
To: shadowman who wrote (39652) 2/24/2004 8:08:30 PM
From: Larry S.
Mydoom Virus Variant Spreads Among U.S. Windows-Based PCs
Tuesday February 24, 4:26 pm ET
By Riva Richmond

NEW YORK -- Another version of the Mydoom e-mail virus that hobbled personal computers running under Microsoft Corp. (NasdaqNM:MSFT)'s Windows operating system earlier this month began spreading aggressively in the U.S. on Monday and continued to move through PCs Tuesday.

The infectious, malicious program, dubbed Mydoom.f by antivirus software makers, first appeared on Friday morning but didn't make much headway until the U.S. work week began.

"Suddenly it really started to increase Monday morning U.S. time, and that carried into the day and night," said Kevin Hogan, senior manager of Symantec Corp. (NasdaqNM:SYMC)'s security-response group for the Europe, Middle East and Africa region. "Technically speaking, there's nothing in the actual worm itself that would cause it to trickle and suddenly boom."

Mr. Hogan said the Monday ramp-up could have been the result of employees in the U.S. returning to work and opening infected e-mail that was lying in wait. The virus never caught on in Europe, though it continued to spread Tuesday in the U.S., albeit at a somewhat reduced rate. Symantec, maker of Norton antivirus software, rates it a three, or moderate risk, on a scale of five.

"Probably it just didn't get lucky till someone hit upon it Monday morning. Somebody with a big mailing list has to hit it, and then it becomes really widespread," agreed Jimmy Kuo, a virus researcher at rival Network Associates Inc. (NYSE:NET).

Late Monday, Network Associates, the maker of McAfee antivirus software, raised its risk rating on Mydoom.f to medium from low, citing increased prevalence.

"Our numbers yesterday (Monday) showed it to be one-fourth to one-fifth of what the Mydoom.a numbers were," Mr. Kuo said. "It almost seems dull compared to what we've been through in the last few weeks."

Mydoom.f uses the basic code seen in the Mydoom.a and Mydoom.b viruses, which struck early this month, but throws in a few new twists.

For one, its long list of possible subject lines, message texts and attachment file names borrowed more from the recent "Netsky.b" virus than from Mydoom.

"The Mydoom.f author either studied and copied Netsky or is the same author," Mr. Kuo said. Network Associates believes the Mydoom.f author is different from the person who wrote Mydoom.a. In the original virus, the author called himself "Andy" and included the note "nothing personal." The latest variant includes the message: "I am irony, made by JKQ7".

While the original Mydoom used a limited array of texts designed to feign technical errors, Mydoom.f uses a long list of simple Netsky-like subject lines, including "hi", and message texts, such as "here is the document."

"They're just cryptic enough to get people to click because they want to know more," Mr. Hogan said. The virus is only activated if the person who receives the e-mail opens its attached file, at which point the virus lodges itself in the computer and mails itself to addresses it finds there.

Like its Mydoom forebears, the new version won't send itself to a number of domains, including those belonging to the U.S. government and antivirus-software companies, presumably in an effort to stay off their radar screens for a longer time.

Mydoom.f tries to direct victim PCs to simultaneously visit the homepages of either Microsoft or file-swapper nemesis Recording Industry Association of America from the 17th to the 22nd of each month, in an effort to shut the sites down. Mydoom.a attacked and shut down Unix software maker SCO Group Inc. (NasdaqSC:SCOX)'s homepage, while Mydoom.b tried and failed to attack both SCO and Microsoft.

Also echoing earlier Mydoom variants and other recent viruses, Mydoom.f sets up a backdoor in infected PCs, in this case by opening TCP port 1080. The backdoor could allow an attacker to access the computer in order to relay spam e-mail anonymously and to download and run his choice of hacker programs.

In a somewhat unusual and nasty tactic, the virus deletes files it finds in local drives with the extensions .mdb, .doc, .xls, .sav, .jpg, .avi, and .bmp. (my bolding) The deletions won't hurt the machine's ability to function, but the files aren't easily restored. "Either the owner has backups or he doesn't," Mr. Kuo said.