anchor link to jump to start of content

The Seattle Times Company NWclassifieds NWsource Business and Technology Home delivery Contact us Search archives
Your account  Today's news index  Weather  Traffic  Movies  Restaurants  Today's events

Wednesday, January 28, 2004 - Page updated at 12:00 A.M.

Weekly interest and loan rates | Northwest stock contest 2004

Tax tips | Consumer affairs | Home values

Q & A: New worm has typical error message as disguise

By Kim Peterson
Seattle Times technology reporter

E-mail E-mail this article
Print Print this article
Print Search archive
An e-mail worm called Mydoom spread rapidly throughout the Internet this week, filling inboxes with nonsense messages and causing some companies to shut down their e-mail systems. But the worm is not as cataclysmic as its name might suggest, unless you're a Utah software company called SCO Group.

Here are answers to some common questions about Mydoom, also known online as Novarg and Mimail.R.

Q. What is this thing?

A. Mydoom is an Internet worm that spreads through e-mail, arriving in messages with various subject lines, message contents and attachment file names. Some of the subject lines include "Server Report" or "Mail Transaction Failed." A typical message says something like, "This message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."

The worm is cleverly disguised to appear as a normal error message, and an unsuspecting e-mail user could inadvertently activate it. The message contains a harmful attachment that, when opened, begins to replicate itself and spread to other computers.

The worm can also spread through the file-sharing program KaZaA.

Q. What machines are vulnerable?

A. The worm runs on most versions of Microsoft's Windows operating system, including Windows 95, 98, ME, NT, 2000 and XP. Macintoshes are not affected.

Q. What does it do?

A. If activated, usually when a person clicks on the attachment, the worm copies itself onto the computer and sends itself to e-mail addresses it finds stored on the user's PC. It also opens up a port that could allow remote users to access the computer.

With the worm's code is a command directing computers to visit, the Web site of The SCO Group, a Lindon, Utah, software company, from Feb. 1 to 12. The idea is to flood the site with so much traffic that it shuts down the system in what is called a denial-of-service attack.

Q. How do I know if I've been infected?

A. This is a tough one. Most viruses and worms don't have any visual indication, said David Perry, global director of education at antivirus company Trend Micro. He said the best way to detect the worm is to get a virus scanner and scan your system. Do not hunt through your program files for anything that looks suspicious, because you might delete something your computer actually needs.

Q. How do I get rid of the worm?

A. Get an anti-virus program for your computer. If you already have one, make sure it's updated with the latest fixes for this worm and other recent computer bugs. Anti-virus software makers have posted updates that will squash Mydoom.

Q. Who created this and where did it come from?

A. Worm authors are very clever when it comes to concealing their identity, and so far, whoever developed Mydoom is keeping quiet. According to one company tracking the worm, it seems it came out of Russia.

Q. Why pick on The SCO Group?

A. No one knows the author's motivation. But SCO is none too popular with members of the open-source software community, mainly because of its recent legal moves. SCO claims it owns part of the underlying code in the Linux open-source operating system and is suing IBM for allegedly adding that code to Linux. Business Week recently called SCO "The Most Hated Company in Tech." SCO announced yesterday it is offering a $250,000 reward for information leading to the arrest and conviction of Mydoom's creator.

Q. How does the worm spread on KaZaA?

A. The music industry might be just a little gleeful that the worm is spreading in part over KaZaA, a file-sharing network where tunes are illegally swapped. Although songs are what's typically shared on KaZaA, just about any digital file can be swapped, including worms. Mydoom copies itself to a user's "My shared folder" on KaZaA, which then leaves it available to be spread over KaZaA's network of users.

Q. Shouldn't my spam filters protect me from this?

A. No, because these are legitimate e-mails in that they are being sent from a person's computer to e-mail addresses on file in that computer. Spam filters can't tell the difference, according to Steven Sundermeier, an executive at antivirus company Central Command, which has given Mydoom a "high-risk" rating.

Q. How does Mydoom compare with other e-mail worms?

A. Sundermeier said yesterday Mydoom's reach is continuing to grow; in its first 24 hours, it spread about as quickly as Sobig-F, one of the biggest worms in 2003. Millions of Mydoom e-mails were circulating yesterday, and Sundermeier said about 450,000 machines worldwide have likely been infected so far. Computers in the United States, Canada and most of Europe were affected, he said.

Q. What lessons are there from this?

A. Perry at Trend Micro said he never opens an e-mail attachment unless he's expecting it. That might be a little extreme, but it's the safest bet. Another strategy is to contact the sender before you open an attachment to make sure the file is legitimate. In this age of scams, spam, worms and bugs, follow a new golden rule: Don't indiscriminately click on things, as tempting as it may seem. "Really, just stop clicking on stuff," Perry said. "Just stop."

Kim Peterson: 206-464-2360

Copyright © 2004 The Seattle Times Company

More business & technology headlines


Today Archive

Advanced search

advertising home
Home delivery | Contact us | Search archive | Site map | Low-graphic
NWclassifieds | NWsource | Advertising info | The Seattle Times Company


Back to topBack to top