MyDoom Sequel Has A TwistMyDoom Sequel Has A Twist

Antivirus and Internet security firms are warning of a new variant to the MyDoom worm, and this time the author has it wired to not only launch a denial-of-service attack against SCO Group Inc.'s Web site on Super Bowl Sunday, but against Microsoft.com as well.

The new variant, known as MyDoom.B, began to appear late Tuesday. Its threat level was raised by many antivirus companies from low risk to medium risk by Wednesday afternoon.

While MyDoom.B is similar to the earlier version--aside from its adding Microsoft to its denial-of-service list--it also attempts to block users from being able to access 65 Web sites run by antivirus and security companies, security firm iDefense Inc. says in an advisory.

IDefense's advisory also theorizes that the new version may be using computers infected with MyDoom.A to help itself spread.

The trend of virus writers tweaking viruses and worms to quickly produce new, more-destructive variants is gaining momentum. In the fall, the MiMail.c worm wreaked havoc on Internet users; it was largely based on the MiMail worm that appeared in August. And the Sobig worm, ranked before MyDoom as the most virulent Internet worm ever, packed a nasty one-two punch against computer systems in August and September.

The most dangerous aspect of this MyDoom outbreak, experts warn, is that many users, especially home and small-business users, may neglect to clean the Trojan horse that MyDoom inserts into infected systems. This Trojan horse could potentially be used by any hacker--not just the author or authors of MyDoom--to take control of infected systems. "The possibility exists that users will just update their antivirus signatures and not clean this off of this systems, exposing themselves and others to further attack," says John Pescatore, a research director at Gartner.

The MyDoom.B variant began striking just after antivirus firms had started to see a drop in activity surrounding MyDoom.A. According to Symantec Security Response, the submission level of MyDoom.A leveled at about 80 submissions every hour by early Wednesday, then nearly doubled to up to 140 submissions per hour by the afternoon.

Also, secure E-mail services provider MessageLabs is reporting that it has intercepted more than 3 million E-mails carrying the worm, but the infection rate had peaked Tuesday at one in every 12 E-mails the firm scans.

More advice on defending against MyDoom is available at our Security Pipeline.

Perhaps the best advice in thwarting MyDoom-style mass-mailer worms, aside from running antivirus software at the desktop and E-mail gateway, is ongoing user-awareness training.

One midsize manufacturing company said that it managed to avoid widespread infection by strictly adhering to solid E-mail security policies. But the few times infections got through proved frustrating, if not humorous. These were because of user gaffes, rather than security technology shortcomings. According to a security pro at the company, one employee called for IT support after she attempted to open an E-mail infected with MyDoom.A. She complained, "It didn't do anything after I clicked on the attachment the first or even second time."