Another MyDoom Worm Targets Already-Infected Machines

A new MyDoom worm targets already-infected machines, conducts yet another denial of service attack on microsoft.com, but unlike its predecessors, has no shut-off date.

Gregg Keizer, Contributor

February 10, 2004

4 Min Read
InformationWeek logo in a gray background | InformationWeek

Just days after an analyst warned enterprises to purge their systems of the original MyDoom worm, confirmation of the advice came with the arrival Monday of another variant that targets already-infected machines, conducts yet another denial of service attack on microsoft.com, and unlike its predecessors, has no shut-off date.

Security intelligence firm iDefense first captured MyDoom.c--a.k.a. "SyncZ" and "Doomjuice"--early Monday, said Ken Dunham, the company's director of malicious code research. The new variation, the second such copycat, spreads by scanning for computers on a network which are listening on TCP port 3127, a port opened by the original MyDoom.

When it finds an infected computer--worldwide estimates range as high as half a million machines--MyDoom.c uploads a copy of itself to the computer to re-infect the PC with a new, more persistent version.

"Early analysis of MyDoom.c indicates that this last variant is a very aggressive denial-of-service (DoS) attack worm," said Dunham in an e-mail to TechWeb. "If so, with no kill date, this worm could cause significant problems for DoS targets over the next few months."

MyDoom.c targets microsoft.com, said Dunham, who noted that the Redmond, Wash.-based developer's host name is embedded in the worm's code. If the date is between the first and the 11th of the month, MyDoom.c attacks microsoft.com with a single GET command over Port 80, then waits at various intervals before repeating. If the date is the 12th of later, however, it continually attacks Microsoft's Web site.

"Microsoft.com will likely be hit with an increased number of GET requests today," said Dunham, "with many more on the 12th and following. This correlates to the kill date for MyDoom.a, which attempted to kill itself on the 12th."

MyDoom.c differs from its predecessors in that it doesn't sport an automatic self-termination date. The original MyDoom--now typically tagged as MyDoom.a--included a February 12, 2004 "kill date."

Nor does MyDoom.c spread through methods used by MyDoom.a or the first variant, MyDoom.b: it doesn't rely on either e-mail or the KaZaA file-sharing network to propagate, instead using its constant scanning for already-infected computers.

The one glimmer in MyDoom.c is that it lacks a backdoor component, which MyDoom.a/b snuck into compromised machines. Such backdoors are used by attackers to install other malicious code to MyDoom-infected computers, often with the idea of using them as proxies to deliver spam or conduct additional DoS attacks.

MyDoom.c is dangerous, said Dunham, because of its sly nature--it doesn't arrive as an e-mail attachment, a tactic that can be defeated simply by not opening the file--and the large numbers of MyDoom-infected computers. "It has the potential of spreading to 500,000 or more computers easily in the first week," he said.

"MyDoom.c is now launching a DoS attack against Microsoft.com. If it becomes widespread Microsoft.com will likely become unavailable," he said.

That didn't happen Monday, although the site's responsiveness definitely took a hit.

Web monitoring firm AlertSite early Monday noted a dramatic fall-off in the performance of microsoft.com, said Ken Godskind, the company's vice president of marketing. "At 6 a.m. Eastern, the site's performance was three times slower than normal," he said. The site's responsiveness dipped during the next hour to six times slower than usual before rebounding between the hours of 9 a.m. and 10 a.m. "Whatever Microsoft did, they stopped it dead around then," Godskind added.

According to AlertSite's monitors, for a short time microsoft.com was available only about 70 percent of the time.

Last week, Martin Reynolds, an analyst with Gartner, recommended that enterprises and consumers immediately take steps to cleanse their computers of all evidence of MyDoom. "The threat will not end until the MyDoom executable has been removed from all infected PCs," he said in a statement last week.

MyDoom's infection vector is similar to that used by 2003's damaging MSBlast, which also avoided e-mail as a propagation technique, and instead directly attacked vulnerable systems by scanning ports and copying itself to vulnerable machines.

As of mid-morning Monday, few of the major anti-virus firms had updated their definition files to account for the new MyDoom variation. Symantec was among the few that had produced updates.

MyDoom.c can affect systems running Windows 95, Windows Me, Windows 2000, Windows NT, Windows XP, and Windows Server 2003

Read more about:

20042004

About the Author

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights