MyDoom-B, which hit the wild Wednesday, has a bigger payload than the original worm but it isn't spreading widely. Steve Sundermeier, vice president of products and services at Central Command Inc., an anti-virus company based in Medina, Ohio, reports that they are seeing no significant traffic related to the variant. MyDoom-A, however, is still rampaging across the Internet, accounting for one out of every nine emails four days after it first attacked.
The variant actually is built to take advantage of the computers that have already been compromised by the original MyDoom. Ken Dunham, director of malicious code at iDefense Inc., a security and anti-virus company, says the variant scans for infected computers and updates itself. From that updated machine, it will then search out more infected computers and continue the process.
"It is very clever," says Dunham. "One worm spreads in the wild and then the author launches a second worm that updates itself automatically... It also allows the author to have a very carefully planned attack to outwit or outrun the anti-virus measures that may have been put in place. But planning this ahead of time, he gains a lot of control."

Both Dunham and Sundermeier say that while MyDoom-A sets up a distributed denial-of-service attack against The SCO Group, Inc., a company embroiled in legalities over Linux and open source issues, the variant extends that DDOS attack to Microsoft Corp. Both attacks are scheduled to begin Feb. 1 with a kill date of Feb. 12.
The variant also tries to keep users from getting information on the worm or updating their anti-virus applications by blocking access to anti-virus Web sites and the Microsoft.com site.
What has caught the attention of the security industry is the fact that the variant was launched so soon after the original version was released. Many anti-virus experts were expecting MyDoom to more closely mirror Sobig and its string of variants, with the first variant hitting soon before or right after the Feb. 12 kill date.
"I am a little surprised," says Sundermeier. "I thought it would be closer to the 12th of February."
But Dunham theorizes that the variant was built right along with the original worm and the author planned to release one on top of the other.
"There's suspicion that MyDoom-B was authored before the original one was sent out," he says. "If he was to wait too long (to release the variant), he might lose control over the computers. By planning this ahead of time, he gains control over them."
MyDoom-A was designed to allow anyone to take advantage of the compromised computers. The variant changes that, enabling only the author to use those infected machines to launch a DDOS attack, send spam or upload other executables.
"I think it certainly is designed to be a very noisy worm, but it goes much deeper than that," says Dunham. "This is about control and power. This person now controls a large army of computers and we know it can be used to install a trojan or another worm or he can use it as a proxy server. This can be used to send out spam or steal identity information or infiltrate a network. He now has a large army to attack SCO and Microsoft. That's significant firepower."
Sundermeier estimates that the worm has compromised 450,000 to 500,000 computers around the world.
MyDoom spreads via email and by copying itself to any available shared directories used by Kazaa. It harvests addresses from infected machines, and generally uses the words 'test', 'hi' and 'hello' in the subject line.
Analysts say MyDoom is spreading so quickly because it is successfully fooling users into first opening the email and then the attachment. The email often disguises itself as a bounce notice for an email the user sent. The user, wanting to know why the email failed, opens it up and then sees a text file icon, instead of the icon for an executable.
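As a defender-side illustration of the lure described above, the following is an added example (not code from the article or from the researchers quoted in it) that triages a mail message on the traits the article names: a bare 'test', 'hi' or 'hello' subject paired with an executable attachment whose name is dressed up as a text file. The executable-extension list, the text-extension list and the sample message are constructed assumptions, not details from the article.

```python
import email
import os
from email import policy

LURE_SUBJECTS = {"test", "hi", "hello"}  # subject words the article cites
EXEC_EXTS = {".exe", ".scr", ".pif", ".cmd", ".bat", ".com"}  # assumed, not from the article
TEXT_EXTS = {".txt", ".doc", ".htm", ".html"}  # harmless-looking inner extensions (assumed)

def is_lure_subject(subject):
    """Bare 'test' / 'hi' / 'hello' subject, case-insensitive."""
    return subject.strip().lower() in LURE_SUBJECTS

def is_disguised_executable(filename):
    """True when the last extension executes but the name reads as a text file,
    via a double extension ('message.txt.scr') or padding spaces that push the
    executable extension out of view ('message.txt        .exe')."""
    stem, ext = os.path.splitext(filename.lower())
    if ext not in EXEC_EXTS:
        return False
    padded = stem != stem.rstrip()
    inner_ext = os.path.splitext(stem.rstrip())[1]
    return padded or inner_ext in TEXT_EXTS

def triage(raw_message):
    """Verdict for one RFC 822 message given as bytes."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    executables = [n for n in names if os.path.splitext(n.lower())[1] in EXEC_EXTS]
    disguised = [n for n in executables if is_disguised_executable(n)]
    lure = is_lure_subject(msg["subject"] or "")
    # Quarantine when an executable attachment is paired with either lure trait.
    return {"lure_subject": lure, "executable_attachments": executables,
            "disguised_as_text": disguised,
            "quarantine": bool(executables) and (lure or bool(disguised))}

# Constructed sample, not a real capture: one-word subject plus a .scr dressed as .txt.
SAMPLE_LURE = b"""Subject: hi
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The attached message could not be delivered.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="message.txt.scr"

TVqQAAMAAAAEAAAA
--b1--
"""
```

Running `triage(SAMPLE_LURE)` at a mail gateway would quarantine the constructed message on both traits; a message with only a one-word subject and no executable attachment is left alone.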
MyDoom also sets up a backdoor trojan in infected computers, allowing the virus writer or anyone else capable of sending commands to an infected machine to upload code or send spam.