E-mail worm infects computers at the U, rest of the Internet

The worm usually appears to be an e-mail error message.

A malicious program attached to seemingly innocuous e-mails spread quickly throughout the Internet and the University’s computing networks starting late in the day Monday and has continued today.

The program clogs network traffic and creates a backdoor entryway for hackers in infected personal computers.

The worm, called “Mydoom” or “Novarg” by antivirus companies, usually appears to be an e-mail error message. A small file is attached that, when launched on computers running Microsoft’s Windows operating systems, can send out 100 infected e-mail messages in 30 seconds to e-mail addresses stored in the computer’s address book and other documents.

“As far as I can tell right now, it’s pretty much everywhere on the planet,” said Vincent Gullotto, vice president of Network Associates’ antivirus emergency response team.

The University is not sure how many of its computers are infected, but as long as users are running up-to-date virus software, they should have little to worry about, said Ken Hanna, University security and assurance director.

The University uses Symantec virus protection software, which was last updated Monday night, Hanna said.

“If (students) do think they are infected, they should call the help desk,” he said.

The number is (612) 301-HELP.

Deciphering the program

Security software experts were scrambling to decrypt the details of the malicious program and were arriving at different conclusions.

Symantec, an antivirus company, said the worm appeared to contain a program that logs keystrokes on infected machines. It could collect username and passwords of unsuspecting users and distribute them to strangers.

Network Associates did not find the key-logging program.

The worm also appears to deposit its payload into folders open to users of the Kazaa file-sharing network. Remote users who download those files and run them could be infected.

“This has all the characteristics of being the next big one,” said Steven Sundermeier, Central Command’s vice president of products and services.

Attacking companies first

The worm appeared to first target large companies in the United States and their large address books but quickly spread internationally, said David Perry, global director of education at the antivirus software firm Trend Micro.

Unlike other mass-mailing worms, Mydoom does not attempt to trick victims by promising nude pictures of celebrities or mimicking personal notes. Instead, one of its messages reads: “The message contains Unicode characters and has been sent as a binary attachment.”

“Because that sounds like a technical thing, people may be more apt to think it’s legitimate and click on it,” said Steve Trilling, Symantec’s senior director of research.

Subject lines also vary. The attachments have “.exe,” “.scr,” “.cmd” or “.pif” extensions, and might be compressed as a Zip file.

Microsoft offers a patch of its Outlook e-mail software to warn users before they open such attachments or prevent them from opening them altogether. Antivirus software also stops infection.

Mydoom is not the first mass-mailing virus of the year. Earlier this month, a worm called “Bagle” infected computers but seemed to die out quickly. So far, it is too early to say whether Mydoom will continue to be a problem or peter out, experts said.

“Over the next 24 to 48 hours, we’ll have a much better sense,” Trilling said. “Right now, the trend is only up.”

– Staff reporter Amy Horst and The Associated Press contributed to this report.