
Security Strategy

'High risk' virus floods internet and attacks SCO

Linux fans at the heart of MyDoom?

Tags: sco, virus, mydoom

By Robert Lemos

Published: 27 January 2004 09:45 GMT

A mass-mailing virus quickly spread through the internet on Monday, compromising computers so that they attack the SCO Group's web server with a flood of data on 1 February, according to antivirus companies.

The virus - which different antivirus companies call MyDoom, Novarg or a variant of the Mimail virus - arrives in an inbox with one of several subject lines, such as 'Mail Delivery System', 'Test' or 'Mail Transaction Failed'. The email carries an executable attachment and a body statement such as: "The message contains Unicode characters and has been sent as a binary attachment."

"It's huge," said Vincent Gullotto, vice president of security software maker Network Associates' antivirus emergency response team. "We have it as a high-risk outbreak."

In one hour, Network Associates itself received 19,500 emails bearing the virus from 3,400 unique internet addresses, Gullotto said. One large telecommunications company has already shut down its email gateway to stop the virus.

Once the virus infects a Windows-running PC, it installs a program that allows the computer to be controlled remotely. The program primes the PC to send data to the SCO Group's web server, starting 1 February, a virus researcher said on the condition of anonymity.

The SCO Group has incurred the wrath of the Linux community for its claims that important pieces of the open-source operating system are covered by SCO's Unix copyrights. IBM, Novell and other Linux backers strongly dispute the claims.

The company's website was slow to load on Monday afternoon, a SCO spokesperson acknowledged, but the site was still accessible from the world wide web.

SCO's website was taken offline by denial-of-service attacks a handful of times in the last year, none of which had been initiated by a virus. In the past, the company has blamed Linux sympathisers for at least one of the attacks.

Antivirus companies were scrambling on Monday afternoon to learn more about the virus, which started spreading at about noon PST. The virus affects computers running Windows versions 95, 98, ME, NT, 2000 and XP.

"A lot of the information is encrypted, so we have to decrypt it," said Sharon Ruckman, a senior director of antivirus software maker Symantec's security response center. Symantec had received about 40 reports of the virus in the first hour, a high rate of submission, Ruckman said.

The virus installs a Windows program that opens up a 'back door' in the system, allowing an attacker to upload additional programs onto the compromised device. The back door also enables an intruder to route his connection through the infected computer to hide the source of an attack.

The virus also copies itself to the Kazaa download directory on PCs where the file-sharing program is installed. It disguises itself under one of seven file names, including Winamp5, RootkitXP, Officecrack and Nuke2004. Variations in the email body text include: "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."

Early data indicated an epidemic several times the size of the Sobig.F virus, which caused widespread infections last summer, said Scott Petry, a vice president of engineering at email service provider Postini.

"At its current run rate, we will trap almost 8 million in a day," Petry said. The company quarantined only 1,400 copies of Sobig.F in its first day and 3.5 million copies of the virus during that epidemic's peak 24-hour period.

Mail systems that remove executable files from emails can stop the program from spreading.
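The gateway-side control described above, together with the subject lines and body phrasing quoted earlier in the article, as an added example that is not part of the original article or of any vendor's product. It uses only Python's standard `email` package; the sample message is constructed here (the attachment payload is an inert stub beginning with the PE `MZ` header, not a real program), and the extension list is an assumed gateway policy. Executable parts are removed both by file extension and by magic bytes, so a renamed executable is still caught.

```python
"""Gateway-side executable stripping and indicator matching (added example,
not part of the silicon.com article). Indicator strings are the ones the
article quotes; the sample message is constructed here, with an inert 'MZ'
stub standing in for a real executable."""
from email.message import EmailMessage

# Subject lines and body phrasing the article attributes to the virus.
SUSPECT_SUBJECTS = {"mail delivery system", "test", "mail transaction failed"}
SUSPECT_BODY_PHRASES = ("has been sent as a binary attachment",)

# Extensions a gateway policy would refuse (assumed list for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Every Windows PE file begins with the 'MZ' DOS header, whatever its name.
PE_MAGIC = b"MZ"


def is_executable(part) -> bool:
    """True if a MIME part is an executable by extension or by MZ magic,
    so an .exe renamed to .txt is still caught."""
    filename = (part.get_filename() or "").lower()
    if any(filename.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
        return True
    payload = part.get_payload(decode=True) or b""
    return payload[:2] == PE_MAGIC


def strip_executables(msg) -> list:
    """Drop executable parts in place, recursing into nested multiparts.
    Returns the file names of the parts removed."""
    if not msg.is_multipart():
        return []
    removed, kept = [], []
    for part in msg.get_payload():
        if part.is_multipart():
            removed.extend(strip_executables(part))
            kept.append(part)
        elif is_executable(part):
            removed.append(part.get_filename() or "<unnamed>")
        else:
            kept.append(part)
    msg.set_payload(kept)
    return removed


def matches_indicators(msg) -> bool:
    """Flag a message whose subject or body text matches the quoted indicators."""
    subject = (msg["Subject"] or "").strip().lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    return subject in SUSPECT_SUBJECTS or any(p in text for p in SUSPECT_BODY_PHRASES)


def filter_message(msg) -> dict:
    """Apply both checks and report what the gateway did to the message."""
    flagged = matches_indicators(msg)
    removed = strip_executables(msg)
    return {"flagged": flagged, "removed": removed,
            "remaining_parts": len(msg.get_payload())}


def build_sample_message() -> EmailMessage:
    """Constructed sample shaped like the message the article describes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Mail Transaction Failed"
    msg.set_content("The message contains Unicode characters and has been "
                    "sent as a binary attachment.")
    stub = PE_MAGIC + b"\x00" * 14  # inert stand-in, not a real program
    msg.add_attachment(stub, maintype="application", subtype="octet-stream",
                       filename="document.pif")  # caught by extension
    msg.add_attachment(stub, maintype="application", subtype="octet-stream",
                       filename="readme.txt")  # caught by MZ magic only
    msg.add_attachment(b"quarterly figures attached\n", maintype="text",
                       subtype="plain", filename="notes.txt")  # legitimate
    return msg


if __name__ == "__main__":
    sample = build_sample_message()
    print(filter_message(sample))
```

Stripping by content rather than by name is the part that matters: the article notes the virus already disguises itself under innocuous file names on Kazaa, and a gateway that trusts extensions alone would pass the same file through if it were renamed.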

Robert Lemos writes for CNET News.com
