boston.com Business your connection to The Boston Globe

E-mail worm floods systems; outbreak seen just beginning

Data security experts worldwide went into crisis mode as the first major computer worm outbreak of 2004 pummeled e-mail systems with millions of malignant messages.

The worm, named Mydoom (also called Novarg), was first detected yesterday afternoon, but within hours had begun flooding the Internet. "It's the worst that we've ever seen," said Jimmy Kuo, a McAfee Fellow at Network Associates Inc., maker of McAfee antivirus software. "We have reports from four of the Fortune 500 companies that they are infected," Kuo said, adding that the Mydoom outbreak had forced a major company to shut down its e-mail service. He declined to name the affected company.

The Mydoom outbreak comes almost exactly one year after the outbreak of SQL Slammer, at the time considered the fastest-spreading computer worm ever. First unleashed in Hong Kong, Slammer brought down large segments of the global Internet in less than one hour. Later in the year, the SoBig and Blaster worms wrought similar havoc.

As with last year's fast-spreading worms, the Mydoom worm directly attacks only computers running Microsoft Corp.'s Windows operating systems. However, the torrents of e-mail sent out by infected machines can swamp computers on the receiving end, no matter which operating system they use.

The worm harvests e-mail addresses stored on infected computers and mails copies of itself to those addresses. Each infected e-mail carries a randomly generated subject line and an attached file. A user who opens the attachment infects his or her own machine, which in turn sends out still more copies of the worm.

In addition, researchers at computer security firm Symantec Inc. reported that Mydoom-infected machines may carry out a distributed "denial of service" attack specifically targeting the website of the SCO Group, a Utah software company which has launched a legal campaign against companies using the Linux operating system. SCO Group has been the target of several such attacks since it sued IBM Corp., claiming that IBM had illegally incorporated SCO software into Linux. In a distributed denial of service attack, many computers send a target a constant stream of traffic that overwhelms the target system, knocking it out of service.

By late yesterday, antivirus companies were posting updates to their software that can detect Mydoom and prevent infection. They were also issuing instructions on how to clean up compromised computers.

To avoid infection, computer users should never open a file attached to an e-mail, even if the mail appears to come from someone they know; the worm forges the sender address using the addresses it has harvested. Contact the person first, and confirm that they sent the message. Some of the common Mydoom attachment extensions are ".exe," ".scr," ".cmd" or ".pif"; the worm may also be compressed as a zip file, with a ".zip" extension. Consumers should also update their antivirus software and scan all incoming messages and attachments.
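The propagation and attachment advice above translate directly into a mail-gateway rule. The following is an added example, not code from the article or from any antivirus vendor: it parses a raw message, flags any attachment whose final extension is one of those the article lists (plus ".bat", an assumed addition), and looks inside ".zip" attachments for the same extensions without extracting them. The sample message, the zip inside it and every address in it are constructed test data.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions the article names as worm carriers; ".bat" is an assumed addition.
RISKY_EXTENSIONS = {".exe", ".scr", ".cmd", ".pif", ".bat"}


def risky_extension(filename):
    """True if the file name ends in an executable extension.
    Only the final extension counts, so 'readme.txt.exe' is still caught;
    trailing dots and spaces are stripped so 'file.exe.' cannot slip past."""
    name = (filename or "").lower().rstrip(". ")
    return any(name.endswith(ext) for ext in RISKY_EXTENSIONS)


def scan_zip(data):
    """List risky members inside a ZIP attachment without extracting it.
    An archive that cannot be parsed is itself reported as a finding."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if risky_extension(member):
                    findings.append(f"zip member {member}")
    except zipfile.BadZipFile:
        findings.append("unreadable zip archive")
    return findings


def scan_message(raw):
    """Parse a raw RFC 5322 message and return the reasons to quarantine it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        ctype = part.get_content_type()
        if risky_extension(filename):
            findings.append(f"executable attachment {filename}")
        elif filename.lower().endswith(".zip") or ctype in (
            "application/zip", "application/x-zip-compressed"
        ):
            findings.extend(f"{filename}: {f}" for f in scan_zip(payload))
    return findings


def build_sample_message():
    """Construct a message shaped like a worm mailing: a forged-looking
    sender, a terse subject, a ZIP wrapping a .scr file and a double-extension
    attachment. Constructed test data, not a real worm sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.scr", b"MZ placeholder, not a real executable")
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"      # constructed, forged-style sender
    msg["To"] = "victim@example.com"
    msg["Subject"] = "hi"
    msg.set_content("See the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    msg.add_attachment(b"MZ placeholder", maintype="application",
                       subtype="octet-stream", filename="readme.txt.pif")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print("quarantine:", finding)
```

Only the last extension is checked on purpose: a name such as "invoice.pdf.exe" is executable on Windows regardless of what precedes the final dot. A zip that fails to parse is flagged rather than passed, since an unreadable archive is exactly what a gateway cannot vouch for.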

Yet despite the countermeasures taken by individuals and companies, Kuo of Network Associates warned that the Mydoom outbreak is only beginning. "Viruses generally take a day or two before they reach their peak and start to slow down," he said. "We expect it's going to be pretty bad."

Hiawatha Bray can be reached at bray@globe.com.
