MyDoom-B Continues Rampage, Takes on Microsoft
The variant of the fast-spreading MyDoom worm is setting up an attack against Microsoft and, in a sneaky twist, interferes with the compromised machines' ability to update its anti-virus protection.
MyDoom-B, which hit the wild Wednesday, has a bigger payload than the original worm but it isn't spreading widely. Steve Sundermeier, vice president of products and services at Central Command Inc., an anti-virus company based in Medina, Ohio., reports that they are seeing no significant traffic related to the variant. MyDoom-A, however, is still rampaging across the Internet, accounting for one out of every nine emails four days after it first attacked.
The variant actually is built to take advantage of the computers that have already been compromised by the original MyDoom. Ken Dunham, director of malicious code at iDefense, Inc., a security and anti-virus company, says the variant scans for infected computers and updates itself. From that updated machine, it will then search out more infected computers and continue the process.
''It is very clever,'' says Dunham. ''One worm spreads in the wild and then the author launches a second worm that updates itself automatically... It also allows the author to have a very carefully planned attack to outwit or outrun the anti-virus measures that may have been put in place. But planning this ahead of time, he gains a lot of control.''
The variant also tries to keep users from getting information on the worm or updating their anti-virus applications by blocking access to anti-virus Web sites and the Microsoft.com site.
What has caught the attention of the security industry is the fact that the variant was launched so soon after the original version was released. Many anti-virus experts were expecting MyDoom to more closely mirror Sobig and its string of variants, with the first variant hitting soon before or right after the Feb. 12 kill date.
''I am a little surprised,'' says Sundermeier. ''I thought it would be closer to the 12th of February.''
But Dunham theorizes that the variant was built right along with the original worm and the author planned to release one on top of the other.
''There's suspicion that MyDoom-B was authored before the original one was sent out,'' he says. ''If he was to wait too long (to release the variant), he might lose control over the computers. By planning this ahead of time, he gains control over them.''
MyDoom-A was designed allowing anyone to take advantage of the compromised computers. The variant changes that, enabling only the author to use those infected machines to launch a DDOS attack, send spam or upload other executables.
''I think it certainly is designed to be a very noisy worm, but it goes much deeper than that,'' says Dunham. ''This is about control and power. This person now controls a large army of computers and we know it can be used to install a trojan or another worm or he can use it as a proxy server. This can be used to send out spam or steal identity information or infiltrate a network. He now has a large army to attack SCO and Microsoft. That's significant firepower.''
Sundermeier estimates that the worm has compromised 450,000 to 500,000 computers around the world.
MyDoom spreads via email and by copying itself to any available shared directories used by Kazaa. It harvests addresses from infected machines, and generally uses the words 'test', 'hi' and 'hello' in the subject line.
Analysts say MyDoom is spreading so quickly because it is successfully fooling users into opening firs the email and then the attachment. The email often disguises itself as an email that the user sent that has bounced back. The user, wanting to know why the email failed, opens it up and then sees a text file icon, instead of the icon for an executable.
MyDoom also sets up a backdoor trojan in infected computers, allowing the virus writer or anyone else capable of sending commands to an infected machine to upload code or send spam.