In the few short days since the Mydoom virus appeared on 26 January it has become the fastest spreading virus ever. But what is it, where did it come from and what can you do about it?
If you see messages like this, delete them
Q: I've heard a lot about Mydoom. What is it?
Mydoom is the latest in a long line of viruses or malicious programs that exploit Microsoft products.
This virus uses loopholes in Outlook and plunders its address book looking for e-mail addresses to send itself to. Mydoom is also known as Novarg or Mimail-R. You may have seen e-mail messages turning up in your inbox bearing its signature subject lines (see box below).
The subject lines make the malicious mail look like an error message with the text of the supposedly wrongly sent message in an attachment. Many people have clicked on the attachment to find out which of their messages has not got through and thereby inadvertently infected their machine.
Q: So, just how virulent is it?
Very, perhaps the fastest spreading virus ever. According to mail filtering firm MessageLabs the virus at its height was making up 1 in 12 of all e-mail messages. The former fastest virus, Sobig-F, only managed to reach 1 in every 17 mail messages. In only two days Messagelabs has caught almost 4.6m copies of the program.
Finnish anti-virus firm F-Secure has declared it the worst e-mail worm ever and said the virus was responsible for up to 30% of all e-mail traffic.
MYDOOM SUBJECT LINES
mail delivery system
mail transaction failed
This figure includes messages created by the virus itself, systems automatically responding to the arrival of the message and angry e-mails from people telling others that they are sending out infected mail. As the virus spoofs the sender of any e-mails it sends these messages just generate more traffic.
The virus was thought to have originated in Russia and has now spread to almost 200 countries. It spread swiftly because it was released during the US working day and quickly found its way through corporate networks.
Q: What does Mydoom do to an infected machine?
It plunders your Outlook address book for new addresses to send itself to and then uses its own internal e-mail engine to despatch them. The virus tries to hide its spread by avoiding e-mail addresses of many anti-virus and security firms as well as government and military agencies.
Mydoom also tries to stop PCs contacting the websites of anti-virus companies to get the latest updates to anti-virus software.
MYDOOM MESSAGE TEXT
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.
More worryingly the virus opens up a backdoor on infected machines that can be exploited by anyone with the right tools and know-how. Already security firms have reported an increase in scanning for infected machines which suggests someone is preparing to use these machines for another purpose.
The virus, and the Mydoom.b variant, are also programmed to launch so-called Denial of Service attacks on selected websites after 1 February. The original Mydoom worm targets the website of software firm SCO and the new version is programmed to bombard the Microsoft website with bogus data early next month.
Q: What can I do to protect myself?
Quite a lot.
Regularly update your anti-virus software particularly during outbreaks of this magnitude. Run a virus scanner to see if your system is infected and remove any malicious programs you find. If you have a broadband connection use a personal firewall to close the backdoors that some malicious programs install on your PC.
Be suspicious of e-mail from people that you do not regularly correspond with, especially if the mail message arrives with a file attached. If you get any files bearing suspect subject lines delete them without opening. During a big outbreak it might be worth turning off the preview pane in Outlook.
MYDOOM ATTACHMENT NAMES
Q: How do I know I am infected?
You might not know at all as the virus uses its own e-mail engine to send off infected messages. You might be infected if you have clicked on an attachment and did not get what you expected such as a zip file or a screensaver. However, anti-virus scanners will be able to pick up infections and if you are unsure you should run one of these on your machine to make sure it is clean.
Lots of anti-virus firms have produced tools that will help you clean up an infected PC.