Mydoom Is Fastest Spreading Virus Ever

Mydoom surpasses Sobig.F to become fastest spreading virus ever, with 1 in 12 emails now infected.

British security firm MessageLabs is reporting that this week’s “Mydoom” worm has become the fastest spreading virus ever.

MessageLabs reports it has intercepted more than 1.2 million copies of the new mass-mailer worm known as W32/Mydoom.A-mm and is seeing a peak infection rate of 1 in 12 emails. MessageLabs has issued a high-level alert for businesses.

The worm was first intercepted by MessageLabs on January 26th, 2004 at 8:03 a.m. ET and as of 9:00 a.m. ET January 27th, MessageLabs had stopped more than 1.2 million copies of the virus, while providing 100% protection against the virus for all of its 8,000 business customers worldwide who use the company’s anti-virus service.

In comparison, MessageLabs stopped 1 million copies of SoBig.F within the first 24 hours and recorded a peak infection ratio of 1 in 17 email messages.

Since identifying the email containing the first copy of the Mydoom virus sent from Russia, MessageLabs has intercepted copies of the virus from messages in 168 countries.

“Sobig.F move over,” said Mark Sunner, chief technology officer at MessageLabs. “Mydoom has just surpassed Sobig.F as the fastest spreading virus ever. With a text file icon instead of graphics that lead people to believe it is innocuous, this virus appears to have hit a sweet spot in execution and propagation. Its success and back door Trojan component could further increase the prevalence of open proxies for nefarious purposes.”

General

Mydoom is a mass-mailing worm that attempts to spread via email and by copying itself to any available shared directories used by Kazaa.

The worm harvests addresses from infected machines and targets files with the following extensions: .wab, .adb, .tbb, .dbx, .asp, .php, .sht, .htm, .txt.

Mydoom also tries to randomly generate or guess likely email addresses to send itself to.

In addition, initial analysis suggests that Mydoom opens a connection on TCP port 3127, an indication of a remote access component.

Email characteristics

From: Random, spoofed email address

Subject: Random

Text: Various, including:

  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • Mail transaction failed. Partial message is available.

Attached file: Various, with extensions including .exe, .pif, .cmd, .scr. The attachment often arrives in a zip archive, and is also represented by what appears to be a text file icon, but is in fact an executable.

Size: 22,528 bytes
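The characteristics listed above translate directly into a mail-gateway check. The following is an added example, not MessageLabs' detection logic or anything from the original article: it flags attachments with the listed executable extensions, including ones inside a zip archive, and notes whether the body uses one of the listed bounce-style phrases. The function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the article's "Email characteristics" list.
EXEC_EXTS = (".exe", ".pif", ".cmd", ".scr")
BODY_PHRASES = ("sent as a binary attachment",
                "mail transaction failed. partial message is available")

def risky_names(filename, payload):
    """Return executable-extension names for one attachment, looking inside zips."""
    hits = []
    name = (filename or "").lower()
    if name.endswith(EXEC_EXTS):
        hits.append(name)
    if name.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                hits += [f"{name}!{m.lower()}" for m in zf.namelist()
                         if m.lower().endswith(EXEC_EXTS)]
        except zipfile.BadZipFile:
            hits.append(f"{name}!<unreadable zip>")  # cannot inspect: flag it
    return hits

def scan(raw):
    """Return (attachment_hits, body_phrase_matched) for a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits, phrase = [], False
    for part in msg.walk():
        if part.get_filename():
            hits += risky_names(part.get_filename(),
                                part.get_payload(decode=True) or b"")
        elif part.get_content_type() == "text/plain":
            text = part.get_content().lower()
            phrase = phrase or any(p in text for p in BODY_PHRASES)
    return hits, phrase

def build_sample():
    """Constructed test message: harmless bytes in a zip, not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.scr", b"constructed placeholder bytes")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "test"
    msg.set_content("Mail transaction failed. Partial message is available.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg.as_bytes()
```

The check keys on the file name inside the archive rather than on the icon the user sees, which is the gap the text-file icon exploits.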

Detection

MessageLabs detected all strains of this virus proactively, using its unique and patented Skeptic™ predictive heuristics technology.

For more information please visit: www.messagelabs.com/intelligence
