Press Release

LinkedIn Facebook Twitter RSS

Symantec Security Response Upgrades W32.NOVARG.A@MM to Level 4 Threat

New Mass-Mailing Worm Attempts to Launch a Denial-of-Service Attack Beginning February 1

CUPERTINO, Calif. - Jan. 26, 2004 - Symantec, the world leader in Internet security, today announced that it has upgraded the W32.Novarg.A@mm (also know as W32.Mydoom@mm) from a Level 3 to a Level 4 threat based on how fast the threat is spreading, the potential damage and the threat distribution. Additionally, the Symantec DeepSight Threat Analyst Team has increased the global ThreatCon from Level 1 to 2 due to the number of sample submissions Symantec has received and because of the malicious nature of the backdoor that the Trojan installed. Symantec’s ThreatCon rating provides a digital weather forecast of Internet Security.

Symantec Security Response is receiving submissions of W32.Novarg.A@mm at approximately the same rate it initially received submissions of Sobig.F@mm (discovered August 13, 2003). Today, Symantec Security Response received more than 960 submissions of W32.Novarg.A@mm in a nine-hour timeframe.

Symantec customers can protect against W32. W32.Novarg.A@mm by updating their virus definitions through LiveUpdate. Additionally, the Worm Blocking technology found in the latest Symantec consumer products automatically detects this threat as it attempts to spread. Symantec Security Response encourages all users and administrators to adhere to basic security best practices.

About W32.Novarg.A@mm
W32.Novarg.A@mm is an encrypted mass-mailing worm that arrives as an attachment with a variety of different subject lines such as "hello," "Mail Transaction Failed," or "Test." The attachment has one of the following extensions: .cmd, .exe, .scr., .zip, .pif, .bat, or .cmd. Once opened, the worm copies itself to the system folder as taskmon.exe and listens to all TCP ports in the range 3127 to 3198, allowing hackers to potentially send additional files to be executed by the infected systems.

The worm propagates by sending itself to addresses found in files with the extensions: .htm, .sht., .php, .asp, .dbx, .tbb, .adb., .pl, .wab, and .txt. It ignores addresses that end in .edu.

The worm will also attempt to perform a denial-of-service attack between Feb. 1 and Feb. 12, 2004 against The worm creates 64 threads that send HTTP "GET" requests to the SCO site. SCO is a provider of software solutions for small- to medium-sized businesses and replicated branch offices.

Additional information on W32.Novarg@mm can be found on Symantec's Web site at

About Symantec
Symantec is the world leader in providing solutions to help individuals and enterprises assure the security, availability, and integrity of their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. More information is available at

NOTE TO EDITORS: : If you would like additional information on Symantec Corporation and its products, please view the Symantec Press Center at on Symantec's Web site. All prices noted are in US dollars and are valid only in the United States.

Symantec, the Symantec logo, VERITAS, and the VERITAS logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the United States and certain other countries. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged.