January 28, 2004 12:12 PM PST
MyDoom variant targets Microsoft
"We are trying to understand (what the virus' authors are doing), but they are basically trying to stop people from going to security sites," said Sharon Ruckman, senior director for security response at security software maker Symantec.
MyDoom.B, the second version of the virus, is already spreading around the Internet, Ruckman said. It includes some changes to the e-mail that carries the virus, including new subject lines and a message that mimics an error from Sendmail software, a common e-mail gateway server.
The MyDoom virus, also referred to as a worm, started spreading Monday and has swamped companies with a large number of e-mail messages that appear to be errors returned from a mail server.
The virus-laden e-mails have an attachment that, when opened, installs a program on the victim's computer that opens up a software "back door." Attackers can then bypass the PC's security and turn the infected system into a "bounce point" for any network-based attack.
Both versions of the virus are also programmed so that infected PCs will send data to the main Web server of the SCO Group between Feb. 1 and Feb. 12. The SCO Group has incurred the wrath of the Linux community for its claims that important pieces of the open-source operating system are covered by SCO's Unix copyrights. IBM, Novell and other Linux backers strongly dispute the claims.
On Tuesday, SCO offered a $250,000 bounty for information leading to the conviction of the person responsible for the MyDoom epidemic. Microsoft, which has offered similar bounties for information leading to the conviction of those responsible for the MSBlast worm and the Sobig.F virus, hasn't yet stated whether it will offer a reward related to MyDoom.
"This is all breaking fairly quickly, so we are focused on getting a grip on the technical issues," said Christopher Budd, security program manager for Microsoft's product support services. "As far as the applicability of our virus rewards program, we will look at that when we get this contained and understood."
The new version of the virus prevents PC users from going to security sites and could block some antivirus software from getting the latest updates. The new virus adds a file to the infected computer that tells it where to look for certain Internet addresses. Among the addresses are F-Secure's update site, Symantec's update site and Microsoft's downloads site.
Symantec confirmed that its users may have to delete the file before they can update their antivirus software, while Microsoft was still investigating the effect on Windows users.
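The blocking mechanism described above works by mapping security vendors' host names to addresses that go nowhere, so the infected machine can no longer reach update sites. The following Python script is an added example, not code from the article or from any of the vendors named in it: it parses a hosts-style file (a constructed sample is embedded) and reports entries that point hostnames under a watch list of security-vendor domains at the loopback or unspecified address. The watch list and the sample lines are assumptions for illustration, not the worm's actual target list, and the script assumes the file uses the common "address hostname" format so it can also be pointed at a real system hosts file by a defender checking a machine.

```python
import ipaddress
from typing import List, Tuple

# Domains of the update sites the article names; an illustrative watch
# list, not the worm's real target list (assumption for this example).
WATCHED_DOMAINS = ("symantec.com", "f-secure.com", "microsoft.com")

# Constructed sample of a hosts-style file: one comment, two benign
# entries, and three entries that sinkhole security-vendor hostnames.
SAMPLE_HOSTS = """\
# sample hosts file (constructed for this example)
127.0.0.1       localhost
192.168.1.10    fileserver.corp.example   # legitimate internal entry
0.0.0.0         liveupdate.symantec.com
127.0.0.1       www.f-secure.com
0.0.0.0         download.microsoft.com
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs; comments and blank lines are skipped.

    A single line may list several hostnames for one address, so one line
    can yield several pairs.
    """
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # malformed line, ignore
        addr, *names = parts
        for name in names:
            entries.append((addr, name.lower()))
    return entries


def is_sinkhole(addr: str) -> bool:
    """True if the address can never reach a public site.

    Loopback (127.x) and the unspecified address (0.0.0.0) are the classic
    choices for silently blocking a hostname. Private ranges are deliberately
    not flagged: an internal update mirror is a legitimate use of those.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False                           # not an IP literal at all
    return ip.is_loopback or ip.is_unspecified


def in_watched_domain(hostname: str, domains=WATCHED_DOMAINS) -> bool:
    """Match on a label boundary so 'notsymantec.com' is not a hit."""
    return any(hostname == d or hostname.endswith("." + d) for d in domains)


def find_blocked_security_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (hostname, address) for watched hostnames that are sinkholed."""
    return [
        (name, addr)
        for addr, name in parse_hosts(text)
        if in_watched_domain(name) and is_sinkhole(addr)
    ]


if __name__ == "__main__":
    for name, addr in find_blocked_security_hosts(SAMPLE_HOSTS):
        print(f"blocked update site: {name} -> {addr}")
```

The check is a file-content check only; it says nothing about how the entries got there. In practice it belongs in a host-integrity baseline run before an antivirus update is attempted, since, as the article notes, the update itself may fail until the offending entries are removed.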
"It will impede access to some Web sites, but we are investigating the issue," said Microsoft's Budd.
F-Secure has other ways of getting its software updated and so should not be affected by the issue, said Tony Magallanez, systems engineer with the Finnish antivirus company.
"In our software we have ways of circumventing that problem," Magallanez said. "We have multiple ways of updating the program and our software will fail-over to the alternate methods."
Symantec, F-Secure and other antivirus companies are currently analyzing the new mass-mailing virus.