Greg Hewgill (ghewgill) wrote,
Greg Hewgill

another new email worm

Looks like we're in for another round of an email worm. I last wrote about sobig.f when it ended back in September. This new one appears to have been named W32/Mydoom@MM.

So far today I've received over 500 copies of this worm. It has a typical default spamassassin score of 3.0, which is well under the default 5.0 threshold. Those sent with a randomly selected subject line of "Hello" score an extra 2.5 points with spamassassin, pushing them over the threshold. Greylisting appears to have little effect for me, possibly because I'm using a simplified implementation called qgreylist that will more readily let a sender through if they happen to be sending to multiple recipients at a domain.

This worm spreads by claiming to have been sent "as a binary attachment" for some technical-sounding but bogus reason. Susceptible users will open the attachment, which may be inside a zip file, and unwittingly execute the worm code. Once it's executed, it copies itself to various places on your hard drive and injects itself into the startup sequence.

As usual, mydoom sends messages with randomly collected From and To addresses, so if you receive one of these, the person listed in the From field is unrelated to the person whose computer sent you the message. Furthermore, if the email address in the To field does not exist (which is common for this worm because it randomly constructs new email addresses on the fly), the user at the From address will receive a bounce message claiming that they sent a virus.

I've been looking for something unique about the worm emails that I can use to construct a filter to identify them. I thought I had something workable, but realized that the worm messages are carefully crafted to look exactly like a message created by Outlook Express. Even messages from my dad would have triggered the filter I was working on. So, back to the drawing board. I'm working on a different filter now.

Symantec's report (they call this worm W32.Novarg.A@mm) claims that the worm will automatically stop spreading on February 12, 2004. There is no mention of any attempt at time synchronization like there was with the sobig variants, so it is possible that this may continue to propagate from computers with misconfigured clocks beyond its built-in termination date.

Email will be useless tomorrow for a lot of people out there, I think.
Tags: spam

  • partial solar eclipse

    Today there was a partial solar eclipse visible from Austin. It started at 16:17 and ended at 17:59 local time, so I brought my telescope to work…

  • lunar eclipse

    Last year I was disappointed to have missed an opportunity to photograph a lunar eclipse (I ended up getting some lightning pictures the next day…

  • change is unexpected

    While digging through the change in my car for lunch, I noticed a coin that shouldn't be there. Somehow I got a 5 pence piece as change at some…

  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded