W32.Novarg.A@Mm Upgraded To Level 4 Threat

News Release

SYMANTEC SECURITY RESPONSE UPGRADES W32.NOVARG.A@MM
TO LEVEL 4 THREAT

New Mass-Mailing Worm Attempts to Launch a Denial-of-Service Attack Beginning February 1

Symantec, the world leader in Internet security, announced that it has upgraded the W32.Novarg.A@mm (also know as W32.Mydoom@mm) from a Level 3 to a Level 4 threat based on how fast the threat is spreading, the potential damage and the threat distribution. Additionally, the Symantec DeepSight Threat Analyst Team has increased the global ThreatCon from Level 1 to 2 due to the number of sample submissions Symantec has received and because of the malicious nature of the backdoor that the Trojan installed. Symantec’s ThreatCon rating provides a digital weather forecast of Internet Security.

Symantec Security Response is receiving submissions of W32.Novarg.A@mm at approximately the same rate it initially received submissions of Sobig.F@mm (discovered August 13, 2003). Yesterday, Symantec Security Response received more than 960 submissions of W32.Novarg.A@mm in a nine-hour timeframe.

Symantec customers can protect against W32. W32.Novarg.A@mm by updating their virus definitions through LiveUpdate. Additionally, the Worm Blocking technology found in the latest Symantec consumer products automatically detects this threat as it attempts to spread. Symantec Security Response encourages all users and administrators to adhere to basic security best practices.

About W32.Novarg.A@mm

W32.Novarg.A@mm is an encrypted mass-mailing worm that arrives as an attachment with a variety of different subject lines such as “hello,” “Mail Transaction Failed,” or “Test.” The attachment has one of the following extensions: .cmd, .exe, .scr., .zip, .pif, .bat, or .cmd. Once opened, the worm copies itself to the system folder as taskmon.exe and listens to all TCP ports in the range 3127 to 3198, allowing hackers to potentially send additional files to be executed by the infected systems.

The worm propagates by sending itself to addresses found in files with the extensions: .htm, .sht., .php, .asp, .dbx, .tbb, .adb., .pl, .wab, and .txt. It ignores addresses that end in .edu.

The worm will also attempt to perform a denial-of-service attack between Feb. 1 and Feb. 12, 2004 against www.sco.com. The worm creates 64 threads that send HTTP “GET” requests to the SCO site. SCO is a provider of software solutions for small- to medium-sized businesses and replicated branch offices.

Additional information on W32.Novarg@mm can be found on Symantec’s Web site at http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html.

About Symantec

Symantec, the world leader in Internet security technology, provides a broad range of content and network security software and appliance solutions to individuals, enterprises and service providers. The company is a leading provider of client, gateway and server security solutions for virus protection, firewall and virtual private network, vulnerability management, intrusion detection, Internet content and email filtering, and remote management technologies and security services to enterprises and service providers around the world. Symantec’s Norton brand of consumer security products is a leader in worldwide retail sales and industry awards. Headquartered in Cupertino, Calif., Symantec has worldwide operations in 38 countries.

###

NOTE TO EDITORS: If you would like additional information on Symantec Corporation and its products, please view the Symantec Press Center at http://www.symantec.com/PressCenter/ on Symantec’s Web site.
Symantec and the Symantec logo are trademarks or registered trademarks, in the United States and certain other countries, of Symantec Corporation. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged.

© Scoop Media