Tuesday, January 21, 2025

Is Second Wave of MyDoom Attack Rolling In?

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

A new variant of the MyDoom worm is kicking up a small online storm,

battering search engines and opening backdoors across the globe.

The variant, named by different anti-virus vendors as either MyDoom-M,

MyDoom-N or MyDoom-O, hit the Wild on Monday and spread rapidly.

Sporting a new twist in the way it propagates, the worm contains links

to several different search engines and tries to use them to harvest

email addresses.

Security analysts say some search engine sites, such as Google,

reportedly experienced some slow downs and possibly even intermittent

interruptions.

”This is the first time I’ve ever seen a worm perform a Google search

to harvest email addresses for an email routine,” says Ken Dunham,

director of malicious code for iDefense, Inc., a security intelligence

company based in Reston, Va. ”It’s interesting that this worm was

released while Google has a pending IPO. However, it appears that the

backdoor component of the worm is the real motive behind this widespread

worm.”

The new variant, which appears to have peaked yesterday, still is

circulating in high numbers today, according to analysts from

MessageLabs, Inc., a managed email security company based in New York.

Analysts there report intercepting 599,641 copies of the virus so far.

But those numbers pale in comparison to the original MyDoom, which took

the Internet by storm this past January.

Mark Sunner, chief technical officer of MessageLabs, says they

intercepted more than 5 million copies of MyDoom-A in its first 24 hours

in the Wild.

”This is causing a fair bit of commotion, but this variant hasn’t got

anywhere near the numbers of the original,” says Sunner. ”But because

of what it’s done to the search engines, its ability to affect the

community as a whole is quite significant. Other than that, we’d call

this a medium level of aggression.”

Symantec Corp., an information security company based in Cupertino,

Calif., has labeled MyDoom-M as a Level 4 threat, with Level 5 being the

most dangerous.

The new MyDoom variant is a mass-mailing worm with an SMTP engine that

sends copies of itself out to addresses harvested from infected machines

or off of search engines. The worm also carries a Trojan that is

installed on TCP Port 1034.

” The Trojan is what has got us worried,” says Dunham. ”This backdoor

has been completely changed from the one that was in earlier versions of

MyDoom… This is a very complicated backdoor. The code is very

difficult to wade through.”

MessageLabs’ Sunner says the backdoor carries some disturbing commercial

capabilities.

”This variant isn’t dangerous from a traditional standpoint. It’s not

deleting files or amending spreadsheets,” says Sunner. ”But all the

viruses these days have a commercial motivation to them. That Trojan can

be used as an effective spam sending mechanism…. I don’t think this

virus’ main intention was to create denial-of-service attacks on the

search engines. This is about spam.”

Is a Second Wave Coming?

Dunham says the new MyDoom variant is just the first line of attack in a

bigger battle.

Today, Dunham’s analysts report finding Zindos-A in the Wild. The

malware scans for randomized IP addresses with TCP port 1034 open. This

is the port that the new MyDoom variant opens. Once it finds that open

port, Zindos-A uploads a copy of itself, which is then executed by a

mechanism inside the new MyDoom. After creating a .exe file on the

infected computer and modifying the Windows registry, Zindos-A attacks

the Microsoft.com Web site with a denial-of-service attack.

”It appears that the release of Zindos-A is part of a multi-stage

MyDoom attack against Microsoft.com and possibly to perform other

actions,” says Dunham.

Subscribe to Data Insider

Learn the latest news and best practices about data science, big data analytics, artificial intelligence, data security, and more.

Similar articles

Get the Free Newsletter!

Subscribe to Data Insider for top news, trends & analysis

Latest Articles