ZDNet UK


MyDoom mutation attacks Microsoft

Published: 29 Jan 2004 09:50 GMT

A new version of the mass-mailing MyDoom virus has hit the Net, aiming data attacks at Microsoft's Web site and interfering with an infected PC's ability to access downloadable security-software updates, antivirus companies said on Wednesday.

"We are trying to understand [what the virus' authors are doing], but they are basically trying to stop people from going to security sites," said Sharon Ruckman, senior director for security response at security software maker Symantec.

MyDoom.B, the second version of the virus, is already spreading around the Internet, Ruckman said. It includes some changes to the email that carries the virus, including new subject lines and a message that mimics an error from Sendmail software, a common email gateway server.

The MyDoom virus, also referred to as a worm, started spreading on Monday and has swamped companies with a large number of email messages that appear to be errors returned from a mail server.

The virus-laden emails have an attachment that, when opened, installs a program on the victim's computer that opens up a software "back door." Attackers can then bypass the PC's security and turn the infected system into a "bounce point" for any network-based attack.

Both versions of the virus are also programmed so that infected PCs will send data to the main Web server of the SCO Group between 1 February and 12 February. The SCO Group has incurred the wrath of the Linux community for its claims that important pieces of the open-source operating system are covered by SCO's Unix copyrights. IBM, Novell and other Linux backers strongly dispute the claims.

On Tuesday, SCO offered a $250,000 (£136,563) bounty for information leading to the conviction of the person responsible for the MyDoom epidemic. Microsoft, which has offered similar bounties for information leading to the conviction of those responsible for the MSBlast worm and the Sobig.F virus, hasn't yet stated whether it will offer a reward related to MyDoom.

"This is all breaking fairly quickly, so we are focused on getting a grip on the technical issues," said Christopher Budd, security program manager for Microsoft's product support services. "As far as the applicability of our virus rewards program, we will look at that when we get this contained and understood."

The new version of the virus prevents PC users from going to security sites and could block some antivirus software from getting the latest updates. The new virus adds a file to the infected computer that tells it where to look for certain Internet addresses. Among the addresses are F-Secure's update site, Symantec's update site and Microsoft's downloads site.

Symantec confirmed that its users may have to delete the file before they can update their antivirus software, while Microsoft was still investigating the effect on Windows users.

"It will impede access to some Web sites, but we are investigating the issue," said Microsoft's Budd.

F-Secure has other ways of getting its software updated and so should not be affected by the issue, said Tony Magallanez, systems engineer with the Finnish antivirus company.

"In our software we have ways of circumventing that problem," Magallanez said. "We have multiple ways of updating the program and our software will fail-over to the alternate methods."

Symantec, F-Secure and other antivirus companies are currently analysing the new mass-mailing virus.
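
The blocking technique described above relies on a local file that overrides where the PC looks for certain Internet addresses. The following Python is an added example, not from the article or any vendor: it audits such a file for entries covering update and download sites, assuming the file uses the standard hosts-file format. The watched names and the sample entries are constructed placeholders.

```python
import ipaddress

# Constructed watchlist: placeholder names standing in for the update and
# download sites an organisation depends on (not the names MyDoom.B used).
WATCHED = ("update.av-vendor.example", "downloads.os-vendor.example")

def parse_hosts(text):
    """Yield (line_no, address, hostname) for each mapping in hosts-format text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed line, not a mapping
        for name in fields[1:]:
            yield line_no, addr, name.lower().rstrip(".")

def is_watched(name, watched=WATCHED):
    """True if name is a watched site or a subdomain of one."""
    return any(name == w or name.endswith("." + w) for w in watched)

def audit_hosts(text, watched=WATCHED):
    """Return findings for watched names that a local override redirects."""
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if not is_watched(name, watched):
            continue
        # Loopback or unspecified addresses make the site unreachable outright.
        blackholed = addr.is_loopback or addr.is_unspecified
        findings.append({"line": line_no, "host": name, "address": str(addr),
                         "effect": "blocked" if blackholed else "redirected"})
    return findings

# Constructed sample of a tampered file, for illustration only.
SAMPLE = """\
127.0.0.1   localhost
0.0.0.0     update.av-vendor.example   # constructed entry
0.0.0.0     WWW.Downloads.OS-Vendor.example
192.0.2.10  intranet.corp.example
203.0.113.7 update.av-vendor.example.
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE):
        print(f"line {f['line']}: {f['host']} -> {f['address']} ({f['effect']})")
```

Any finding for a watched name deserves investigation, since a legitimate machine rarely needs a local override for a vendor's update site.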
