Sunday, October 17, 2021

MyDoom-B Continues Rampage, Takes on Microsoft

The variant of the fast-spreading MyDoom worm is setting up an attack against Microsoft and,

in a sneaky twist, interferes with the compromised machines’ ability to update its

anti-virus protection.

MyDoom-B, which hit the wild Wednesday, has a bigger payload than the original worm but it

isn’t spreading widely. Steve Sundermeier, vice president of products and services at

Central Command Inc., an anti-virus company based in Medina, Ohio., reports that they are

seeing no significant traffic related to the variant. MyDoom-A, however, is still rampaging

across the Internet, accounting for one out of every nine emails four days after it first

attacked.

The variant actually is built to take advantage of the computers that have already been

compromised by the original MyDoom. Ken Dunham, director of malicious code at iDefense,

Inc., a security and anti-virus company, says the variant scans for infected computers and

updates itself. From that updated machine, it will then search out more infected computers

and continue the process.

”It is very clever,” says Dunham. ”One worm spreads in the wild and then the author

launches a second worm that updates itself automatically… It also allows the author to

have a very carefully planned attack to outwit or outrun the anti-virus measures that may

have been put in place. But planning this ahead of time, he gains a lot of control.”

Both Dunham and Sundermeier say that while MyDoom-A sets up a distributed denial-of-service

attack against The SCO Group, Inc., a company embroiled in legalities over Linux and open

source issues, the variant extends that DDOS attack to Microsoft Corp. Both attacks are

scheduled to begin Feb. 1 with a kill date of Feb. 12.

The variant also tries to keep users from getting information on the worm or updating their

anti-virus applications by blocking access to anti-virus Web sites and the Microsoft.com

site.

What has caught the attention of the security industry is the fact that the variant was

launched so soon after the original version was released. Many anti-virus experts were

expecting MyDoom to more closely mirror Sobig and its string of variants, with the first

variant hitting soon before or right after the Feb. 12 kill date.

”I am a little surprised,” says Sundermeier. ”I thought it would be closer to the 12th of

February.”

But Dunham theorizes that the variant was built right along with the original worm and the

author planned to release one on top of the other.

”There’s suspicion that MyDoom-B was authored before the original one was sent out,” he

says. ”If he was to wait too long (to release the variant), he might lose control over the

computers. By planning this ahead of time, he gains control over them.”

MyDoom-A was designed allowing anyone to take advantage of the compromised computers. The

variant changes that, enabling only the author to use those infected machines to launch a

DDOS attack, send spam or upload other executables.

”I think it certainly is designed to be a very noisy worm, but it goes much deeper than

that,” says Dunham. ”This is about control and power. This person now controls a large

army of computers and we know it can be used to install a trojan or another worm or he can

use it as a proxy server. This can be used to send out spam or steal identity information or

infiltrate a network. He now has a large army to attack SCO and Microsoft. That’s

significant firepower.”

Sundermeier estimates that the worm has compromised 450,000 to 500,000 computers around the

world.

MyDoom spreads via email and by copying itself to any available shared directories used by

Kazaa. It harvests addresses from infected machines, and generally uses the words ‘test’,

‘hi’ and ‘hello’ in the subject line.

Analysts say MyDoom is spreading so quickly because it is successfully fooling users into

opening firs the email and then the attachment. The email often disguises itself as an email

that the user sent that has bounced back. The user, wanting to know why the email failed,

opens it up and then sees a text file icon, instead of the icon for an executable.

MyDoom also sets up a backdoor trojan in infected computers, allowing the virus writer or

anyone else capable of sending commands to an infected machine to upload code or send spam.

Similar articles

Latest Articles