More MyDoom Worms Expected

MyDoom, the Internet's fastest-spreading worm which first appeared two weeks ago and continues to plague Windows users worldwide, is still spreading. On Wednesday, security experts detected yet another sibling: MyDoom.d, also known as Doomjuice.b.

Like its immediate predecessor, MyDoom.c/Doomjuice -- which was discovered Monday -- the new variation scans for systems already infected with the original MyDoom or its copycat MyDoom.b, then re-infects the computer with a more persistent edition. So far, most security firms are reporting a very low number of MyDoom.b/Doomjuice.b interceptions. As of mid-morning Wednesday, for instance, Symantec had not yet received any MyDoom.d submissions from its customers, although it had tagged the worm as a "2" in its 1 through 5 severity ranking system.

Initial analysis, said Ken Dunham, the director of malicious code research for iDefense, indicates that MyDoom.d/Doomjuice.b is "nearly identical to MyDoom.a [the original edition]."

Both scan for an open TCP 3127 port -- a sign that a computer has been infected by MyDoom and not yet cleansed -- and install additional software on the machine. Both also target Microsoft's primary Web site for an aggressive denial-of-service (DoS) attack in an attempt to knock out the Redmond, Wash.-based developer's Internet presence.

The newest version of MyDoom/Doomjuice, however, boasts an even more effective DoS assault, according to security experts in the U.S. and Russia. Kaspersky Labs, based in Moscow, said Wednesday that MyDoom.d/Doomjuice.b will conduct a continual, multi-request DoS attack on microsoft.com in any month except January, and on all dates except those between the 8th and 12th of each month. MyDoom.c/Doomjuice, on the other hand, limits its attack to a single GET request up to and including the 12th of each month, after which it switches to a more aggressive multi-GET attack tactic.Kaspersky Labs' researchers also noted Wednesday that the author of MyDoom.d/Doomjuice.b is using a server request technique that's unusual for such worms. MyDoom.d/Doomjuice.b's request to microsoft.com mimics the Internet Explorer request text, making it very difficult for Microsoft to sort out the wheat (valid requests to its site from IE users) from the chaff (requests generated by MyDoom as part of its DoS assault).

"This potentially increases the destructive capabilities of the worm," said Denis Zenkin, a spokesman for Kaspersky Labs in an e-mail to TechWeb.

But it's the close similarity with the original MyDoom that's drawing interest from security experts like Dunham.

"MyDoom.d appears to be a slightly-modified MyDoom.a variant," he said, "a simple hack on the source code of MyDoom.a."

Dunham and others have theorized that the MyDoom.c/Doomjuice author -- who probably also was the creator of the original -- seeded infected computers with MyDoom source code as either an attempt to make it more difficult for authorities to prosecute if he is caught, or as a way to urge other hackers to take up the battle against Microsoft.The similarities between the new MyDoom.d/Doomjuice.b and the original MyDoom may be an indication, said Dunham, that the source code seeding was done for the latter reason, and could mean that these kinds of copy-cats will just keep on coming.

"Expect exploitation of these [MyDoom-infected] computer to continue, and multiple variants of MyDoom to appear now that the source code has been distributed by MyDoom.c/Doomjuice," said Dunham.