Mark Carey

Third version of Mydoom has a surprise

As published by MSNBC.com:

Third version of Mydoom has a surprise
Author encourages copycats, attacks Microsoft again

By Bob Sullivan
Technology correspondent
MSNBC
Updated: 6:34 p.m. ET Feb. 09, 2004

A third version of the Mydoom virus was found by a virus researcher over the weekend, but this one only threatens computers already infected by the first Mydoom.

The new virus -- also being called "Doomjuice" by researchers -- doesn't spread via e-mail, so Internet users are unlikely to encounter it. It only attacks machines already infected with Mydoom, via the backdoor left by the original worm, said Joe Stewart of Lurhq Corp., who found the new worm on Sunday.

Stewart said consumers had little to fear from the new worm. "In terms of getting this on your system, you don't have to worry about it unless you are already infected, in which case, you already have problems," Stewart said.

Nevertheless, it is spreading, worming its way around the Internet in the background, said Vincent Gullotto, virus researcher with Network Associates Inc. He believes some 50,000 to 100,000 computers are still infected by the original Mydoom, and will likely be found and infected by the new Mydoom in the next week or two. He said the firm has trapped 10 copies of Mydoom.C on computers designed to catch new worms, but no customers had reported infections.

The new worm no longer attempts to attack The SCO Group, as the first two variations of the worm did, but instead focuses all its energy on attacking Microsoft.com. Unlike its predecessors, the new Mydoom's denial of service attack is not set to expire.

Leaves behind source code
But the worm has a characteristic that disturbs virus researchers. With each infection, the new worm places a copy of the original Mydoom source code on the infected machine's hard drive. Researchers can only speculate on the reason -- perhaps to obfuscate the trail of researchers trying to hunt down the author, according to Mikko Hypponen at F-Secure Corp.

"The authors know the police [are] looking for them. And the best evidence against them would be the possession of the original source code of the virus," Hypponen said. "Before the Doomjuice incident, only the authors of Mydoom.A had the original source code. Now probably tens of thousands of people have it on their hard drive without knowing it."

Whatever the motivation, the ready availability of the virus source code -- which had been unavailable to this point -- is certain to encourage copycats to create additional variants of the worm, Gullotto said.

"We'll see more variants, it's all but certain now," he said.

Because of the similarity in programming styles, Stewart said he was convinced Mydoom.C was written by the same person or same group of programmers that authored the original.

"This could possibly be the end of his or her spreading of it," Stewart said. "He's almost saying, 'Hey, I'm done with this. Someone else run with it.' You don't find virus authors sharing their source code."

Posted by Mark at February 10, 2004 12:45 PM | TrackBack
