The variant of the fast-spreading MyDoom worm is setting up an attack against Microsoft and,
in a sneaky twist, interferes with the compromised machines’ ability to update its
anti-virus protection.
MyDoom-B, which hit the wild Wednesday, has a bigger payload than the original worm but it
isn’t spreading widely. Steve Sundermeier, vice president of products and services at
Central Command Inc., an anti-virus company based in Medina, Ohio., reports that they are
seeing no significant traffic related to the variant. MyDoom-A, however, is still rampaging
across the Internet, accounting for one out of every nine emails four days after it first
attacked.
The variant actually is built to take advantage of the computers that have already been
compromised by the original MyDoom. Ken Dunham, director of malicious code at iDefense,
Inc., a security and anti-virus company, says the variant scans for infected computers and
updates itself. From that updated machine, it will then search out more infected computers
and continue the process.
”It is very clever,” says Dunham. ”One worm spreads in the wild and then the author
launches a second worm that updates itself automatically… It also allows the author to
have a very carefully planned attack to outwit or outrun the anti-virus measures that may
have been put in place. But planning this ahead of time, he gains a lot of control.”
Both Dunham and Sundermeier say that while MyDoom-A sets up a distributed denial-of-service
attack against The SCO Group, Inc., a company embroiled in legalities over Linux and open
source issues, the variant extends that DDOS attack to Microsoft Corp. Both attacks are
scheduled to begin Feb. 1 with a kill date of Feb. 12.
The variant also tries to keep users from getting information on the worm or updating their
anti-virus applications by blocking access to anti-virus Web sites and the Microsoft.com
site.
What has caught the attention of the security industry is the fact that the variant was
launched so soon after the original version was released. Many anti-virus experts were
expecting MyDoom to more closely mirror Sobig and its string of variants, with the first
variant hitting soon before or right after the Feb. 12 kill date.
”I am a little surprised,” says Sundermeier. ”I thought it would be closer to the 12th of
February.”
But Dunham theorizes that the variant was built right along with the original worm and the
author planned to release one on top of the other.
”There’s suspicion that MyDoom-B was authored before the original one was sent out,” he
says. ”If he was to wait too long (to release the variant), he might lose control over the
computers. By planning this ahead of time, he gains control over them.”
MyDoom-A was designed allowing anyone to take advantage of the compromised computers. The
variant changes that, enabling only the author to use those infected machines to launch a
DDOS attack, send spam or upload other executables.
”I think it certainly is designed to be a very noisy worm, but it goes much deeper than
that,” says Dunham. ”This is about control and power. This person now controls a large
army of computers and we know it can be used to install a trojan or another worm or he can
use it as a proxy server. This can be used to send out spam or steal identity information or
infiltrate a network. He now has a large army to attack SCO and Microsoft. That’s
significant firepower.”
Sundermeier estimates that the worm has compromised 450,000 to 500,000 computers around the
world.
MyDoom spreads via email and by copying itself to any available shared directories used by
Kazaa. It harvests addresses from infected machines, and generally uses the words ‘test’,
‘hi’ and ‘hello’ in the subject line.
Analysts say MyDoom is spreading so quickly because it is successfully fooling users into
opening firs the email and then the attachment. The email often disguises itself as an email
that the user sent that has bounced back. The user, wanting to know why the email failed,
opens it up and then sees a text file icon, instead of the icon for an executable.
MyDoom also sets up a backdoor trojan in infected computers, allowing the virus writer or
anyone else capable of sending commands to an infected machine to upload code or send spam.