MyDoom.f Spreads, Deletes Files


February 26, 2004

NetworkComputing

MyDoom.f, a worm first discovered last Friday, continues to spread, security experts said Wednesday, and unlike other variants of the persistent MyDoom, it can wreak havoc on the infected machine by randomly deleting files, including documents created with Microsoft Word and Excel.

"This worm is being sighted in larger numbers, suggesting that not all computers are properly protected," said Graham Cluley, senior technology consultant for Sophos.

MyDoom.f, whose payload arrives in an attached file in an e-mail message with a large number of possible subject lines -- including "Read this," "Your order is being processed," and "Bug" -- installs malicious code that, among other tasks, conducts denial-of-service (DoS) attacks against microsoft.com and riaa.com.

The riaa.com site is the Internet home of the Recording Industry Association of America, the group responsible for bringing lawsuits against illegal music file sharers. Early Tuesday, AlertSite, a Web monitoring firm, reported that riaa.com showed a significant drop in performance due to the DoS attack; between 9 a.m. and noon Tuesday, riaa.com was available only about 74 percent of the time.

"It appears that the site was affected yesterday by the traffic generated by this latest revision of MyDoom," said Ken Godskind, the vice president of AlertSite. By Wednesday morning, riaa.com had recovered, and was available approximately 92 percent of the time, said Godskind. Microsoft's Web site, which has been the target of numerous DoS attacks over the past several weeks thanks to MyDoom variations, wasn't affected by this latest worm's assault.

MyDoom.f, which has been rated as a medium-level threat by most anti-virus firms, takes the MyDoom motif -- DoS attacks, the creation of a backdoor on the infected machine for possible use as a spam proxy -- and ups the ante by randomly deleting a number of file types on the compromised system.

MyDoom.f targets a variety of image files, as well as Microsoft Word documents and Excel worksheets, said security professionals. The full list of the file types targeted is: .mdb, .doc, .xls, .sav, .jpg, .avi, and .bmp.

"It deletes files with various levels of success," said Ken Dunham, the director of malicious code research for iDefense, "but it seems it manages to delete Word files about 40 percent of the time."

This is the first MyDoom variant that's had a direct, destructive impact on local machines infected with the worm.

Most experts believe the author of MyDoom.f is a different individual than the creator of the original worm, thanks to clues in the code, and its destructive spin. "The source code for MyDoom was planted by Doomjuice," said Dunham, "and here you go. It's not surprising that variants continue to show up."

Although anti-virus firms have updated their definition files to take MyDoom.f into account -- deflecting it and destroying it when found -- users not guarded by anti-virus software who think their machines may be infected can download automated removal tools from such sources as Symantec and F-Secure.
