The worm has launched a world-wide denial-of-service attack from every infected computer against the website of SCO, one of the largest Unix vendors in the world. However, the WWW.SCO.COM site seems to be still operational.
There's been a lot of discussion about SCO after they claimed last December that the Linux operating system was violating SCO's intellectual property rights in UNIX technology. "There are a lot of kids out there who feel like SCO's attacking them", comments Mikko Hypponen, Director of Anti-Virus Research at F-Secure Corporation. "Apparently someone of them decided that it's ok attack back."
In addition of the denial-of-service attack, the worm also opens up a backdoor to infected computers by listening to TCP port 3176. This way the worm author can gain access to infected computers afterwards.
The emails sent by the worm are fairly random:
From: random email address
To: address of the recipient
Subject: random words
Message body: (several different mail error messages, such as:)
Mail transaction failed. Partial message is available.
Attachment (with a textfile icon): random name ending with ZIP, BAT, CMD, EXE, PIF or SCR extension.
When a user clicks on the attachment, the worm will start Notepad, filled with random characters and it will immediately start to spread further.
Detailed technical description of the worm as well as screenshots are available in the F-Secure Virus Description Database.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.