Zindos capitalises on MyDoom.O infections

Anti-virus companies have issued warnings and software updates for a new internet worm, dubbed Zindos, which infects machines already compromised by the MyDoom.O worm and launches an attack on Microsoft's website.

Zindos.A takes advantage of an open back door in Windows machines which contracted the MyDoom.O worm.

While the worm has not knocked Microsoft's website offline and is not considered a serious threat by most anti-virus suppliers, the ease with which it spread raises questions about the ability of virus authors to control and plant malicious programs on machines infected by their creations, said Graham Cluley, senior technology consultant at antivirus company Sophos.

The Zindos worm spreads through TCP (Transmission Control Protocol) port 1034, which was opened by a Trojan horse program called Zincite that MyDoom.O deposited on Windows machines it infected, according to anti-virus company Symantec. 

MyDoom.O, referred to by some anti-virus companies as MyDoom.M, is the 15th variant of the original MyDoom worm, which ravaged the internet in January.

Zindos can infect Windows machines without any interaction from the computer user, modifying the configuration of Windows so that the worm is started along with the Windows operating system. Once installed, Zindos begins searching for other MyDoom-infected machines to send copies of itself to, Symantec said. 
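The propagation pattern described above (an infected host probing many other machines on TCP port 1034, the port opened by MyDoom.O's Zincite back door) is something a network defender can look for in perimeter firewall logs. The following script is an added example, not code from the article or from any anti-virus vendor; it parses a constructed, simplified log format (timestamp, action, src:port -> dst:port, protocol) that records both directions of a flow, flags hosts contacting an unusual number of distinct peers on port 1034 (Zindos-style scanning), and lists hosts seen answering from port 1034 (a sign the Zincite back door is actually listening there).

```python
import re
from collections import defaultdict

# TCP port opened by the Zincite component that MyDoom.O dropped on infected machines
ZINCITE_PORT = 1034

# Constructed sample log lines (not from the article); the format is an assumption
SAMPLE_LOG = """\
2004-07-27T10:00:01 ALLOW 10.0.0.5:3201 -> 10.0.0.9:1034 TCP
2004-07-27T10:00:02 ALLOW 10.0.0.5:3202 -> 10.0.0.10:1034 TCP
2004-07-27T10:00:02 DROP 10.0.0.5:3203 -> 10.0.0.11:1034 TCP
2004-07-27T10:00:03 ALLOW 10.0.0.5:3204 -> 10.0.0.12:1034 TCP
2004-07-27T10:00:03 ALLOW 10.0.0.5:3205 -> 10.0.0.13:1034 TCP
2004-07-27T10:00:04 ALLOW 10.0.0.7:4401 -> 10.0.0.9:1034 TCP
2004-07-27T10:00:05 ALLOW 10.0.0.8:4402 -> 10.0.0.20:80 TCP
2004-07-27T10:00:06 ALLOW 10.0.0.9:1034 -> 10.0.0.5:3201 TCP
"""

LINE_RE = re.compile(
    r"^(\S+) (ALLOW|DROP) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (\w+)$"
)


def parse_events(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, action, src, sport, dst, dport, proto = m.groups()
        yield {"ts": ts, "action": action, "src": src, "sport": int(sport),
               "dst": dst, "dport": int(dport), "proto": proto}


def analyse(log, scan_threshold=3):
    """Return (scanners, responders).

    scanners:   {src_ip: number of distinct hosts it contacted on TCP/1034},
                only for sources at or above scan_threshold (dropped attempts count too,
                since the probing itself is the Zindos behaviour of interest).
    responders: set of hosts seen sending traffic *from* TCP/1034, i.e. hosts where
                the Zincite back door appears to be listening and answering.
    """
    targets_by_src = defaultdict(set)
    responders = set()
    for ev in parse_events(log):
        if ev["proto"] != "TCP":
            continue
        if ev["dport"] == ZINCITE_PORT:
            targets_by_src[ev["src"]].add(ev["dst"])
        elif ev["sport"] == ZINCITE_PORT and ev["action"] == "ALLOW":
            responders.add(ev["src"])
    scanners = {s: len(t) for s, t in targets_by_src.items() if len(t) >= scan_threshold}
    return scanners, responders
```

Hosts in `responders` are candidates for MyDoom.O clean-up, and hosts in `scanners` for Zindos clean-up; in a stateful firewall that logs only the first packet of a flow, the responder check will need a host-side listener inventory instead.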

Zindos has not infected many of Sophos' corporate customers, which were also spared the worst of MyDoom.O. However, the worm may be causing more problems among home users with broadband internet connections who lack firewall or anti-virus software, Cluley said.

Sophos experts believe that the MyDoom author created Zindos and that the follow-on infection may have been planned all along.

"There are similarities in the code," he said. "And, the way MyDoom opened the back door on computers, other viruses would have to know the right password to be able to use it - it's like knowing the right knock on the door to get into the private casino."

The MyDoom author has shown hostility to Microsoft in the past, Cluley observed. MyDoom.B, the worm's second version, also contained a preprogrammed denial-of-service attack against the software maker.

The Zindos worm also indicates the thriving interest among virus writers in building armies of compromised computers, or 'bots, which can be used to launch attacks or sold to others for spam distribution or other nefarious purposes, Cluley said.

"Owning a large network of zombie computers is a very powerful and rather valuable resource to have," he said.

Anti-virus companies advised customers to update their anti-virus software to obtain signatures that can spot Zindos, but only customers who have been hit by the latest MyDoom worm need to be concerned about this new worm, Cluley said.

Those affected by that worm should remove it from their computer and install antivirus software and a firewall to keep from being victimised by Zindos, too, he said.

Paul Roberts writes for IDG News Service