MyDoom.B Causes Microsoft Problems
- By Scott Bekker
- February 09, 2004
Although Microsoft enjoyed early success in fending off the distributed denial of service attack programmed into the fast-spreading MyDoom.B, the mass-mailing worm is inflicting an increasing amount of damage against the software giant's servers.
MyDoom.B was programmed to begin attacking Microsoft.com on Feb. 3. The original version infected computers and then targeted the SCO Group with a DDoS that was almost immediately successful in taking out SCO's main sites, which remain down.
With a number of countermeasures, Microsoft was able to keep its sites performing at near normal levels through most of last week. But MyDoom.B, which "upgrades" computers infected with MyDoom.A and presses them into its attack against Microsoft, gained ground over the weekend.
"MyDoom is still out there and spreading. It has picked up momentum in the last 48 hours once again. This is a dangerous global epidemic. There are over a million computers still infected that have their backdoors open and they are being upgraded to MyDoom.B which targets Microsoft," DK Matai, executive chairman of the U.K.-based security firm mi2g, said in a statement on Monday.
Researchers at Netcraft recorded a five-hour outage of Microsoft's site on Sunday afternoon and are continuing to record spotty performance at the site. The attacks are scheduled to last until March 1. Users who urgently need information from Microsoft's site and are having problems can access a backup site Microsoft created at https://information.microsoft.com. Microsoft, like SCO, has offered a $250,000 reward for information leading to the arrest and conviction of the MyDoom authors.
In a move that both helps customers and potentially shrinks the pool of infected machines from which the MyDoom DDoS can target Microsoft, the company on Thursday posted a MyDoom removal tool.
The 109 KB tool checks for MyDoom.A and MyDoom.B infections and removes the worms if they're present. It also gives users infected with MyDoom.B a fresh "hosts" file and sets the "read-only" attribute on that file, because the worm variant tampers with the hosts file to block access to Microsoft and anti-virus sites, an effort to keep users from downloading fixes.
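The hosts-file tampering described above is easy to check for on any machine. The following is an added example, not Microsoft's tool or code from the article: it parses a hosts file and reports any entry that pins a watched security-related domain, distinguishing entries that sinkhole the domain (loopback or 0.0.0.0) from entries that redirect it elsewhere. The sample hosts content and the watchlist domains (including the placeholder `av-vendor.example`) are constructed for the example; a real deployment would use its own list of update and vendor domains.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample hosts file modelled on the tampering the article describes:
# security-related domains pinned so they can no longer be reached.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         www.microsoft.com microsoft.com
0.0.0.0         support.microsoft.com
0.0.0.0         av-vendor.example        # constructed placeholder for an AV site
192.168.1.10    intranet.corp.example    # legitimate local entry, not flagged
"""

# Assumed watchlist (av-vendor.example is a placeholder); tune per organisation.
WATCHLIST = ("microsoft.com", "av-vendor.example")

# Addresses that make a name unreachable rather than redirecting it.
SINKHOLE_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "0.0.0.0/8", "::1/128")]


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (address, hostname, line_no) for every mapping; comments and blanks skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only, or malformed (address with no hostname)
        for host in fields[1:]:  # one address may map several names
            entries.append((fields[0], host.lower(), line_no))
    return entries


def watched(host: str) -> bool:
    """True if host is a watchlist domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def find_hijacked_entries(text: str) -> List[Tuple[str, str, int, str]]:
    """Flag watched domains present in the hosts file, labelled 'blocked' or 'redirected'."""
    hits = []
    for addr, host, line_no in parse_hosts(text):
        if not watched(host):
            continue
        try:
            blocked = any(ipaddress.ip_address(addr) in net for net in SINKHOLE_NETS)
        except ValueError:
            blocked = True  # an unparsable address also breaks resolution
        hits.append((addr, host, line_no, "blocked" if blocked else "redirected"))
    return hits


if __name__ == "__main__":
    for addr, host, line_no, kind in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {addr} ({kind})")
```

A clean hosts file should contain no entries for such domains at all, so any hit is worth investigating, whichever label it carries.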
As it comes from Microsoft, the tool naturally requires the user to accept an end user license agreement before running. The removal tool only works on Windows XP and Windows 2000. It is available at http://support.microsoft.com/?kbid=836528. Removal tools have been available from several anti-virus vendors since early in the outbreak. Unlike Microsoft's tool, some of those check for common worms and trojans other than MyDoom.
Scott Bekker is editor in chief of Redmond Channel Partner magazine.