A new variant of the Mydoom.a worm, which has been
spreading swiftly across the internet, emerged yesterday (28
January), according to security supplier Mi2g.
The variant, Mydoom.b, has a larger payload and targets
Microsoft’s website for a distributed denial-of-service attack on 1
February, instead of SCO's website, which was targeted by the first
version.
Mi2g said that although only minor changes to the text padding in the
malware have been made, it is possible that Mydoom.b can be
disseminated via infected computers turned into zombie machines by
Mydoom.a, as well as via the Kazaa file-sharing system.
Mi2g said this could turn the whole Mydoom episode into a much
more adverse series of unfortunate events.
"This is an extremely unwelcome development. Mydoom.b may have
just multiplied the full impact of Mydoom.a a few fold," said DK
Matai, executive chairman of Mi2g.
"We know that many large and small organisations as well as
homes are struggling to cope with the deluge of e-mails originating
from the ‘a’ variant infections - never mind the arrival of ‘b’,
which shows signs of being just as vicious."
Early information indicates that the latest variant is likely
spreading in the wild, said Ken Dunham, director of malicious code
at security consulting company iDefense.
Dunham said the Mydoom.b worm modifies the standard Windows hosts
file so that it blocks access to 65 websites, most of
which are anti-virus websites, in an apparent attempt to block
users from downloading anti-virus solutions and data.
"This 'b' variant of Mydoom is worse than Mydoom.a," he said.
"An attack on the Microsoft.com website could cause a significant
disruption of services for users worldwide."
"It’s feasible that Mydoom.a computers are now being used to
help launch Mydoom.b, via the proxy setup supported by the worm. If
this is the case, Mydoom.b will likely become very prevalent in the
wild in just a few short hours."
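The hosts-file tampering Dunham describes is easy to check for by hand, but a responder triaging many machines wants it scripted. The following is an added example written for this page, not code from iDefense or from the worm: it parses a hosts file, flags any security-vendor or Microsoft domain that has been mapped to a sinkhole address (0.0.0.0, 127.0.0.1 or ::1) as "blocked", and any such domain mapped elsewhere as "redirected". The list of watched domains and the embedded sample hosts file are constructed for the example and are not the worm's actual 65-entry list.

```python
import os
from typing import Dict, List, Tuple

# Constructed sample in the style of the tampering described in the article.
# It is NOT the real Mydoom.b hosts list; it only exercises the scanner.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 www.symantec.com
0.0.0.0 securityresponse.symantec.com
0.0.0.0 www.mcafee.com
0.0.0.0 liveupdate.symantecliveupdate.com
127.0.0.1 www.kaspersky.com
0.0.0.0 www.sophos.com
10.0.0.5 www.trendmicro.com          # mapped to an arbitrary host instead
192.168.1.10    intranet.example.test   # legitimate local override, ignored
"""

# Domain suffixes a user would need to reach for AV tools and updates.
# Assumption for the example: adjust to the vendors you actually rely on.
WATCHED_SUFFIXES = (
    "symantec.com", "symantecliveupdate.com", "mcafee.com",
    "kaspersky.com", "sophos.com", "trendmicro.com", "f-secure.com",
    "windowsupdate.com", "microsoft.com",
)

# Addresses that silently discard or loop back a connection.
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; '#' comments and blank lines are skipped,
    and a line with several hostnames yields one pair per hostname."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def is_watched(hostname: str) -> bool:
    """True if hostname is a watched domain or a subdomain of one.
    The leading '.' prevents 'notsymantec.com' from matching 'symantec.com'."""
    return any(hostname == s or hostname.endswith("." + s)
               for s in WATCHED_SUFFIXES)


def scan_hosts(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Classify hosts entries for watched domains as blocked or redirected."""
    result: Dict[str, List[Tuple[str, str]]] = {"blocked": [], "redirected": []}
    for ip, name in parse_hosts(text):
        if name == "localhost" or not is_watched(name):
            continue
        bucket = "blocked" if ip in SINKHOLE_IPS else "redirected"
        result[bucket].append((ip, name))
    return result


def default_hosts_path() -> str:
    """Windows keeps hosts under %SystemRoot%\\System32\\drivers\\etc."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    # Run against the constructed sample; point at default_hosts_path()
    # to check a live machine instead.
    findings = scan_hosts(SAMPLE_HOSTS)
    for ip, name in findings["blocked"]:
        print(f"BLOCKED    {name:40s} -> {ip}")
    for ip, name in findings["redirected"]:
        print(f"REDIRECTED {name:40s} -> {ip}")
    if not findings["blocked"] and not findings["redirected"]:
        print("no watched domains overridden")
```

Any hit on a vendor or Microsoft domain is worth treating as tampering: a normal hosts file has no reason to name those hosts at all. The usual first fix, before removing the worm itself, is to restore the stock hosts file so that signature updates can be fetched again.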
He said computer users should be on guard for a succession of
worm attacks this year.
Security supplier BitDefender said Mydoom.b is only slightly
different from the first virus variant.
"Still, we can expect a new wave of infections, as the author
already has a base target," said Mihai Neagu, a virus researcher at
BitDefender.
"It seems, by the sheer amount of the first version that got
sent through networks at this point, that many users will
inadvertently cause a new major outbreak."
Security software developer Kaspersky Labs claims that Mydoom.b
is scheduled to launch a DoS attack between 1 and 12 February on
both www.sco.com and www.microsoft.com.
"Our analysts believe that Mydoom.b is probably using machines
infected by the original Mydoom, which could mean as many as
600,000 units," Kaspersky Labs said.
"These infected computers may have received a command to send
out copies of Mydoom.b. Therefore, the computer community may be
facing a much more serious outbreak than the one caused by Mydoom.a
on 27 January."
Linda Rosencrance writes for Computerworld