-virus system at the mail gateway of an Internet service provider or on the computer that receives the infected e-mail, an automated warning message concerning the infection is often sent back to the address that is indicated as the sender of the infected message - even when the e-mail was NOT really sent from their address.

You’ll avoid infecting your PC if you delete the message and attachment immediately without opening it. Macintosh users who receive such messages are unaffected by this threat, but should also delete them. If you’ve inadvertently opened any questionable attachments (on PC only) and believe that your PC has become infected, a removal tool is available from vil.nai.com/vil/stinger or securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.m@mm.html.

According to ZDNet News, MyDoom was clogging e-mail accounts around the world Monday July 26th with messages posing as either a returned mail notice or an alert from an IT administrator. McAfee officials warn that the bounced mail spoofs posing as a corporate IT message were realistic enough to fool many workers, and Symantec categorized it as a level 4 “Severe” threat because of its rapid distribution.

In addition to infecting your computer and e-mailing itself to other machines, all versions of MyDoom open a backdoor that makes your machine vulnerable to future attacks. This last MyDoom mass-mailing worm drops and executes a backdoor that is detected as Backdoor.Zincite.A, which listens on TCP port 1034. Then the worm uses its own SMTP engine to send itself to e-mail addresses that it finds on the infected computer, using a spoofed (forged) return address.

The latest version of MyDoom is unique because it uses Internet search engines to find more recipients for its message. Normally the addresses are collected from the local PC’s Windows Address Book, MSN Messenger Buddy list, Outlook Express mailboxes and files with the extensions .WAB, .HTM, .HTML, or .TXT. In addition, this one also searches Altavista, Google, Lycos, and Yahoo for additional e-mail addresses within the domain of e-mail addresses found locally (for example, if it finds user@domain.com, it searches for additional addresses that end in @domain.com).

Google Error

While there’s no evidence that a denial of service was the purpose of the virus, Google and Lycos experienced significant problems as a result of the large number of queries caused by MyDoom infected systems. Researchers believe that the main goal may have been to collect valid e-mail addresses for spammers. Some of the messages claimed to be a bounce caused by a message the user had sent earlier, while others appeared to be a message from the user’s ISP claiming that the user sent spam and should run the attached file. The infected attachment may be zipped, a plain executable or a screen saver (.scr).

MyDoom creates the executable files C:\Windows\services.exe and java.exe, and executes them. A log file is also created, C:\Documents and Setting\Locals~1\Temp\zincite.log. All antivirus vendors have released updates to their signature files to recognize this version of MyDoom, usually identified as ‘M’ or ‘O’.
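A host check for the indicators the article names (the Zincite backdoor listener on TCP port 1034 and the dropped files), written as an added example rather than any vendor’s removal tool. The netstat output is constructed, and the file-existence check is injected so the logic can be exercised without an infected machine.

```python
import re
from typing import Callable, List

BACKDOOR_PORT = 1034  # Backdoor.Zincite.A listener named in the article

# Files the article says the worm drops (Temp path copied as printed there).
DROPPED_FILES = [
    r"C:\Windows\services.exe",
    r"C:\Windows\java.exe",
    r"C:\Documents and Setting\Locals~1\Temp\zincite.log",
]

# Matches a LISTENING line of `netstat -an`: Proto, Local, Foreign, State.
_LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)


def listening_ports(netstat_output: str) -> List[int]:
    """Return the local TCP ports in LISTENING state from `netstat -an` text."""
    ports = []
    for line in netstat_output.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            ports.append(int(m.group(1)))
    return ports


def check_host(netstat_output: str, exists: Callable[[str], bool]) -> List[str]:
    """Return matched indicators (empty list = none). `exists` is injected
    (os.path.exists in real use) so the logic is testable offline."""
    findings = []
    if BACKDOOR_PORT in listening_ports(netstat_output):
        findings.append(f"TCP port {BACKDOOR_PORT} is listening (Zincite backdoor)")
    for path in DROPPED_FILES:
        if exists(path):
            findings.append(f"dropped file present: {path}")
    return findings


# Constructed sample of `netstat -an` output from an infected host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1034           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1045       10.0.0.7:25            ESTABLISHED
"""

if __name__ == "__main__":
    import os
    for finding in check_host(SAMPLE_NETSTAT, os.path.exists):
        print(finding)
```

Run it with `os.path.exists` on a Windows host; a non-empty result means at least one indicator matched and the removal tools above should be run.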

They’re Busy in Redmond

E-mail updates

The changes made by Microsoft in response to all this include an e-mail notification service, an unprecedented number of security updates followed by an out-of-cycle patch release, worm detection and removal tools, and free support for virus-related issues. They apparently recognize that keeping up with all the security breaches for Microsoft products has become a daunting task for end users, and will now send you the latest security information. The necessary steps to subscribe to the new service are the following:

  1. Compose an e-mail to microsoft_security-subscribe-request@announce.microsoft.com. The subject line and the message body are not used to process the subscription request, and can be anything you like.
  2. Send the e-mail.
  3. When you receive a response from them asking you to verify that you really want to subscribe, compose a reply putting OK in the message body, and send it.
  4. You’ll receive two e-mails after that, one telling you that you’ve been added to the subscriber list, and the other with more information about the notification service and its purpose.

Bulletins Released in 2004

Security Bulletins are issued once Microsoft has an update ready to address the vulnerability that has previously been identified. To give you an idea just how bad the problem has gotten, here is a comparison of Windows Security Bulletins released this year. For July, three of them are judged to be “Critical” issues, four are “Severe,” and one is a “Moderate” threat.

July: MS04-018, MS04-019, MS04-020, MS04-021, MS04-022, MS04-023, MS04-024, MS04-025 (www.microsoft.com/security/bulletins/200407_windows.mspx)

June: MS04-016 (www.microsoft.com/security/bulletins/200406_windows.mspx)

May: MS04-015 (www.microsoft.com/security/bulletins/200405_windows.mspx)

April: MS04-011, MS04-012, MS04-013, MS04-014 (www.microsoft.com/security/bulletins/200404_windows.mspx)

March: MS04-008 (www.microsoft.com/security/bulletins/200403_windows.mspx)

February: MS04-004, MS04-006, MS04-007 (www.microsoft.com/security/bulletins/200402_windows.mspx)

January: MS04-003 (www.microsoft.com/security/bulletins/200401_windows.mspx)

If you have Windows 2000 or XP and you’re far behind on patches, you should either collect the updates on another PC and apply them off-line, or at least apply the patch for the Sasser worm first to keep the PC from shutting down while you’re trying to patch it. You can check your PC for the presence of Sasser at www.microsoft.com/security/incident/sasser.mspx, and download the patch for your operating system from the links on the page at www.microsoft.com/technet/security/bulletin/MS04-011.mspx, Microsoft Security Bulletin MS04-011, Security Update for Microsoft Windows (835732).

Removal Tool from Microsoft

Microsoft posted its first multipurpose Worm Removal Tool (KB836528) for Mydoom, Zindos, and Doomjuice at www.microsoft.com/downloads/details.aspx?familyid=c14bfbe4-3d50-464d-a26c-9c287f8a08c5&displaylang=en. This tool (version 4, released 7/29/04) helps to remove the Mydoom.A, Mydoom.B, Mydoom.E, Mydoom.F, Mydoom.G, Mydoom.J, Mydoom.L, Mydoom.O, Zindos.A, Doomjuice.A, and Doomjuice.B worms from infected systems. If a machine is infected with the Mydoom.B worm, the tool also provides the user with the default version of the hosts file and sets the “read-only” attribute for that file, to enable the user to visit previously-blocked Microsoft and antivirus Web sites.

Microsoft points out that the user must be an administrator to run this tool, and notes the following limitations:

“This tool will not:

  • Detect or remove any viruses or worms other than Mydoom.A, Mydoom.B, Mydoom.E, Mydoom.F, Mydoom.G, Mydoom.J, Mydoom.L, Mydoom.O, Zindos.A, Doomjuice.A, and Doomjuice.B
  • Detect or remove future variants of Mydoom, Zindos, or Doomjuice
  • Prevent a machine from being re-infected with Mydoom if, for example, an infected e-mail attachment is re-executed
  • Detect or remove malware that exists on a system as a result of the backdoor component created by a Mydoom variant, besides Zindos.A, Doomjuice.A and Doomjuice.B
  • Delete any e-mail that contains a Mydoom variant
  • Run on any version of Windows NT 4.0”

Free Support

The biggest surprise is that Microsoft has set up a toll-free number for US and Canada (1-866-PCSAFETY) to provide virus-related support at no charge.

Beverly Rosenbaum, a HAL-PC member, is a 1999 and 2000 Houston Press Club “Excellence in Journalism” award winner. She can be reached at trumors@hal-pc.org.