Bytware, Inc.

Posts Tagged ‘mydoom’

Mydoom.F Strikes iSeries Shops

Wednesday, February 25th, 2004

A new variant of the Mydoom worm began making its way around the Internet last Friday, and this particularly nasty worm has already caused a great deal of damage to users—including iSeries shops—thanks to its ability to delete files. W32/Mydoom.f@MM, or simply Mydoom.F, is a mass-mailing and share-hopping worm based upon the original Mydoom code. The second variation, Mydoom.B, dropped the worm’s source code, making it readily available to virus writers. Experts believe that Mydoom.F originates from a different author than the original.

Like earlier variants of Mydoom, this new worm launches distributed denial of service (DDoS) attacks, this time against Microsoft and the Recording Industry Association of America (RIAA). In addition, Mydoom.F searches for and deletes files on local and mapped drives. The worm primarily targets image files and Microsoft Word and Excel documents, searching for the extensions .bmp, .avi, .jpg, .sav, .xls, .doc, and .mdb. The worm runs in a loop and deletes additional files on each pass.

Mapped drives need not be physically located on the infected system in order to be affected by Mydoom.F. Drives located on other platforms that can house Windows files can be equally affected.

Bytware, Inc., the Reno, Nevada-based developer of StandGuard Anti-Virus for the IBM eServer iSeries, has been contacted by several iSeries shops that have suffered data loss caused by Mydoom.F infection of networked PCs. The iSeries is generally viewed as invulnerable to viruses. A common practice of scanning the iSeries with a Windows PC through a mapped drive can open a door for worms and viruses to the iSeries.

In addition to file deletion and DDoS attacks, the Mydoom.F worm opens TCP port 1080, and additional ports in the range of 3000 to 5000, in an attempt to allow the author access to infected machines.

Mydoom.F arrives as an e-mail attachment in a variety of file types, including .zip. Upon identifying shared or mapped drives, the worm makes copies of itself as .zip archives or .exe files in different directories using random file names. It also propagates by harvesting e-mail addresses from infected systems and mass-mailing itself using its own SMTP engine.

Most AV vendors have added definitions for Mydoom.F and experts urge users to update their anti-virus software and to protect all systems, including non-Windows platforms that may act as file servers and are attached to Windows PCs via mapped drives.

For more information about Mydoom.F, visit the Network Associates Virus Information Library at http://vil.nai.com/vil/content/v_101038.htm

For more information about iSeries anti-virus protection, visit the main StandGuard Anti-Virus page.

Mydoom hits the iSeries

Thursday, January 29th, 2004

As the original Mydoom worm (W32/Mydoom@MM) continues to spread at blazing speeds around the world, a second variant has been unleashed and is adding to the already overwhelming bandwidth consumption worldwide. In another twist that may have been unexpected by many IT administrators, Mydoom has also hit the iSeries. While the payload of these worms does not directly affect OS/400, a lack of anti-virus protection on the iSeries allows the worm to enter through OS/400 mail and reside in files stored on the iSeries.

StandGuard Anti-Virus, the award-winning anti-virus solution that runs natively on OS/400, has been detecting and removing copies of Mydoom found on the iSeries, according to Bytware customers. StandGuard Anti-Virus is powered by the McAfee scanning engine from Network Associates, rated the top scanning engine by the University of Hamburg Virus Test Center for three consecutive years.

Mydoom can enter the iSeries either through mail that passes through OS/400 or by copying itself to the iSeries from a client PC without the user’s knowledge. Only active scanning of the iSeries can detect the worm once it finds its way onto the system. Leaving the worm undetected can spread the infection to client PCs on your network as well as to other companies and networks with which you exchange information.

Experts say that the best way to fight Mydoom is through the use of standard anti-virus solutions. “Companies that are following recommended practices relating to secure e-mail use should be largely protected against the Mydoom virus and its variants,” explain experts in a new article on Computerworld’s Security website. These practices include vigilantly maintaining up-to-date virus definitions. iSeries security experts, including Carol Woodbury and Patrick Botz, recommend that administrators apply the same virus prevention procedures to their iSeries systems that they apply to their other platforms as a general security best practice.

More about Mydoom

The Mydoom worm has been labeled the most prolific worm ever by some security experts according to an article at SearchSecurity.com. It has shattered the records set in 2003 by the Sobig.F virus, and a new CNN article cites infection rates as high as one in three e-mails. Sobig.F peaked at an infection rate of 1 in 17 e-mails. British security firm MessageLabs reports that they have caught 1.8 million copies of Mydoom in more than 168 countries as of Wednesday, January 28. StandGuard Anti-Virus users are also reporting infections appearing on the iSeries.

The worm is particularly difficult to manage as it utilizes new techniques called “social engineering.” Using these techniques, virus writers attach their work to mail that appears to be a machine-generated error message. The idea is that users trust messages that they believe were generated by a computer as they are accustomed to receiving such messages from administrators and mail servers, especially in corporate settings.

Mydoom arrives as an attachment that can carry one of a number of different file extensions, some of which are routinely allowed by companies including the ZIP format. Many report an attachment that appears to be a text document, but has 60 spaces between the .txt and .exe extensions, preventing users from seeing the true file type. Many users view text documents as innocuous. Security experts say that these techniques are convincing many users who are normally very cautious to open and execute the worm. Mydoom also attempts to spread through file sharing services such as Kazaa if the software is found on an infected system.
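The padded double-extension trick described above (a name ending in ".txt", a long run of spaces, then ".exe") is easy to screen for at the mail gateway. The following is an added illustration, not code from Bytware or StandGuard Anti-Virus: it inspects attachment names, separates the extension a user is likely to see from the one Windows acts on, and flags names whose true extension is executable. The set of executable extensions is an assumption for the example; the page itself only mentions .exe.

```python
import re
from typing import NamedTuple

# Assumed list of extensions Windows executes directly (not taken from the page).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com"}

# Matches "<base><inner ext><whitespace run><final ext>", e.g. "readme.txt<60 spaces>.exe".
# The inner extension is what a user sees; the final one is what Windows uses.
_PADDED = re.compile(
    r"^(?P<base>.*?)(?P<inner>\.[A-Za-z0-9]{1,5})(?P<pad>\s+)(?P<final>\.[A-Za-z0-9]{1,5})$"
)


class Verdict(NamedTuple):
    filename: str
    displayed_ext: str  # extension a reader is likely to notice
    true_ext: str       # extension the operating system acts on
    padding: int        # whitespace characters hiding the true extension
    suspicious: bool


def inspect_attachment_name(name: str) -> Verdict:
    """Classify one attachment filename; padding > 0 means the double-extension trick."""
    m = _PADDED.match(name)
    if m:
        true_ext = m.group("final").lower()
        return Verdict(name, m.group("inner").lower(), true_ext,
                       len(m.group("pad")), true_ext in EXECUTABLE_EXTENSIONS)
    # No padding: the last extension is both the displayed and the true one.
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot >= 0 else ""
    return Verdict(name, ext, ext, 0, ext in EXECUTABLE_EXTENSIONS)


def flag_suspicious(names):
    """Return the verdicts for every name that resolves to an executable extension."""
    return [v for v in (inspect_attachment_name(n) for n in names) if v.suspicious]


# Constructed sample attachment names for the demonstration (not real worm samples).
SAMPLES = [
    "document.txt" + " " * 60 + ".exe",  # the trick the article describes
    "readme.txt",                        # harmless text file
    "message.zip",                       # archive; needs content inspection, not a name check
    "report.doc\t.txt",                  # padded, but the true extension is not executable
    "setup.exe",                         # plain executable, no disguise
]

if __name__ == "__main__":
    for v in flag_suspicious(SAMPLES):
        print(f"{v.filename!r}: shows {v.displayed_ext}, runs as {v.true_ext}, {v.padding} padding chars")
```

A name check like this catches the disguise but says nothing about .zip attachments, which still need their contents scanned.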

The purpose of Mydoom appears to be multifaceted. Both variants target SCO, the Utah-based software company embroiled in a legal battle with IBM over Linux, for a denial of service (DoS) attack on Sunday, February 1, and install a keylogger that captures any text entered into the computer, including credit card numbers and passwords. The worms also open ports on the infected system, including ports 80, 1080, 3127, 3128, 8080, and 10080, and can allow the attacker to gain complete control of the computer. The Mydoom.B variant also targets Microsoft for a DoS attack on Tuesday, February 3, and modifies systems to prevent them from utilizing anti-virus software or accessing security websites.

Mydoom is also known as Novarg, Shimgapi, and Mimail.R.

Learn more in the Midrange Server, Four Hundred Stuff article by Alex Woodie.