The variant of the fast-spreading MyDoom worm is setting up an attack against Microsoft and,
in a sneaky twist, interferes with the compromised machines’ ability to update their
anti-virus protection.
MyDoom-B, which hit the wild Wednesday, has a bigger payload than the original worm but it
isn’t spreading widely. Steve Sundermeier, vice president of products and services at
Central Command Inc., an anti-virus company based in Medina, Ohio, reports that they are
seeing no significant traffic related to the variant. MyDoom-A, however, is still rampaging
across the Internet, accounting for one out of every nine emails four days after it first
attacked.
The variant actually is built to take advantage of the computers that have already been
compromised by the original MyDoom. Ken Dunham, director of malicious code at iDefense,
Inc., a security and anti-virus company, says the variant scans for infected computers and
updates itself. From that updated machine, it will then search out more infected computers
and continue the process.
“It is very clever,” says Dunham. “One worm spreads in the wild and then the author
launches a second worm that updates itself automatically… It also allows the author to
have a very carefully planned attack to outwit or outrun the anti-virus measures that may
have been put in place. By planning this ahead of time, he gains a lot of control.”
Both Dunham and Sundermeier say that while MyDoom-A sets up a distributed denial-of-service
attack against The SCO Group, Inc., a company embroiled in legalities over Linux and open
source issues, the variant extends that DDOS attack to Microsoft Corp. Both attacks are
scheduled to begin Feb. 1 with a kill date of Feb. 12.
The variant also tries to keep users from getting information on the worm or updating their
anti-virus applications by blocking access to anti-virus Web sites and the Microsoft.com
site.
What has caught the attention of the security industry is the fact that the variant was
launched so soon after the original version was released. Many anti-virus experts were
expecting MyDoom to more closely mirror Sobig and its string of variants, with the first
variant hitting soon before or right after the Feb. 12 kill date.
“I am a little surprised,” says Sundermeier. “I thought it would be closer to the 12th of
February.”
But Dunham theorizes that the variant was built right along with the original worm and the
author planned to release one on top of the other.
“There’s suspicion that MyDoom-B was authored before the original one was sent out,” he
says. “If he was to wait too long (to release the variant), he might lose control over the
computers. By planning this ahead of time, he gains control over them.”
MyDoom-A was designed to allow anyone to take advantage of the compromised computers. The
variant changes that, enabling only the author to use those infected machines to launch a
DDOS attack, send spam or upload other executables.
“I think it certainly is designed to be a very noisy worm, but it goes much deeper than
that,” says Dunham. “This is about control and power. This person now controls a large
army of computers and we know it can be used to install a trojan or another worm or he can
use it as a proxy server. This can be used to send out spam or steal identity information or
infiltrate a network. He now has a large army to attack SCO and Microsoft. That’s
significant firepower.”
Sundermeier estimates that the worm has compromised 450,000 to 500,000 computers around the
world.
MyDoom spreads via email and by copying itself to any available shared directories used by
Kazaa. It harvests addresses from infected machines, and generally uses the words ‘test’,
‘hi’ and ‘hello’ in the subject line.
Analysts say MyDoom is spreading so quickly because it is successfully fooling users into
opening first the email and then the attachment. The email often disguises itself as an email
that the user sent that has bounced back. The user, wanting to know why the email failed,
opens it up and then sees a text file icon, instead of the icon for an executable.
MyDoom also sets up a backdoor trojan in infected computers, allowing the virus writer or
anyone else capable of sending commands to an infected machine to upload code or send spam.