Press Release

Record-Breaking Mydoom.A Continues Spreading
New York, NY - 30th January 2004 (11:00 am ET) - MessageLabs, the leading provider of managed email security services to businesses worldwide, announced today that the record-breaking virus W32/Mydoom.A-mm, while off its peak, is continuing to spread at a steady rate, with 8,463,332 copies having been stopped so far by MessageLabs.

Of that total, 22% have originated in the US. The reach of the worm now extends to 211 countries. The peak infection ratio remains 1 in 12 emails infected with the virus, and the average ratio is currently fluctuating between 1 in every 15 and 1 in every 23 emails.

A new variant of the virus, Mydoom.B, which first hit on Wednesday, is also in the wild, but not gaining much traction. MessageLabs has identified it as a low-level threat.

On Tuesday, W32/Mydoom.A-mm broke records to become the fastest spreading virus of all time. The title had previously been held by Sobig.F, another mass mailing virus that hit in August 2003. The comparison was made by tracking the number of virus-containing emails stopped within the first 24 hours and by tracking peak infection ratios. Just over 1 million messages containing Sobig.F were stopped within the first 24 hours, in comparison to more than 1.2 million for Mydoom.A. Sobig.F’s peak infection ratio was 1 in 17 compared to Mydoom.A’s, which was 1 in 12. The Lovebug virus of 1999 is the third fastest spreading, with 1 in every 23 emails.

“Let there be no doubt that the trojan component of Mydoom.A is creating an entirely new network of compromised machines that hackers and likely spammers will be able to remotely control,” said Mark Sunner, chief technology officer of MessageLabs. “As part of our commitment to customers, we have protected more than 2 million enterprise end users from Mydoom, saving thousands of IT departments from having to deal with help desk calls, patching and clean up - in short, eliminating a big, ongoing and costly headache.”

Name: W32/Mydoom.A-mm

Time & Date first Captured: 13.03pm GMT, 26th Jan 04

Origin of first intercepted copy: Russia

General

Mydoom is a mass-mailing worm that attempts to spread via email and by copying itself to any available shared directories used by Kazaa.

The worm harvests addresses from infected machines and targets files with the following extensions: .wab, .adb, .tbb, .dbx, .asp, .php, .sht, .htm, .txt.

Mydoom also tries to randomly generate or guess likely email addresses to send itself to.

In addition, initial analysis suggests that Mydoom opens a connection on TCP port 3127, an indication of a remote access component.

Email characteristics

From: Random, spoofed email address

Text: Various, including:

  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The message contains Unicode characters and has been sent as a binary attachment
  • Mail transaction failed. Partial message is available

Attached file: Various, with extensions including .exe, .pif, .cmd, .scr. The attachment often arrives in a zip archive, and is also represented by what appears to be a text file icon, but is in fact an executable.

Size: 22,528 bytes

Detection: MessageLabs detected all strains of this virus proactively, using its unique and patented Skeptic™ predictive heuristics technology.
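
The email characteristics listed above can be checked mechanically at a mail gateway or during mailbox triage. The following is an added example, not MessageLabs code and not a description of Skeptic: it parses a raw message, looks one level into zip attachments, and reports which of the listed indicators match. The function names and report strings are assumptions made for illustration, and a match is a reason to quarantine and inspect, not proof of infection.

```python
import io
import zipfile
from email import message_from_bytes, policy

# Indicators copied from the advisory text; everything else here is illustrative.
EXEC_EXTS = (".exe", ".pif", ".cmd", ".scr")
BODY_PHRASES = (
    "cannot be represented in 7-bit ascii encoding",
    "contains unicode characters and has been sent as a binary attachment",
    "mail transaction failed. partial message is available",
)
WORM_SIZE = 22528  # bytes


def payload_hits(name, data):
    """Reasons for one attachment, looking one level into zip archives."""
    hits = []
    # (display name, size) pairs to test: the attachment itself, then zip members.
    members = [(name or "", len(data))]
    if zipfile.is_zipfile(io.BytesIO(data)):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members += [(f"{name}!{i.filename}", i.file_size) for i in zf.infolist()]
        except zipfile.BadZipFile:
            hits.append(f"unreadable zip: {name}")
    for label, size in members:
        if label.lower().endswith(EXEC_EXTS):
            hits.append(f"executable attachment: {label}")
            if size == WORM_SIZE:
                hits.append(f"size matches {WORM_SIZE} bytes: {label}")
    return hits


def triage(raw_bytes):
    """Parse a raw RFC 5322 message and list the advisory indicators it matches."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    # Collapse whitespace so line wrapping cannot split a phrase.
    text = " ".join(body.get_content().lower().split()) if body else ""
    reasons = [f"body phrase: {p}" for p in BODY_PHRASES if p in text]
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        reasons += payload_hits(part.get_filename(), data)
    return reasons
```

The size check compares the uncompressed size recorded in the zip directory, so it works without extracting anything to disk.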

About MessageLabs

MessageLabs is a leading provider of integrated messaging and web security services, with over 21,000 clients ranging from small business to the Fortune 500 located in more than 100 countries. MessageLabs provides a range of managed security services to protect, control, encrypt and archive communications across Email, Web and Instant Messaging.

These services are delivered by MessageLabs' globally distributed infrastructure and supported 24/7 by security experts. This provides a convenient and cost-effective solution for managing and reducing risk and providing certainty in the exchange of business information. For more information, please visit www.messagelabs.com.

Media Contacts:

US:
Marissa Vicario, MessageLabs, +1 646 519 8116, mvicario@messagelabs.com,
Hill & Knowlton for MessageLabs, +1 212-885-0552, messagelabs@hillandknowlton.com

EMEA:
Paul Wood, MessageLabs, +44 (0) 1452 627705, pwood@messagelabs.com
Weber Shandwick for MessageLabs, +44 (0) 20 7067 0500, mlukpr@webershandwick.com

APAC:
Andrew Antal, MessageLabs, +61 2 8208 7171, aantal@messagelabs.com
Spectrum Communications for MessageLabs, +61 2 9954 3299, messagelabs@spectrumcomms.com.au