Security threats Toolkit

MyDoom trail traces back to single author

Tags:
Network Associates,
Andy,
Author,
Virus

Published: 03 Feb 2004 08:50 GMT

The two versions of the MyDoom virus may have the same parent, according to a security researcher.

The name "andy", which was left in the code by the author of the MyDoom virus, links the original program released a week ago with the B variant sent out two days later, Jimmy Kuo, McAfee fellow for security company Network Associates, said on Monday.

Other hints, including numbers that appear to designate the version of the program, indicate that the fast-spreading virus was created by a professional programmer.

"It looks like what someone would write when they check in source code," said Kuo, who has been researching the virus. "The interpretation is that 'andy' is the person checking the code in."

In addition, the author left a message in the second version of the virus for those with PCs infected with the program: "I'm just doing my job, nothing personal, sorry."

The MyDoom virus, also referred to as a worm, started spreading last Monday and has swamped corporate systems worldwide with a large number of email messages that appear to be errors returned from a mail server.

The virus-laden emails have an attachment that, when opened, installs a program on the victim's computer, in order to open up a software "back door." The attacker can then bypass the PC's security and turn the affected system into a "bounce point" for any network-based attack.

The first MyDoom is programmed so that infected computers will send data to the main Web server of the SCO Group between 1 February and 12 February. The second version of MyDoom is set to strike Microsoft's main Web site between 3 February and 1 March, in addition to hitting SCO. (The SCO Group has incurred the wrath of the Linux community for its claims that important pieces of the open-source operating system are covered by SCO's Unix copyrights. IBM, Novell and other Linux backers strongly dispute the claims.)

While some researchers believe the MyDoom code may have originated in Russia, it's almost impossible to pin down Patient Zero -- the first infected computer -- or the person actually released the virus, Kuo said.

Further analysis indicates that there may be some good news for Microsoft, Kuo said. A programming error in the virus may mean that, starting from Tuesday, only 7 percent of PCs infected with the B variant will actually attack Microsoft at the same time.

"We think that... 7 percent won't be that large a number," Kuo said.