MyDoom just got worse

By Tracy Burrows, ITWeb contributor.
Johannesburg, 29 Jan 2004

Anti-virus software vendors warn that a new variant of the aggressive MyDoom Internet worm is on the loose. In addition to harvesting e-mail addresses, the new worm also tries to block infected PCs' access to anti-virus updates and will attack Microsoft and SCO Group Web sites.

Ryan Price, CEO of the Y3K Group, says the new worm, MyDoom.B, could prove to be one of the "worst ever". The worm comes only two days after the launch of MyDoom.A, which already accounts for up to 30% of all e-mail traffic globally and is estimated to have generated over 100 million infected e-mails in its first 36 hours.

"MyDoom.B launches distributed denial of service attacks on both www.sco.com and www.microsoft.com, and prevents infected machines from accessing anti-virus sites, including www.f-secure.com," says Price. "This means that infected machines will not be able to receive anti-virus updates and will therefore result in untold aggravation for network administrators."

Price adds that the worm uses the same string-scrambling technique as the previous variant, ROT13, and shares most of its features. The worm spreads through peer-to-peer networks or arrives in e-mail with subject lines such as: Status, hi, Delivery Error, Mail Delivery System, hello, Error, Server Report or Returned mail. The new variant apparently evades the signatures written for the original worm.

The worm will perform a distributed denial-of-service (DDoS) attack against www.microsoft.com on 3 February at 13:09:18 (UTC) and www.sco.com on 1 February at 16:09:18 (UTC). The DDoS attack launches seven threads against www.sco.com every 1 024 milliseconds. The other DDoS attack launches 13 threads against www.microsoft.com every 1 024 milliseconds. The hosts file on infected machines is modified so that 65 domains belonging to anti-virus companies and other commercial sites resolve to the IP address 0.0.0.0, rendering them inaccessible.
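The hosts-file modification described above is easy to check for on a suspect machine. The following is an added example, not code from the article or from any anti-virus vendor: it parses hosts-file text, flags any hostname other than the loopback names that has been sunk to 0.0.0.0 or 127.0.0.1 (the two addresses commonly used for this trick), and returns a cleaned copy with those lines removed. The sample hosts content and the domain `update.av-vendor.example` are constructed for the example; www.f-secure.com is the one site named in the article.

```python
"""
Detect and strip hosts-file entries that sinkhole domains to 0.0.0.0 or
127.0.0.1. Added example for this article; the SAMPLE_HOSTS text below is
constructed, not a capture from an infected machine.
"""
from typing import List, Tuple

# Constructed sample: legitimate loopback lines, a comment, a normal
# intranet entry, and three poisoned lines of the kind described above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0 www.f-secure.com f-secure.com
127.0.0.1 update.av-vendor.example  # constructed poisoned entry
10.0.0.5 intranet.corp.example
"""

# Addresses that make a name unreachable when placed in the hosts file.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Names that legitimately map to loopback and must not be flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) for every non-blank, non-comment line.

    Trailing '# ...' comments are stripped; lines with no hostname are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        entries.append((parts[0], parts[1:]))
    return entries


def find_sinkholed(text: str) -> List[Tuple[str, str]]:
    """List (hostname, address) pairs where a non-loopback name is sinkholed."""
    hits = []
    for addr, names in parse_hosts(text):
        if addr not in SINKHOLE_ADDRS:
            continue
        for name in names:
            if name.lower() not in LOCAL_NAMES:
                hits.append((name.lower(), addr))
    return hits


def clean_hosts(text: str) -> str:
    """Return the hosts text with every line carrying a sinkholed name removed.

    Comments, blank lines and legitimate entries are preserved verbatim so the
    result can be written back in place of the original file.
    """
    kept = []
    for raw in text.splitlines():
        entries = parse_hosts(raw)
        if entries:
            addr, names = entries[0]
            if addr in SINKHOLE_ADDRS and any(
                n.lower() not in LOCAL_NAMES for n in names
            ):
                continue  # drop the poisoned line
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for host, addr in find_sinkholed(SAMPLE_HOSTS):
        print(f"sinkholed: {host} -> {addr}")
    print("--- cleaned hosts file ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

On a Windows machine the file to feed into `find_sinkholed` is `%SystemRoot%\system32\drivers\etc\hosts`; on Unix hosts it is `/etc/hosts`. A non-empty result is not proof of this particular worm, but any anti-virus or update domain pointed at a sinkhole address is worth treating as evidence of tampering until explained.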

"MyDoom.A and MyDoom.B appear to have been written by the same author as part of a planned, sophisticated, sequential attack," says Ken Dunham, director of malicious code at iDefense.

"It's feasible that MyDoom.A computers are now being used to help launch MyDoom.B, via the proxy set-up supported by the worm. If this is the case, MyDoom.B will likely become very prevalent in the wild in just a few short hours. However, this does not mean that millions of computers are infected but that millions of e-mails harbouring the worm are in the wild."
