New variant of Mydoom on the loose


A new variant of the Mydoom.a worm, which has been spreading swiftly across the internet, emerged yesterday (28 January), according to security supplier Mi2g.

The variant, Mydoom.b, has a larger payload and adds Microsoft's website as the target of a distributed denial-of-service attack from 1 February, alongside SCO's website, which was the sole target of the first version.

Mi2g said that although the changes amount to little more than altered text padding in the malware, Mydoom.b could be disseminated through machines that Mydoom.a has already turned into zombies, as well as through the Kazaa file-sharing network.

Mi2g said this could turn the whole Mydoom episode into a much more adverse series of unfortunate events. 

"This is an extremely unwelcome development. Mydoom.b may have just multiplied the full impact of Mydoom.a a few fold," said DK Matai, executive chairman of Mi2g.

"We know that many large and small organisations as well as homes are struggling to cope with the deluge of e-mails originating from the ‘a’ variant infections - never mind the arrival of ‘b’, which shows signs of being just as vicious." 

Early information indicates that the latest variant is likely spreading in the wild, said Ken Dunham, director of malicious code at security consulting company iDefense. 

Dunham said the Mydoom.b worm modifies the standard Windows hosts file to block access to 65 websites, most of them anti-virus sites, in an apparent attempt to stop users from downloading anti-virus software and signature updates.

"This 'b' variant of Mydoom is worse than Mydoom.a," he said. "An attack on the website could cause a significant disruption of services for users worldwide."

"It’s feasible that Mydoom.a computers are now being used to help launch Mydoom.b, via the proxy setup supported by the worm. If this is the case, Mydoom.b will likely become very prevalent in the wild in just a few short hours." 

He said computer users should be on guard for a succession of worm attacks this year. 
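The hosts-file tampering Dunham describes is easy to check for on a suspect machine. The following script is an added example written for this page, not code from iDefense or from any vendor named in the article: it parses a hosts file, ignores comments, and flags any entry that pins a security-vendor or update domain to a fixed address, noting whether that address is a sinkhole (loopback or 0.0.0.0). The sample hosts content and the vendor-domain list are constructed for the demo and are not the worm's actual list of 65 sites.

```python
import ipaddress

# Constructed sample in the style of a Windows
# %SystemRoot%\System32\drivers\etc\hosts file that malware has appended to.
# The vendor domains here are illustrative, not the worm's real list.
SAMPLE_HOSTS = """\
# Sample hosts file (constructed for this example)
127.0.0.1       localhost
192.168.1.10    intranet.example.corp
0.0.0.0         www.symantec.com
0.0.0.0         securityresponse.symantec.com
127.0.0.1       www.mcafee.com
127.0.0.1       windowsupdate.microsoft.com   # appended by malware
127.0.0.1       liveupdate.symantecliveupdate.com
"""

# Domains that should never be pinned in a hosts file on a managed host.
# Illustrative list chosen for this example; a real check would load it
# from configuration and cover every vendor in use.
SECURITY_DOMAIN_SUFFIXES = (
    "symantec.com", "symantecliveupdate.com", "mcafee.com", "sophos.com",
    "kaspersky.com", "f-secure.com", "trendmicro.com", "bitdefender.com",
    "microsoft.com",
)

# Names that legitimately map to loopback.
LOOPBACK_OK = {"localhost", "localhost.localdomain"}


def is_sinkhole(addr):
    """True for addresses that swallow traffic: loopback or unspecified (0.0.0.0)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def is_security_domain(name):
    """True if name is, or is a subdomain of, one of the watched vendor domains."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in SECURITY_DOMAIN_SUFFIXES)


def parse_hosts(text):
    """Yield (address, [hostnames]) per effective line; comments and blanks skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        yield fields[0], fields[1:]


def find_hijacks(text):
    """Return (address, hostname, is_sinkhole) for every pinned vendor domain.

    Any hosts entry for a vendor domain is suspicious: a sinkhole address
    blocks updates outright, while any other address silently redirects them.
    """
    hits = []
    for addr, names in parse_hosts(text):
        for name in names:
            if name.lower() in LOOPBACK_OK:
                continue
            if is_security_domain(name):
                hits.append((addr, name, is_sinkhole(addr)))
    return hits


def scan_file(path):
    """Scan a hosts file on disk; path is supplied by the caller."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacks(fh.read())


if __name__ == "__main__":
    for addr, name, sink in find_hijacks(SAMPLE_HOSTS):
        kind = "sinkholed" if sink else "redirected"
        print(f"{name} is {kind} to {addr}")
```

On a live Windows machine, call `scan_file(r"C:\Windows\System32\drivers\etc\hosts")`; on Unix-like systems `/etc/hosts`. Entries are flagged regardless of the target address, because pinning a vendor's update host to any attacker-chosen IP defeats updates just as effectively as pointing it at 127.0.0.1.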

Security supplier BitDefender said Mydoom.b is only slightly different from the first virus variant. 

"Still, we can expect a new wave of infections, as the author already has a base target," said Mihai Neagu, a virus researcher at BitDefender.

"It seems, by the sheer amount of the first version that got sent through networks at this point, that many users will inadvertently cause a new major outbreak." 

Security software developer Kaspersky Labs claims that Mydoom.b is scheduled to launch a DoS attack between 1 and 12 February on both and 

"Our analysts believe that Mydoom.b is probably using machines infected by the original Mydoom, which could mean as many as 600,000 units," Kaspersky Labs said.

"These infected computers may have received a command to send out copies of Mydoom.b. Therefore, the computer community may be facing a much more serious outbreak than the one caused by Mydoom.a on 27 January."

Linda Rosencrance writes for Computerworld
