Internet security companies have discovered a third
version of the MyDoom e-mail worm circulating on the
internet.
MyDoom.C is a modified copy of the virus that ravaged the
internet last month. Unlike its predecessor, however, the variant
does not use e-mail or the Kazaa peer-to-peer network to spread and
is not expected to make much of an impact on the internet, said
managed security services provider LURHQ.
MyDoom.C both refines and tames the earlier version of the
virus, known as MyDoom.A. Among other changes, the virus fixes
problems with the original MyDoom e-mail worm, including errors in
the worm's code that made it impossible for many MyDoom-infected
machines to launch a programmed denial-of-service (DoS) attack
against the SCO Group's website.
Gone also is the expiry date that told machines infected with
the original MyDoom virus to stop their DoS attack on 12 February,
and instead of depositing a file that opens a backdoor on infected
machines, the virus distributes a compressed archive of the worm's
original source code.
However, the MyDoom.C author also removed many of the most
dangerous features of the original virus, including the highly
efficient SMTP engine that enabled infected machines to spew out
e-mail messages containing the virus.
That component made the original MyDoom worm the fastest
spreading e-mail worm in history, easily defeating Sobig-F, the
previous record holder.
Instead, MyDoom.C seeks out and infects machines already
infected with the original MyDoom virus by searching for machines
listening on port 3127, a telltale sign of MyDoom infection, said
security company iDefense.
That approach gives MyDoom.C a solid base of as many as
500,000 machines, but keeps it from spreading much beyond
the community of already-infected machines.
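The propagation method described above leaves a recognisable footprint on the network: one internal host opening connections to many different addresses on TCP port 3127. The script below is an added example, not part of the article or of any vendor's tool; it assumes iptables-style firewall log lines (a constructed sample is embedded) and a hypothetical threshold of five distinct targets before a source is flagged.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines, iptables-style (not from the article).
# 10.0.0.5 probes many hosts on TCP/3127 (the MyDoom.A backdoor port);
# 10.0.0.9 makes a single connection there; 10.0.0.7 is ordinary web traffic.
SAMPLE_LOG = """\
Feb  9 10:00:01 fw kernel: SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP DPT=3127 SYN
Feb  9 10:00:01 fw kernel: SRC=10.0.0.5 DST=192.0.2.11 PROTO=TCP DPT=3127 SYN
Feb  9 10:00:02 fw kernel: SRC=10.0.0.5 DST=192.0.2.12 PROTO=TCP DPT=3127 SYN
Feb  9 10:00:02 fw kernel: SRC=10.0.0.5 DST=192.0.2.13 PROTO=TCP DPT=3127 SYN
Feb  9 10:00:03 fw kernel: SRC=10.0.0.5 DST=192.0.2.14 PROTO=TCP DPT=3127 SYN
Feb  9 10:00:03 fw kernel: SRC=10.0.0.5 DST=192.0.2.14 PROTO=TCP DPT=3127 SYN
Feb  9 10:00:04 fw kernel: SRC=10.0.0.7 DST=192.0.2.20 PROTO=TCP DPT=80 SYN
Feb  9 10:00:05 fw kernel: SRC=10.0.0.9 DST=192.0.2.30 PROTO=TCP DPT=3127 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+)")
MYDOOM_BACKDOOR_PORT = 3127  # port MyDoom.A listens on; MyDoom.C sweeps for it


def parse_line(line):
    """Return (src, dst, dport) for a TCP log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dpt"))


def find_backdoor_scanners(lines, min_targets=5):
    """Collect, per source, the distinct destinations probed on TCP/3127 and
    return (source, target_count) for sources that reached at least
    min_targets distinct hosts, most active first. Repeated SYNs to the
    same destination count once, so a single retry is not mistaken for a sweep."""
    targets = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport == MYDOOM_BACKDOOR_PORT:
            targets[src].add(dst)
    hits = [(src, len(dsts)) for src, dsts in targets.items() if len(dsts) >= min_targets]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    for src, n in find_backdoor_scanners(SAMPLE_LOG.splitlines()):
        print(f"{src} probed {n} hosts on TCP/{MYDOOM_BACKDOOR_PORT}: possible MyDoom.C sweep")
```

A host that answers on 3127 is itself a MyDoom.A infection indicator, so the flagged scanner and every destination that completed the handshake both deserve a look.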
The MyDoom.C author also removed a Trojan horse back door, but
included a copy of the worm's source code, which is deposited on
machines infected with the new variant.
MyDoom.C leaves SCO's website alone, but continues the attack on
Microsoft's site introduced by MyDoom.B.
The variant does not remove existing versions of the virus and
can even run alongside them, said Joe Stewart, senior security
researcher at LURHQ.
If started on or between 8 February and 12 February,
MyDoom.C-infected machines will launch randomly timed DoS attacks
against Microsoft.com. Machines started after 12 February will launch
constant attacks against Microsoft's site.
An analysis of the worm's code also uncovered an IP address
linked to Ford's web page, www.ford.com, although it is unclear
whether the worm targets Ford.
The lack of aggressive spreading features, a staple of most
e-mail worms, and the inclusion of the MyDoom.A source code may
mean that the MyDoom author is closing shop and handing off his
creation to other virus writers to refine, LURHQ said.
"I don't think the internet will shake from this one," said Ian
Hameroff, senior security strategist at Computer Associates
International.
CA researchers consider the new worm to be a different threat
than MyDoom.A, based on a comparison of the two worms' underlying
code, and are calling the new threat "DoomJuice", Hameroff
said.
While the worm does not pose a risk to internet users who are
not already infected with an earlier version of MyDoom, the wide
distribution of the MyDoom.A source could pose a serious risk to
the overall security of the internet, Stewart said, adding that
the uncompiled code could only have come from the MyDoom author and
could be useful to less experienced virus writers.
"There's lots of stuff in there - the modified SMTP engine, the
spreading algorithm, how MyDoom.A spreads over Kazaa, how it gets
e-mail addresses off the hard drive."
Even inexperienced computer programmers could take the code,
make small adjustments to it, recompile it and release their own
version of MyDoom.
"The thing I'm most concerned about is, with the source code
being available, who's going to take it and what are they going to
do with it," Stewart said. "I think we're going to get copycats on
this one."
Paul Roberts writes for IDG News Service