January 26, 2004 Information Security Advisory

Another worm, discovered earlier today, is invading email boxes around the world.
This worm only affects Windows PCs.

W32.Novarg.A@mm (Symantec's Norton Antivirus name) is a mass-mailing worm. 
The worm will arrive as an attachment with a file extension of .bat, .cmd, .exe, .pif, 
.scr, or .zip. The worm also contains functionality to perform as a proxy server. 
It listens on all TCP ports in the range 3127-3198.

Network Associates, another leading antivirus vendor, calls this worm
the W32/Mydoom@mm, also known as the Mydoom worm. 

Trend Micro calls it worm_mimail.r

The worm will perform a DoS starting on February 1, 2004. 
On February 12, 2004 the worm has a trigger date to stop spreading.

Antivirus vendors are working towards creating removal tools. Currently
only manual removal is available. You shoud update your PC's virus signatures
by going to your antivirus vendor's site or your using your software's automated 
updating feature, scan your computer and remove all the infected files.

This worm has been spreading much faster than last week's Beagle worm.
Symantec considered Beagle a category 3, this one is a category 4 worm.

Network Associates'response page is located at:
http://vil.nai.com/vil/content/v_100983.htm

Symantec's response page is located at
http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

Sophos' response page is located at:
http://www.sophos.com/virusinfo/analyses/w32mydooma.html

Trend Micro's repsonse page is located at:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R

Happy safe computing!

Frederic Martin
www.workingarts.com

PS: If you want to be removed from this computer security advisory mailing list, please 
reply with "remove" in the subject of the message. To review archived security warnings, 
please go to http://www.workingarts.com/infosecarchives.html