MyDoom worm leaves a legacy
- By William Jackson
- Feb 06, 2004
After their initial rampage, the MyDoom or Novarg worms have slowed down but may haunt the Internet for some time to come.
Although most federal systems were untouched, on infected systems the worm and its variants opened a back door by listening on a TCP port of each compromised computer. Hackers can exploit those doors long after the worms have stopped spreading.
'We've seen about 5,000 IP addresses scanning' for a back door, said David Loomstein, group product manager of the security response team at Symantec Corp. of Cupertino, Calif. There's no certainty yet who is doing the scanning or why, Loomstein said.
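To show the "scanning for a back door" Loomstein describes from the defender's side, here is an added example that is not from the article or from Symantec: it reads constructed firewall log lines and separates external sources probing many internal hosts on a worm back-door port from the internal hosts that were actually reached on that port. The port number, the log format and the log lines are assumptions made for the illustration.

```python
from collections import defaultdict

BACKDOOR_PORT = 3127   # assumed back-door port; take the real value from your AV vendor's advisory
SCAN_THRESHOLD = 3     # distinct internal targets before a source is reported as a scanner
# Constructed firewall log lines: "<timestamp> <action> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2004-02-01T10:00:01 DENY 198.51.100.7:51012 -> 10.0.0.5:3127
2004-02-01T10:00:02 DENY 198.51.100.7:51013 -> 10.0.0.6:3127
2004-02-01T10:00:02 DENY 198.51.100.7:51014 -> 10.0.0.7:3127
2004-02-01T10:00:03 ALLOW 198.51.100.7:51015 -> 10.0.0.8:3127
2004-02-01T10:00:05 ALLOW 203.0.113.9:40001 -> 10.0.0.5:80
2004-02-01T10:00:06 DENY 203.0.113.9:40002 -> 10.0.0.5:3127
"""

def parse_line(line):
    """Return (action, src_ip, dst_ip, dst_port) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    action, src, dst = parts[1], parts[2], parts[4]
    try:
        src_ip, _ = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        return action, src_ip, dst_ip, int(dst_port)
    except ValueError:
        return None

def find_backdoor_scanners(log_text, port=BACKDOOR_PORT, threshold=SCAN_THRESHOLD):
    """Return (scanners, reached): sources that probed >= threshold distinct hosts on `port`,
    mapped to their sorted targets, and hosts the firewall let a connection through to on `port`."""
    targets_by_src = defaultdict(set)
    reached = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        action, src_ip, dst_ip, dst_port = rec
        if dst_port != port:
            continue
        targets_by_src[src_ip].add(dst_ip)
        if action == "ALLOW":
            reached.add(dst_ip)   # a host reachable on the back-door port deserves a cleanup check
    scanners = {s: sorted(t) for s, t in targets_by_src.items() if len(t) >= threshold}
    return scanners, sorted(reached)

if __name__ == "__main__":
    scanners, reached = find_backdoor_scanners(SAMPLE_LOG)
    print("sources scanning for the back door:", scanners)
    print("hosts reached on the back-door port:", reached)
```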
MyDoom, which appeared Jan. 26, quickly became one of the most successful e-mail worms in history. It spread by generating mail to addresses harvested from infected computers. But it contained instructions to avoid sending to .gov and .mil domains, apparently to avoid unwanted federal attention.
Targeting SCO, Microsoft
In addition to the back-door code, the original worm also carried instructions to launch a denial-of-service attack against the Web site of SCO Group Inc. of Lindon, Utah, on Feb. 1. A MyDoom.b variant was programmed to attack the Microsoft Corp. site on Feb. 3.
The SCO site fell under the attack traffic. An alternate site, www.thescogroup.com, will remain online until at least Feb. 12, when the MyDoom attacks are expected to stop.
The Microsoft attack never got up much steam, although security analysts reported some speed degradation at www.microsoft.com.
Microsoft has a distributed system for serving Web content, however, so it is more resistant to denial-of-service attacks. Also, the MyDoom.b variant targeting it never became as widespread as the original worm.
Time also was on Microsoft's side. By Feb. 1, the cleanup of infected machines had begun to outpace the rate of new infections.
Initially there were up to 800,000 infections per day, but that figure dropped to 200,000 a day by Feb. 1, said Vincent Gullotto, vice president of the antivirus emergency response team at Network Associates Inc. of Santa Clara, Calif.
William Jackson is a freelance writer and the author of the CyberEye blog.