New Mass Mailing Worm - W32/Mydoom@MM or W32.Novarg.A@mm
High Outbreak of New Mass Mailing Worm
McAfee calls it the W32/MyDoom@mm worm. Symantec has labeled it W32.Novarg.A@mm. Whatever it's called, it's nasty and it's spreading rapidly. Here's what you need to know:
The email address it appears to come from is spoofed. In the last hour, we've received over 30 of the infected emails -- all appear to have come from various financial institutions. Plus, we've gotten several return delivery failure notifications from entities who have received infected emails that spoof our return email address. These say "The contents of this message are corrupt. We cannot view this message."
The "Subject" line of the infected emails is random. This means it could say anything. Couple that with the fact that it may look like it is coming from a trusted source, and you've got trouble.
The email carries an attachment. In many cases the attachment is a .zip file, but it may also be an .exe, .pif, .cmd, or .scr file.
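Because the sender and subject cannot be trusted, the attachment type is the one stable thing a mail filter can check. The sketch below is an added example, not code from McAfee, Symantec or this advisory: it flags the extensions listed above in a raw message. Looking inside .zip attachments for the same extensions is an assumption that goes beyond what the advisory states, and all function names and sample messages are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Extensions named in the advisory; .zip is handled separately below.
RISKY_EXTS = {".exe", ".pif", ".cmd", ".scr"}

def ext_of(name):
    """Lowercased final extension, ignoring trailing dots or spaces."""
    name = (name or "").strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""

def risky_attachments(raw_message):
    """Return (attachment filename, reason) pairs worth quarantining."""
    findings = []
    for part in message_from_bytes(raw_message).walk():
        filename = part.get_filename()
        if not filename:
            continue  # multipart containers and inline body parts
        ext = ext_of(filename)
        if ext in RISKY_EXTS:
            findings.append((filename, "executable extension " + ext))
        elif ext == ".zip":
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        if ext_of(member) in RISKY_EXTS:
                            findings.append((filename, "zip contains " + member))
            except zipfile.BadZipFile:
                # Assumption: an archive the filter cannot read is held, not delivered.
                findings.append((filename, "unreadable zip"))
    return findings

def sample_message(filename, data):
    """Constructed message; From and Subject are deliberately ignored by the check."""
    m = EmailMessage()
    m["From"] = "spoofed@example.com"
    m["Subject"] = "random subject"
    m.set_content("body")
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

def zip_with(member):
    """Constructed zip archive holding one placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"constructed placeholder bytes")
    return buf.getvalue()
```

The check takes the last extension of the filename, so a name such as `document.txt.scr` is still flagged.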
Once your machine is infected, the worm opens a connection on TCP port 3127. This may indicate that it is attempting to attain remote access.
Because this worm was only discovered on January 26, 2004, the virus protection companies are still testing it to determine its payload and other details.
Be sure your virus protection is up to date.
FOR MORE INFORMATION:
McAfee Information on this Worm
Symantec Information on this Worm
First published on BankersOnline.com 01/26/04