
MyDoom predicted to be as bad as Sobig

By Byron Connolly
Christina Torode
Jan 28 2004 12:00AM

Security companies have predicted that the Mydoom mass mailing virus would have as large an impact as last year’s Sobig worm.


MessageLabs on Wednesday morning claimed it had already intercepted 1.7 million copies of the virus -- 100,000 every hour.

The peak infection rate was one in every 12 emails scanned and the virus is currently most active in Australia, the US and Canada, the security company said.

"W32/Mydoom has exceeded the infamous SoBig.F virus in terms of copies intercepted and the number continues to rise," the company said.

Mydoom propagates when a user opens an infected attachment. Once the attachment is opened, the virus copies itself to the system directory, looks for domain names on the machine and gathers email addresses, then starts generating a glut of infected email messages to valid recipients.

The virus also pieces different names and domain names together from a user's system to send out infected emails. "The end result is a significant amount of email emitting from infected machines on an ongoing basis," said Craig Schmugar, virus research manager with Network Associates' McAfee Avert Team.

"This virus just continuously keeps generating names and sending messages as long as the system is up."

Within four hours of identifying the virus, 27,000 machines were infected, Network Associates said.

The proportion of infected emails received by McAfee's customers ranges from one in three to one in eight, Schmugar said.

McAfee, Trend Micro, Sophos and other security vendors released patches for the virus, either last night or this morning, which can be downloaded from the vendors' Web sites.

US-based security solution provider Conqwest sent out an alert last night, and steered its customers to its own Web site or Sophos' and Trend Micro's to download the patch for MyDoom.

"It's crazy because what's happening is this virus is coming in so many different types of executable files and the messages are all different," said Michele Drolet, CEO of Conqwest.

Conqwest also sent out the following warning and explanation to its customers: "W32/MyDoom-A is a worm which travels by e-mail. The worm harvests e-mail addresses from your hard disk and uses randomly chosen addresses for both the 'to' and 'from' fields. This means that the 'from' address is spoofed and does not tell you where the mail really came from.

"W32/MyDoom-A arrives in e-mails with the following characteristics: Subject lines include: error, hello, hi, mail delivery system, mail transaction failed, server report, status, test.

"Attachment names include: body, data, doc, document, file, message, readme, test, and a random collection of characters.

"Attachment extensions include: bat, cmd, exe, pif, scr and zip.

"W32/MyDoom-A attaches itself to e-mails in either EXE (Windows program) or ZIP (Zip archive) format.

"W32/MyDoom-A drops itself to your System folder under the name taskmon.exe. W32/MyDoom-A also drops a file named shimgapi.dll, which is a backdoor program loaded by the worm. The backdoor allows outsiders to connect to TCP port 3127 on your computer.

"W32/MyDoom-A adds the value: Taskmon = taskmon.exe to the following registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

"This means that W32/MyDoom-A loads every time you log on to your computer."
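The message characteristics in the Conqwest warning can be turned into a mail-triage rule. The sketch below is an added example, not code from Conqwest or any vendor named in the article; the function names, the sample messages and the quarantine/review thresholds are assumptions. Because the listed subjects are common words and attachment names may be random, it treats a listed extension as the gate and uses the subject or attachment name only as corroboration.

```python
import email
from email import policy
from email.message import EmailMessage

# Characteristics listed in the Conqwest warning quoted above.
SUBJECTS = {"error", "hello", "hi", "mail delivery system",
            "mail transaction failed", "server report", "status", "test"}
ATTACH_NAMES = {"body", "data", "doc", "document", "file",
                "message", "readme", "test"}
ATTACH_EXTS = {"bat", "cmd", "exe", "pif", "scr", "zip"}


def triage(raw: bytes) -> str:
    """Return 'quarantine', 'review' or 'pass' (thresholds are an assumption)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject_hit = (msg["Subject"] or "").strip().lower() in SUBJECTS
    verdict = "pass"
    for part in msg.walk():  # walk() also covers single-part messages
        filename = (part.get_filename() or "").strip().lower()
        stem, dot, ext = filename.rpartition(".")
        if not dot or ext not in ATTACH_EXTS:
            continue  # no attachment here, or not a listed extension
        # Names may be random characters, so a listed subject is enough
        # to corroborate a listed extension; either match quarantines.
        if subject_hit or stem in ATTACH_NAMES:
            return "quarantine"
        verdict = "review"  # listed extension with nothing else matching
    return verdict


def build_sample(subject: str, filename: str = "") -> bytes:
    """Construct a test message; the payload bytes are inert placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"  # spoofable, so never used for scoring
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("placeholder body")
    if filename:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, name in [("Mail Transaction Failed", "document.pif"),
                       ("status", "qwxzt.scr"), ("Q4 numbers", "report.zip"),
                       ("hi", "")]:
        print(f"{subj!r:28} {name!r:16} -> {triage(build_sample(subj, name))}")
```

The "from" address is deliberately ignored, since the warning states it is spoofed.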
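The host-side indicators in the warning (the two dropped files, the Taskmon Run value and the listener on TCP port 3127) can be checked together against text captured from a machine. This is an added example rather than any vendor's removal tool; the function name and the sample listing, `reg query` and `netstat -an` captures are constructed for illustration.

```python
import re

# Indicators named in the Conqwest warning quoted above.
DROPPED_FILES = {"taskmon.exe", "shimgapi.dll"}
RUN_NAME, RUN_DATA = "taskmon", "taskmon.exe"
BACKDOOR_PORT = 3127


def check_host(system_files, reg_output, netstat_output):
    """Return a sorted list of findings from three captured text inputs."""
    findings = set()
    for name in system_files:
        if name.strip().lower() in DROPPED_FILES:
            findings.add(f"file:{name.strip().lower()}")
    for line in reg_output.splitlines():
        m = re.match(r"\s+(.+?)\s+REG_\w+\s+(.+?)\s*$", line)
        if not m:
            continue  # key header or blank line, not a value row
        # Compare the value name and the executable's base name only.
        data = m.group(2).strip('"').lower().rsplit("\\", 1)[-1]
        if m.group(1).lower() == RUN_NAME and data == RUN_DATA:
            findings.add("run-key:Taskmon")
    for line in netstat_output.splitlines():
        cols = line.split()
        # Only a local listener counts; a remote port 3127 is ignored.
        if (len(cols) >= 4 and cols[0] == "TCP" and cols[3] == "LISTENING"
                and cols[1].rsplit(":", 1)[-1] == str(BACKDOOR_PORT)):
            findings.add(f"listener:tcp/{BACKDOOR_PORT}")
    return sorted(findings)


# Constructed captures (not from a real host): a System-folder listing,
# `reg query` output for the Run key, and `netstat -an` output.
SAMPLE_FILES = ["kernel32.dll", "shimgapi.dll", "TASKMON.EXE"]
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Taskmon    REG_SZ    taskmon.exe
    Updater    REG_SZ    "C:\Program Files\Updater\upd.exe"
"""
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:135     0.0.0.0:0      LISTENING
  TCP    0.0.0.0:3127    0.0.0.0:0      LISTENING
  TCP    10.0.0.5:1042   192.0.2.7:80   ESTABLISHED
"""

if __name__ == "__main__":
    for finding in check_host(SAMPLE_FILES, SAMPLE_REG, SAMPLE_NETSTAT):
        print(finding)
```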
