News

MyDoom Gets Worse

• By Scott Bekker
• January 29, 2004

The new variant, called MyDoom.B or Novarg.B, is also a mass-mailing worm but contains a few nasty twists. Like MyDoom.A, the variant harvests e-mail addresses from various places, loads a backdoor program that allows outsiders to connect to a TCP port and adds a registry entry to enable it to run at startup. But the new version also can propagate through the Kazaa file sharing service and it attempts to prevent the computer from connecting to dozens of security Web sites that potentially have fixes for the worm.

Another change in MyDoom.B: it apparently doesn't target SCO Group Inc.'s Web site for a Denial-of-Service attack starting on Feb. 1, it targets Microsoft's site instead.

Malware researchers at the U.K.-based outfit mi2g declared on Thursday that the two versions of MyDoom combined to become the second-most damaging instance of malware yet recorded. The digital risk firm estimated the damage at nearly $23 billion from loss of business, bandwidth clogging, productivity erosion, management time reallocation and cost of recovery.

According to mi2g, MyDoom now trails only Sobig ($37 billion) for the title of worst malware by economic damage. The damage estimate is a big change after mi2g estimated the damage as relatively steady at $3 billion on Wednesday prior to the B variant's emergence.

Although the original MyDoom outbreak was the fastest-spreading computer virus yet, many corporate users experienced relatively few problems in Round One because their networks had been set up to screen questionable attachment types in the wake of Sobig and other late summer attacks. But some organizations were extremely worried about some of the new infection methods engineered into MyDoom.B.

"I see the ability to replicate as Kazaa as a bigger threat to us because we have no real method in place for preventing users from using Kazaa at the moment. Due to 'academic freedom' we have not blocked the use of Kazaa at the network level," said a server administrator at a U.S. university.

Meanwhile, Web server research outfit Netcraft raised interesting questions on Wednesday about SCO's ability to cope with the expected DoS attack from MyDoom.A. Microsoft has skated through similar attacks in the past by turning to content distribution networks to help host Microsoft.com. Microsoft has been willing to use Akamai, resulting in its pages being served by Linux machines on Akamai's networks.

Netcraft points out that SCO's ability to turn to a CDN for relief may be impaired by its major intellectual property litigation against Linux. The three largest CDN providers are Akamai, Cable & Wireless and Speedera and all make extensive use of Linux, according to Netcraft.

Stephen Swoyer contributed to this report.