VIRUS ALERT
January 29, 2004
HIGH
Panda Software Announces that the Mydoom.A epidemic is not letting up
Glendale, CA - January 29, 2004 - Mydoom.A is still spreading rapidly. One in every five e-mails is carrying this worm, making four million infected e-mails currently in circulation. “Mydoom.A is not reaching higher rates because of the security measures that companies have adopted after being infected,” explains Luis Corrons, director of PandaLabs. “But,” he adds, “it isn’t stopping either, as it is now attacking companies without protection that survived the first wave of infected messages.”
• Four million e-mails infected with this worm are in circulation
• Companies without protection installed that survived the first wave of infected messages are now the main victims
• This worm is expected to cost over 250 million dollars
• At the moment, variant B, detected yesterday, is not generating a large number of incidents
• At the same time as Mydoom.B appeared, the S variant of Mimail was detected, which passes itself off as an e-mail from Microsoft in order to steal confidential user information
According to data collected by Panda Software’s online antivirus, Panda ActiveScan, Mydoom.A has infected six times more computers than Bugbear.B, the second most frequently detected virus. Corporate environments around the globe have been hit the hardest by Mydoom.A, and for this reason the number of infected computers has reached 400,000. Furthermore, CNN estimates that the losses generated by this worm (due to loss of productivity and tech support expenses) could reach 250 million dollars.
The Mydoom.A worm is designed to attack and saturate networks of any size. It also creates a backdoor in the infected computers which could allow hackers to steal or compromise key corporate data.
Yesterday Mydoom.B was detected, which is potentially more dangerous than its predecessor: this variant is designed to prevent many antivirus programs from updating correctly. “At the moment,” explains Luis Corrons, “Mydoom.B is not spreading very rapidly, perhaps as a result of the epidemic caused by its predecessor.”
At the same time as the worldwide epidemic caused by Mydoom.A continues, PandaLabs has detected variant S of Mimail (W32/Mimail.S.worm), which is very similar to its predecessors. “The appearance of these two viruses at the same time,” highlights Luis Corrons, “means that you can never drop your guard, and that you must be extremely careful with all the e-mail you receive.”
Mimail.S sends itself out to all the addresses it finds on the affected computer, using its own SMTP engine, in an e-mail with the following characteristics:
- Subject: a random combination of the following phrases: Re: ,Re[2]: ,Re[3]:/ smart,cool,sexy,super/ pics,images,pictures,photos,photo,picture/ private, only for you, just for you, imortant, very important
- Message: constructed in the same way as the subject with texts like: Hi,Hello,Good evening/ my dear, my dearest, my darling/ Adeline, Alice, Ann, Annice, Barbara, etc.
- Attachment: Encoded in BASE64; its name is built from four parts, one taken from each of the following lists:
  my,priv,private,prv,the,best,super,great,cool,wild,sex,fuck
  _,-,__
  pic,img,phot,photos,pctrs,images,imgs,scene,plp,act,action
  .pif,.scr,.exe,.jpg.scr,.jpg.pif,.jpg.exe,.gif.exe,.gif.pif,.gif
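The four lists above are enough to write a mail-gateway or mailbox filter. The following Python is an added example, not code from Panda Software or from this alert: it assumes the attachment name is the four parts concatenated in the listed order (the alert does not state the order explicitly), builds a regular expression from those lists, and also flags the more general double-extension trick (an image-looking name that really ends in .pif, .scr or .exe). The sample attachment names at the bottom are constructed for illustration.

```python
import re

# Name components listed in the alert for the Mimail.S attachment.
PART1 = ["my", "priv", "private", "prv", "the", "best", "super", "great",
         "cool", "wild", "sex", "fuck"]
PART2 = ["_", "-", "__"]
PART3 = ["pic", "img", "phot", "photos", "pctrs", "images", "imgs", "scene",
         "plp", "act", "action"]
PART4 = [".pif", ".scr", ".exe", ".jpg.scr", ".jpg.pif", ".jpg.exe",
         ".gif.exe", ".gif.pif", ".gif"]

# Extensions Windows will execute; image extensions the worm uses as a disguise.
EXECUTABLE_EXT = (".pif", ".scr", ".exe")
IMAGE_EXT = (".jpg", ".gif")


def _alternation(parts):
    # Longest alternatives first so "private" is tried before "priv"
    # and "__" before "_"; every part is escaped because "." is a regex metacharacter.
    return "|".join(re.escape(p) for p in sorted(parts, key=len, reverse=True))


# Assumption: part1 + part2 + part3 + part4, matched against the whole name.
MIMAIL_S_NAME = re.compile(
    r"^(?P<p1>%s)(?P<p2>%s)(?P<p3>%s)(?P<p4>%s)$"
    % (_alternation(PART1), _alternation(PART2),
       _alternation(PART3), _alternation(PART4)),
    re.IGNORECASE,
)


def classify_attachment(name: str) -> str:
    """Return 'mimail_s' for a name assembled from the alert's four lists,
    'disguised_executable' for any other image-looking name that actually ends in
    an executable extension (e.g. holiday.jpg.exe), and 'clean' otherwise."""
    if MIMAIL_S_NAME.match(name):
        return "mimail_s"
    lower = name.lower()
    stem, dot, last = lower.rpartition(".")
    if dot and "." + last in EXECUTABLE_EXT and stem.endswith(IMAGE_EXT):
        return "disguised_executable"
    return "clean"


def suspicious_attachments(names):
    """Return (name, verdict) for every attachment that is not clean."""
    results = []
    for name in names:
        verdict = classify_attachment(name)
        if verdict != "clean":
            results.append((name, verdict))
    return results


# Constructed sample attachment names (not taken from real mail).
SAMPLE_NAMES = [
    "my_pic.jpg.scr",            # built from the four lists
    "Private__Photos.gif.pif",   # same, different case and parts
    "holiday.jpg.exe",           # not Mimail.S, but a disguised executable
    "report.doc",                # ordinary attachment
    "myphotos.jpg",              # real image, no separator, image extension only
    "the-act.exe",               # built from the four lists, plain .exe
]

if __name__ == "__main__":
    for name, verdict in suspicious_attachments(SAMPLE_NAMES):
        print("%-26s %s" % (name, verdict))
```

The matcher is anchored at both ends, so a name that merely contains one of the words (such as "mypictures.doc") is not flagged; the second rule is deliberately broader than Mimail.S, because the "image.extension.executable" pattern is the part of the naming scheme a gateway can keep blocking after the word lists change.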
Mimail.S tries to steal the credit card details of the user of the infected computer. In order to do this, it displays a fake form that warns users that their Windows license has expired, and prompts them to renew it. This form requests personal data including a credit card number, its expiration date and PIN.
After the user has entered the requested data, Mimail.S checks if the credit card number is correct and if it isn’t, it displays an error message:
Mimail.S saves the information it obtains in a file called c:\xx and sends it out to several e-mail addresses stored in its code and whose domains are [email protected] and [email protected].
Finally, Mimail.S creates an entry in the Windows Registry in order to ensure it is run whenever the computer is started up.
Due to the possibility of being infected by Mimail.S, Mydoom.A and Mydoom.B, Panda Software advises users to treat all e-mails received with caution, and to update their antivirus solutions if they haven’t already done so. The company has already made the updates to its products available to clients to ensure their solutions can detect and eliminate Mimail.S. Therefore, those whose software is not configured to update automatically should update their solutions from http://www.pandasoftware.com/.
Users can also detect this and other malicious code using the free, online antivirus, Panda ActiveScan, which is available on the company’s website at http://www.pandasoftware.com/.
More information about Mimail.S, Mydoom.A.worm and Mydoom.B.worm is available from Panda Software’s Virus Encyclopedia.
About PandaLabs
On receiving a possibly infected file, Panda Software's technical staff get straight down to work. The file is analyzed and depending on the type, the action taken may include: disassembly, macro scanning, code analysis etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users.
For more information:
Alan Wallace
[email protected]
Tel. (818) 543-6909
Original source: panda-us-virusalert-2004-01-29-mydoom_a#1.doc