Date: 2004-01-27 00:07:00
Tags: spam
another new email worm
Looks like we're in for another round of an email worm. I last wrote about sobig.f when it ended back in September. This new one appears to have been named W32/Mydoom@MM.

So far today I've received over 500 copies of this worm. It has a typical default spamassassin score of 3.0, which is well under the default 5.0 threshold. Those sent with a randomly selected subject line of "Hello" score an extra 2.5 points with spamassassin, pushing them over the threshold. Greylisting appears to have little effect for me, possibly because I'm using a simplified implementation called qgreylist that will more readily let a sender through if they happen to be sending to multiple recipients at a domain.
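To illustrate why a simplified greylister lets a worm host through where classic greylisting would not, here is an added simulation (my example, not code from the post and not qgreylist's actual code). It assumes one plausible simplification: the relaxed variant remembers only the sending IP, so once that host has waited out the delay for any one recipient, its later messages to other recipients at the domain pass immediately. Classic greylisting keys on the full (IP, sender, recipient) triplet, and a worm that forges a fresh sender for every recipient and never retries creates a new triplet every time. The traffic below is constructed.

```python
"""Greylisting simulation: classic triplet keying versus a relaxed per-host variant.

Added example; not the post's code and not qgreylist's. The per-host keying is an
assumption about how a simplified greylister becomes "more ready" to admit a host
sending to many recipients; qgreylist's real rules may differ.
"""
from collections import namedtuple

DELAY = 300  # seconds a new key must wait before a retry is accepted

Attempt = namedtuple("Attempt", "t ip sender rcpt")


def triplet_key(a):
    # Classic greylisting: (client IP, envelope sender, envelope recipient).
    return (a.ip, a.sender, a.rcpt)


def host_key(a):
    # Relaxed variant (assumed): only the client IP is remembered.
    return (a.ip,)


class Greylist:
    def __init__(self, key_fn, delay=DELAY):
        self.key_fn = key_fn
        self.delay = delay
        self.first_seen = {}  # key -> time of first attempt

    def accept(self, a):
        """True if the attempt is accepted, False if it gets a temporary failure."""
        key = self.key_fn(a)
        first = self.first_seen.setdefault(key, a.t)
        return a.t - first >= self.delay


# Constructed traffic. The worm host never retries a temp-failed message; it just
# moves on to the next recipient with a freshly forged sender. The legitimate MTA
# retries its one message after ten minutes, as a real mail server would.
WORM_HOST = "192.0.2.10"
LEGIT_MTA = "198.51.100.5"
TRAFFIC = [
    Attempt(0,   WORM_HOST, "forged1@example.org", "alice@example.com"),
    Attempt(0,   LEGIT_MTA, "dad@example.net",     "greg@example.com"),
    Attempt(120, WORM_HOST, "forged2@example.org", "bob@example.com"),
    Attempt(400, WORM_HOST, "forged3@example.org", "carol@example.com"),
    Attempt(600, LEGIT_MTA, "dad@example.net",     "greg@example.com"),  # retry
    Attempt(900, WORM_HOST, "forged4@example.org", "dave@example.com"),
]


def run(key_fn, traffic=TRAFFIC):
    """Replay the traffic; return the (ip, recipient) pairs that were accepted."""
    gl = Greylist(key_fn)
    return [(a.ip, a.rcpt) for a in traffic if gl.accept(a)]


def accepted_from(key_fn, ip):
    """Recipients that the given host managed to deliver to under this keying."""
    return [rcpt for (host, rcpt) in run(key_fn) if host == ip]


if __name__ == "__main__":
    for name, fn in (("triplet", triplet_key), ("per-host", host_key)):
        print(f"{name:8s} accepted: {run(fn)}")
```

With triplet keying only the retried message from the legitimate MTA is accepted; with per-host keying the worm host's third and fourth messages sail through because the host itself is already "known", even though it never retried anything.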

This worm spreads by claiming to have been sent "as a binary attachment" for some technical-sounding but bogus reason. Susceptible users will open the attachment, which may be inside a zip file, and unwittingly execute the worm code. Once it's executed, it copies itself to various places on your hard drive and injects itself into the startup sequence.

As usual, mydoom sends messages with randomly collected From and To addresses, so if you receive one of these, the person listed in the From field is unrelated to the person whose computer sent you the message. Furthermore, if the email address in the To field does not exist (which is common for this worm because it randomly constructs new email addresses on the fly), the user at the From address will receive a bounce message claiming that they sent a virus.

I've been looking for something unique about the worm emails that I can use to construct a filter to identify them. I thought I had something workable, but realized that the worm messages are carefully crafted to look exactly like a message created by Outlook Express. Even messages from my dad would have triggered the filter I was working on. So, back to the drawing board. I'm working on a different filter now.
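As an added illustration of the problem described above (my example, not the post's filter and not SpamAssassin's rule set), the script below builds two constructed messages that carry identical Outlook Express-style client headers: one shaped like the worm mail (a "sent as a binary attachment" excuse plus a zip attachment) and one that is just a note with a photo. A rule keyed on the mailer headers fires on both, so it is worthless as a discriminator; rules keyed on the message content and attachment type separate them. The header values, sample texts and all rule scores except the 2.5 points for a "Hello" subject mentioned above are constructed for the example.

```python
"""Why a client-fingerprint rule cannot separate worm mail from genuine mail,
while content and attachment rules can.

Added example; not the post's own filter and not SpamAssassin code. The two
sample messages, the mailer header values (placeholder version strings) and the
scores other than HELLO_SUBJECT are constructed for illustration.
"""
import email
from email import policy
from email.message import EmailMessage

THRESHOLD = 5.0
RISKY_EXTS = (".exe", ".scr", ".pif", ".bat", ".cmd", ".zip")


def build(subject, body, attach_name, attach_bytes):
    """Construct a message carrying the same Outlook Express-style headers."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "someone@example.org"
    msg["To"] = "greg@example.com"
    msg["Subject"] = subject
    # Both samples get identical mailer headers; the version strings are placeholders.
    msg["X-Mailer"] = "Microsoft Outlook Express 0.0.0000.0000"
    msg["X-MimeOLE"] = "Produced By Microsoft MimeOLE V0.0.0000.0000"
    msg.set_content(body)
    msg.add_attachment(attach_bytes, maintype="application",
                       subtype="octet-stream", filename=attach_name)
    return msg.as_string()


# Constructed samples: a worm-style message and a genuine note from a relative.
WORM_LIKE = build(
    "Hello",
    "The message could not be delivered in its original form,\n"
    "so it has been sent as a binary attachment.",
    "document.zip", b"PK\x03\x04 placeholder, not a real archive")
DAD = build(
    "Hello",
    "Hi Greg, the photos from the weekend are attached.",
    "photos.jpg", b"\xff\xd8 placeholder, not a real image")


def rule_outlook_express_headers(msg):
    return (msg.get("X-Mailer") or "").startswith("Microsoft Outlook Express")


def rule_hello_subject(msg):
    return (msg.get("Subject") or "").strip().lower() == "hello"


def rule_binary_attachment_excuse(msg):
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return "binary attachment" in text.lower()


def rule_risky_attachment(msg):
    return any((part.get_filename() or "").lower().endswith(RISKY_EXTS)
               for part in msg.iter_attachments())


# (name, score, predicate). The header rule is worth nothing because it fires
# on genuine Outlook Express mail just as readily as on the worm.
RULES = [
    ("OUTLOOK_EXPRESS_HEADERS", 0.0, rule_outlook_express_headers),
    ("HELLO_SUBJECT", 2.5, rule_hello_subject),
    ("BINARY_ATTACHMENT_EXCUSE", 2.0, rule_binary_attachment_excuse),
    ("RISKY_ATTACHMENT", 2.5, rule_risky_attachment),
]


def fired(raw):
    """Names of the rules that match the raw RFC 2822 message text."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {name for name, _, pred in RULES if pred(msg)}


def score(raw):
    hits = fired(raw)
    return sum(s for name, s, _ in RULES if name in hits)


if __name__ == "__main__":
    for label, raw in (("worm-like", WORM_LIKE), ("dad", DAD)):
        print(f"{label:10s} score={score(raw):.1f} rules={sorted(fired(raw))}")
```

Both samples trip OUTLOOK_EXPRESS_HEADERS and HELLO_SUBJECT; only the content and attachment rules push the worm-shaped message past the 5.0 threshold while the genuine note stays at 2.5.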

Symantec's report (they call this worm W32.Novarg.A@mm) claims that the worm will automatically stop spreading on February 12, 2004. There is no mention of any attempt at time synchronization like there was with the sobig variants, so it is possible that this may continue to propagate from computers with misconfigured clocks beyond its built-in termination date.

Email will be useless tomorrow for a lot of people out there, I think.
Greg Hewgill