A back door to computer systems opened by the Mydoom e-mail worm is turning into a bonanza for thousands of hackers, who are scanning the internet furiously for infected systems, security experts have warned.
The opening in the defences of infected computers could allow malicious hackers to secretly install a Trojan horse program, keylogging software or simply peruse files on infected systems, and may make clean-up after Mydoom difficult, anti-virus companies said.
Mydoom, which first appeared on Monday, is still spreading on the internet and is believed to have infected between 100,000 and 300,000 systems worldwide, according to the McAfee anti-virus division of Network Associates.
"Mydoom is still going strong, we're not seeing any signs of it slowing down," said Craig Schmugar, virus research manager at the company.
One large corporate customer reported receiving 160,000 Mydoom-infected e-mails an hour on Wednesday, he said.
McAfee researchers and those at other anti-virus companies have also spotted another Mydoom trend - thousands of computers scanning for a range of TCP (Transmission Control Protocol) ports opened by the worm.
Those open ports, which range between number 3,127 and 3,198, are open doors for malicious hackers, said Oliver Friedrichs, senior manager of Symantec Security Response.
Attackers just have to connect to the open port and upload spyware or other malicious programs, he said.
"This could mean there are a bunch of attackers out there looking for machines to compromise," NAI's Schmugar said.
Symantec counted 2,100 unique systems scanning for the Mydoom back door on Wednesday. NAI puts the number at 2,500 systems and says that as many as 7,500 infected systems may have been targeted since late Tuesday, when researchers first noticed the behaviour.
Removing Mydoom will close the back door, removing the threat, Friedrichs said. However, if a malicious hacker gets to an infected system first, clean-up is more complicated, he warned.
Many anti-virus programs can spot common Trojan horse and keylogging software, but might not detect every program.
Owners of infected systems would need specialised software that just looks for such programs, he said. "This could turn into a big mess.”
While that is possible, most users will be well served with an up-to-date anti-virus package and an internet firewall, which can spot Trojan activity on an infected system, said Richard Smith, an independent computer security consultant.
Also, some of the scanning may come from system administrators who are trying to spot infected machines so they can disinfect them, Schmugar said.
The internet community should be more worried about the hundreds of thousands of Mydoom-infected computers that are now at the beck and call of the Mydoom author, Smith said.
"Anything more than 50,000 systems is scary," he said. "The author knows where the systems are and he can easily upload software to them."
The Mydoom-B variant which appeared Wednesday included features for cutting off access to anti-virus websites and may be an effort to further groom the population of infected machines.
A zombie network that large could be used to distribute spam, viruses or internet scams. "Whoever is behind [Mydoom] could cause a lot of mischief,” he said.
Paul Roberts writes for IDG News Service