MyDoom Variant Emerges, Targets Microsoft
Wed January 28, 2004 02:38 PM ET
A variant of the MyDoom worm has emerged as the most devastating virus since last summer, and is likely to target Microsoft Corp.'s (MSFT.O: Quote, Profile, Research) Web site, security experts said on Wednesday.
Since appearing earlier this week, the worm, also dubbed Novarg or Shimgapi, has infected computers across the globe by enticing users to open a file attachment that releases a program that potentially allows other attackers to gain unauthorized access.
The financial damage from the virus-like program -- from network slowdown to lost productivity -- is already being measured in the billions of dollars, according to anti-virus vendors.
The latest version of the worm is designed to flood Microsoft's Web site with requests for information in an attempt to bring it down, experts said on Tuesday. This strategy is similar to that of the first version, which targeted the Web site of the SCO Group Inc. (SCOX.O: Quote, Profile, Research) , the small software maker suing International Business Machines Corp. (IBM.N: Quote, Profile, Research) over the use of code for the Linux operating system, they noted.
"It's interesting in that it potentially has a denial of service attack on Microsoft," said Jimmy Kuo, a researcher at Network Associates Inc.'s (NET.N: Quote, Profile, Research) McAfee anti-virus unit.
Kuo said that it was difficult to tell whether the variant, called "MyDoom.b," was spreading across the Internet, or "in the wild." So far, anti-virus companies have received and analyzed the variant from only a few sources.
The MyDoom variant appeared to have other similar aspects to the first version, in that it exempts e-mail address for government agencies, some universities, and other computer security companies, including Symantec Corp. (SYMC.O: Quote, Profile, Research)
Computers running any of the latest versions of Microsoft's Windows operating system e-mail program are at risk of being infected, although the worm doesn't exploit any flaws in Windows or software.
Instead, MyDoom is designed to entice the recipient of an e-mail to open an attachment with an .exe, .scr, .zip or .pif extension.
Since the worms often appear as error messages from "Mail Administrators" and other official-looking addresses, many inevitably open an attachment after finding minimal information in the message. Users who receive the worm and simply ignore or delete it will be able to avoid any damage.
In response to the worm's targeting its Web site, SCO offered a $250,000 reward for "information leading to the arrest and conviction of those responsible for this crime." SCO has drawn the ire of many Linux advocates for its claims that Linux software includes copyrighted code from the Unix operating system.
The attacks from infected computers on SCO and Microsoft are scheduled to begin on Feb. 1 and continue to Feb. 12.