pl.net mydvar 29-1-2004

Posted on 29-10-2004

MyDoom variant emerges, targets Microsoft

A variant of the MyDoom worm has emerged as the most devastating virus since last summer, and is likely to target Microsoft Corp.'s website, security experts said today.

Since appearing earlier this week, the worm, also dubbed Novarg or Shimgapi, has infected computers across the globe by enticing users to open a file attachment that releases a program that potentially allows other attackers to gain unauthorised access.

The financial damage from the virus-like program -- from network slowdown to lost productivity -- is already being measured in the billions of dollars, according to anti-virus vendors.

The latest version of the worm is designed to flood Microsoft's website with requests for information in an attempt to bring it down, experts said on Tuesday. This strategy is similar to that of the first version, which targeted the website of the SCO Group Inc., the small software maker suing International Business Machines Corp. over the use of code for the Linux operating system, they noted.

"It's interesting in that it potentially has a denial of service attack on Microsoft," said Jimmy Kuo, a researcher at Network Associates Inc.'s McAfee anti-virus unit.

Kuo said that it was difficult to tell whether the variant, called "MyDoom.b," was spreading across the internet, or "in the wild." So far, anti-virus companies have received and analysed the variant from only a few sources.

The MyDoom variant appeared to have other similar aspects to the first version, in that it exempts e-mail address for government agencies, some universities, and other computer security companies, including Symantec Corp.

Computers running any of the latest versions of Microsoft's Windows operating system e-mail program are at risk of being infected, although the worm doesn't exploit any flaws in Windows or software.

Instead, MyDoom is designed to entice the recipient of an e-mail to open an attachment with an .exe, .scr, .zip or .pif extension.

Since the worms often appear as error messages from "Mail Administrators" and other official-looking addresses, many inevitably open an attachment after finding minimal information in the message. Users who receive the worm and simply ignore or delete it will be able to avoid any damage.

In response to the worm's targeting its website, SCO offered a $250,000 reward for "information leading to the arrest and conviction of those responsible for this crime." SCO has drawn the ire of many Linux advocates for its claims that Linux software includes copyrighted code from the Unix operating system.

The attacks from infected computers on SCO and Microsoft are scheduled to begin on Feb. 1 and continue to Feb. 12.