Telecom says if the latest virus attack gets bad enough it can switch off the bounce message generator that is currently sending out warnings that emails aren't reaching their intended recipients.
The Mydoom virus, also known as Novarg and Mimail.R, is a mass mailing worm that has been creating havoc among Windows users around the world. As Computerworld Online reported yesterday, as part of its payload Mydoom tries to replicate itself by generating its own email addresses and sending copies of itself to them. When anti-virus systems block the email, they send a failure message to the sender. However, because Mydoom spoofs the sender's address, a number of users are receiving failure messages about emails they didn't send.
Telecom spokesperson Katrina King says Telecom is reviewing the situation continuously to see if this move is warranted.
"It would mean switching it off for all email so any legitimate email that was sent to the wrong address, say a typo or whatever, wouldn't generate the failure message."
King also says the anticipated overloading of ISPs' outgoing email servers hasn't happened, perhaps because the virus contains its own SMTP engine, thus bypassing the ISPs' queueing systems.
TelstraClear spokesman Ralph Little says the telco is experiencing increasing traffic across both its ISPs, ClearNet and Paradise.Net.
"From 4pm to 5pm we blocked 32,000 copies of the virus. That's around nine a second." Little says that number was still growing late last night.
The worm arrives as an email with an attachment that can have various names and extensions, including .exe, .scr, .zip or .pif. The email can have a variety of subject lines and body texts, but in many cases it will appear to be an error report stating that the message body can't be displayed and has instead been attached in a file.
Mydoom's payload turns the infected PC into a zombie to be used as part of a distributed denial of service (DDoS) attack against the SCO Group's homepage. SCO has attracted the ire of the open source community following its claims to own some of the code within the Linux operating system and its demand that Linux users pay a licensing fee to use it.
Late yesterday SCO said it had noticed its website performance had intermittently slowed, but it is too early to say if there is an attack on the site, says SCO spokesman Blake Stowell.
"It may be showing the early stages of a DOS attack."
Both Network Associates and Symantec agree that when the attached file is executed, the worm scans the system for email addresses and starts forwarding itself to those addresses. If the victim has a copy of the KaZaA file-sharing application installed, it will also drop several files in the shared files folder in an attempt to spread that way.
Symantec also claims the worm will install a "key logger" that can capture anything that is entered, including passwords and credit card numbers.
Yesterday Telecom claimed it was blocking around 1000 infected emails every minute.
Additional reporting by Joris Evers of the IDG News Service, San Francisco.