An eMail worm that looks like a normal error message but actually contains a malicious program continued to snarl computers around the world Jan. 27. Security experts described it as the largest virus-like outbreak in months, one made even more troublesome by its timing.

MessageLabs Inc., which scans eMail messages for viruses, said one in every 12 messages sent on Tuesday contained the worm, called “Mydoom” or “Novarg.”

The worm began spreading rapidly Jan. 26 during business hours in the United States, where the world’s computers are concentrated. Many recent outbreaks began during Asian business hours–overnight in the United States–allowing antivirus vendors to develop new defenses by the time U.S. companies opened.

“Whenever a virus begins to start in the states, it usually becomes much bigger,” said Vincent Gullotto, an antivirus researcher at Network Associates Inc.

Some school and corporate networks were clogged with infected traffic within hours of the worm’s appearance, and operators of many systems voluntarily shut down their eMail programs to keep the worm from spreading during the cleanup.

Mikko Hypponen, manager of anti-virus research at F-Secure Corp. in Finland, estimated that 200,000 to 300,000 computers were hit worldwide.

The worm infects computers using Microsoft Corp.’s Windows operating systems, though other computers were affected by network slowdowns and a flood of bogus messages.

Unlike other mass-mailing worms, Mydoom does not attempt to trick victims by promising nude pictures of celebrities or mimicking personal notes. Instead, one of its messages reads: “The message contains Unicode characters and has been sent as a binary attachment.”

“Because that sounds like a technical thing, people may be more apt to think it’s legitimate and click on it,” said Steve Trilling, senior director of research at the computer security company Symantec Corp.

Besides sending out tainted eMail, the program appears to open up a backdoor so hackers can take over the computer later.

Hackers, for instance, could later install programs that log keystrokes on infected machines, collecting username and passwords of unsuspecting users and distributing them to strangers. Symantec, however, backed away from earlier statements that such a program was included with the worm.

The worm also places copies of itself in folders used for sharing files through the Kazaa file-sharing network. Remote users who download those files and run them could be infected. Security experts say the spread through Kazaa is minor compared with eMail.

The worm also was programmed to flood the web site of The SCO Group Inc. beginning on Feb. 1 with service requests in an attempt to bring the company’s network down. SCO’s site has been targeted in other recent attacks because of its threats to sue users of the Linux operating system in an intellectual property dispute.

Microsoft offers a patch of its Outlook eMail software to warn users before they open such attachments or prevent them from opening them altogether. Up-to-date antivirus software also stops infection.

Christopher Budd, a security program manager with Microsoft, said the worm does not appear to take advantage of any Microsoft product vulnerability.

“This is entirely a case of what we would call social engineering–enticing users to take actions that are not in their best interest,” he said.

Mydoom isn’t the first mass-mailing virus of the year. Earlier this month, a worm called “Bagle” infected computers worldwide and even infiltrated a popular Department of Education (ED) listserve, but that worm seemed to die out quickly. ED said its virus-detection software neutralized the Bagle worm automatically by removing it from infected messages before they reached recipients.


Microsoft security tips