
MyDoom returns, targets Microsoft

By Tracy Burrows, ITWeb contributor.
Johannesburg, 10 Feb 2004

A new MyDoom-type network worm has surfaced, targeting Microsoft for a distributed denial-of-service attack.

Anti-virus vendors say the new worm appears to have been written by the authors of the aggressive MyDoom and MyDoom.B worms, which spread rapidly around the world recently.

The new worm, known variously as MyDoom.C, Doomjuice or SyncZ, differs from MyDoom in that it spreads directly between infected computers rather than via e-mail. It appears to seek out computers already compromised by MyDoom and MyDoom.B, reinforcing initial theories that the MyDoom worms were unleashed as part of a planned, sequential assault.

Reports of another opportunistic worm, Deadhat, have also surfaced, but no infections have been reported yet.

"The Doomjuice worm has been programmed to start a distributed denial-of-service attack against www.microsoft.com after 8 February, which is when the worm was probably distributed," says Ryan Price, CEO of Y3K Security Products. "The attacks will continue forever and will try to overload the Web site by repeatedly reloading the front page."
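The behaviour Price describes, a worm repeatedly reloading one site's front page from many infected hosts, leaves a characteristic pattern in the target's web server access log: a single client fetching `/` far more often than any browser user would. The script below is an added illustration from the editor, not code from the article or from any vendor quoted in it. It parses constructed access-log lines in the common "combined" format and flags clients whose request rate for the front page exceeds an assumed threshold within an assumed time window; the IP addresses, timestamps and threshold values are all made up for the example.

```python
"""Flag clients that hammer a site's front page at a DDoS-like rate.

Added illustration (not the article's or any vendor's code). Log lines,
client addresses and the threshold values are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined"-style access log, constructed for this example:
# 203.0.113.7 reloads "/" eight times in four seconds (flood-like),
# 192.0.2.5 fetches "/" once a minute (a poller, not a flood),
# 198.51.100.22 looks like a real visitor, and one line is malformed.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2004:09:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Feb/2004:09:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Feb/2004:09:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Feb/2004:09:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Feb/2004:09:00:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Feb/2004:09:00:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Feb/2004:09:00:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Feb/2004:09:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.5 - - [10/Feb/2004:09:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.5 - - [10/Feb/2004:09:01:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.5 - - [10/Feb/2004:09:02:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.5 - - [10/Feb/2004:09:03:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.5 - - [10/Feb/2004:09:04:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.5 - - [10/Feb/2004:09:05:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.22 - - [10/Feb/2004:09:00:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.22 - - [10/Feb/2004:09:00:11 +0000] "GET /images/logo.gif HTTP/1.1" 200 811 "-" "Mozilla/4.0"
198.51.100.22 - - [10/Feb/2004:09:00:12 +0000] "GET /default.asp HTTP/1.1" 200 9044 "-" "Mozilla/4.0"
this line is deliberately malformed and must be skipped
"""

# client ip, bracketed timestamp, method, path, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one access-log line, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {
        "ip": ip,
        "time": datetime.strptime(ts, TS_FORMAT),
        "method": method,
        "path": path,
        "status": int(status),
    }


def max_requests_in_window(times, window_seconds):
    """Largest number of timestamps that fall inside any window of window_seconds."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        # slide the window start forward until it fits within window_seconds of t
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_front_page_floods(log_text, window_seconds=10, threshold=5):
    """Map each client that fetched "/" at least `threshold` times within any
    `window_seconds` span to its peak request count in such a window.
    Window and threshold defaults are assumptions chosen for the sample."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["path"] != "/":
            continue
        hits[rec["ip"]].append(rec["time"])
    flagged = {}
    for ip, times in hits.items():
        peak = max_requests_in_window(times, window_seconds)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, peak in find_front_page_floods(SAMPLE_LOG).items():
        print(f"{ip}: {peak} front-page requests within 10s")
```

A rate threshold of this kind is only a first filter: a single flooding client is easy to block, but the point of a distributed attack is that thousands of infected hosts each stay under any per-client limit, so in practice the per-client counts feed an aggregate view (total front-page rate, number of distinct sources) rather than standing on their own.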

MyDoom targeted the SCO Group and MyDoom.B targeted SCO and Microsoft. The SCO Group Web site was downed for over a week due to the attack, but Microsoft withstood the initial attack. Anti-virus vendors said this was partly due to the slower spread of MyDoom.B and the fact that a bug in the virus code limited the attack to only 7% of infected computers.

The latest MyDoom worm renews the assault on Microsoft, and Reuters reports that the software maker's home page was slowed by the attack yesterday. However, Microsoft says all its online properties are stable and available to customers.

Microsoft and SCO have each offered rewards of $250 000 for the arrest and conviction of MyDoom's authors.

Mikko Hypponen, director of anti-virus research at F-Secure, says that in addition to attacking Microsoft's Web site, Doomjuice drops the original source code of the MyDoom.A worm in an archive to several folders of infected computers.

"The motivation to distribute source seems to be simple. The authors know the police are looking for them. And the best evidence against them would be the possession of the original source code of the virus. Before the Doomjuice incident, only the authors of MyDoom.A had the original source code. Now probably tens of thousands of people have it on their hard drive - without knowing it," says Hypponen.

Other anti-virus vendors estimate that up to 75 000 machines may still be infected.

Ken Dunham, director of malicious code at iDefense, warns that this could be the start of an unpleasant new trend. "Get ready for noisy e-mail worms in 2004. We are going to see a lot more of MyDoom and similar worms that generate a high volume of e-mails and disrupt the Net at large."
