New MyDoom version begins rampage
- By William Jackson
- Feb 09, 2004
A new version of the MyDoom virus is spreading in the wild, according to security consultancy iDefense Inc.
The new worm, MyDoom.c or DoomJuice, spreads over network connections to an open port on computers already infected by earlier versions of the worm. It appears to correct a coding error in the last version of the worm and launch an attack against Microsoft Corp.'s Web site, said Ken Dunham, director of malicious code for iDefense of Reston, Va.
'MyDoom.c is now launching a distributed denial-of-service attack against microsoft.com,' Dunham said. 'If it becomes widespread, microsoft.com will likely become unavailable.'
MyDoom appeared last month. Spreading by e-mail, it quickly infected 800,000 computers worldwide. It mass-mailed itself to new targets, launched a denial-of-service attack against SCO Group Inc. of Lindon, Utah, and installed a back door in infected computers, opening TCP Port 3127.
A subsequent version, MyDoom.b, appeared within two days, programmed to launch an attack against Microsoft, but it did not gain the ground of its parent and had no serious impact on Microsoft's site. The code in the two initial versions of the worm appears to cease attacks on Feb. 12, although if their penetration goes unnoticed, they leave Port 3127 open to other attacks.
The latest version spreads to computers listening on Port 3127. Once inside, Version C executes, creates a copy of itself in the Windows System directory and begins scanning for new targets.
'The source code for MyDoom.a is copied to the local drive when MyDoom.c is executed,' Dunham said. 'This will undoubtedly encourage new MyDoom-like worms to emerge in the future.'
Analysis of the worm is continuing, but the new version appears to include source code from MyDoom.a, fixes a buggy date comparison problem for MyDoom worms, does not have a back-door component and has no kill date, Dunham said.
The worm could mark a trend for the coming year.
'Get ready for noisy e-mail worms in 2004,' he said. 'We are going to see a lot more of MyDoom and similar worms that generate a high volume of e-mail and disrupt the Net at large.'
William Jackson is a Maryland-based freelance writer.