Mydoom worm spreading rapidly

An e-mail worm is rapidly spreading on the internet, clogging e-mail servers and staging an attack on the website of Unix...

An e-mail worm, Mydoom,  is rapidly spreading on the internet, clogging e-mail servers and attacking the website of Unix supplier the SCO Group.

The worm has been given several names by anti-virus software suppliers, including Mydoom, Novarg and Mimail.R.

Experts have agreed that it is spreading faster than Sobig-F, the worm that topped the charts for the most widespread e-mail worm last year.

"It has been moving very quickly for the past three hours and has been generating a hell of a lot of e-mail," said Vincent Gullotto, vice-president of the Anti-Virus Emergency Response Team at Network Associates. Some businesses have shut down their e-mail gateways to block the worm, he added.

This worm has taken off like a rocket, with more than 20,000 interceptions within just two hours of it being discovered, said Ken Durham, director of malicious code at internet security company iDefense.

The worm arrives as an e-mail with an attachment that can have various names and extensions, including .exe, .scr, .zip or .pif. The e-mail can have a variety of subject lines and body texts, but in many cases it will appear to be an error report stating that the message body cannot be displayed and has instead been attached in a file, experts said.

"This is something you might see from a mail system, so you click on the attachment," said Sharon Ruckman, senior director for Symantec Security Response.

Both Network Associates and Symantec agree that when the attached file is executed, the worm scans the system for e-mail addresses and starts forwarding itself to those addresses.

If the victim has a copy of the Kazaa file-sharing application installed, it will also drop several files in the shared files folder in an attempt to spread that way.

Symantec also identified more malicious acts. The worm will install a "key logger" that can capture anything that is entered, including passwords and credit card numbers, Ruckman said.

Furthermore, the worm will start sending requests for data to, which could result in the website going down if enough requests are sent, she said.

SCO has noticed that its website performance has intermittently slowed intermittently.

"It may be showing the early stages of a DOS attack," said SCO spokesman Blake Stowell.

SCO has enraged the open-source community by claiming that the Linux operating system contains software that violates SCO's intellectual property, and has been the subject of various attacks on its website.

Anti-virus software suppliers urge users to update their anti-virus software and be careful when opening e-mail attachments.

Joris Evers writes for IDG News Service

Read more on IT risk management