MyDoom clogs up net
2004-01-27 23:51
San Jose - An e-mail worm that looks like a normal error message but actually contains a malicious program continued to snarl up computers around the world on Tuesday.
MessageLabs Incorporated, which scans e-mail for viruses, said one in every 12 messages contained the worm, called "MyDoom" or "Novarg."
Security experts described it as the largest virus-like outbreak in months, one made more problematic by its timing.
The worm began spreading rapidly on Monday during business hours in the United States, where the world's computers are concentrated.
Many recent outbreaks began during Asian business hours - overnight in the United States - allowing anti-virus vendors to develop new defences by the time US companies opened up shop.
"Whenever a virus begins to start in the States, it usually becomes much bigger," said Vincent Gullotto, an anti-virus researcher at Network Associates Inc.
Some corporate networks were clogged with infected traffic within hours of its appearance, and operators of many systems voluntarily shut down their e-mail to keep the worm from spreading during the clean-up.
Sent as a binary attachment
Mikko Hypponen, manager of anti-virus research at F-Secure Corporation in Finland, estimated that 200 000 to 300 000 computers were hit worldwide.
The worm infects computers using Microsoft Windows operating systems, although other computers were affected by network slowdowns and a flood of bogus messages.
Unlike other mass-mailing worms, MyDoom does not attempt to trick victims by promising nude pictures of celebrities or mimicking personal notes.
Instead, one of its messages reads: "The message contains Unicode characters and has been sent as a binary attachment."
"Because that sounds like a technical thing, people may be more apt to think it's legitimate and click on it," said Steve Trilling, senior director of research at computer security company Symantec.
Besides sending out tainted e-mail, the program appears to open up a backdoor so hackers can take over the computer later.
Symantec said the worm appeared to contain a program that logged keystrokes on infected machines.
It could collect usernames and passwords of unsuspecting users and distribute them to strangers.
The worm was also programmed to flood the Web site of The SCO Group Incorporated with requests, beginning on February 1, in an attempt to crash it.
SCO's site has been targeted in other recent attacks because of its threats to sue users of the Linux operating system in an intellectual property dispute.
Christopher Budd, a security program manager with Microsoft, said: "This is entirely a case of what we would call social engineering - enticing users to take actions that are not in their best interest."
On the Net:
Microsoft security tips:
www.microsoft.com/security/protect/default.asp
- SAPA