MyDoom.B Variant Spreads, Blocks Access to Security Updates

Marking a new level of sophistication in computer attacks, a variant of the MyDoom worm -- described as the fastest-moving virus in history -- is following up on the first worm's success with a new outbreak.

While antivirus experts indicated MyDoom.B is not spreading nearly as quickly as MyDoom.A -- which generated an estimated 3 million copies and at its peak accounted for one in every eight pieces of e-mail sent on the Internet -- the variant might prove difficult to remove because it blocks access to 65 security and antivirus sites.

The MyDoom.B variant, which works in tandem with the original worm, highlights a trend toward planned, consecutive attacks that make variants much more troubling, iDefense director of malicious code Ken Dunham told TechNewsWorld.

"In the past, we'd typically see a worm come out followed by minor, piddly variants that weren't that disruptive in the wild," Dunham said. "Now, the variants' impact has gone up significantly. They're more carefully coordinated in sequence."

Piggyback Procedure

Dunham said the MyDoom.B variant, which may be getting help in its proliferation by relaying itself through machines infected with MyDoom.A, appears to have been prepared ahead of time for a successive, planned attack.

Dunham said he questions how the MyDoom.A attacker could be notified of infections, which cede control of computers to be used in denial-of-service (Dos) attacks on the Web sites of Microsoft (Nasdaq: MSFT) and The SCO Group next week. However, the MyDoom.B variant does include a notification component, giving credence to the theory that the same author created both worms.

"It appears that this new worm family is a planned, sophisticated, sequential attack," Dunham said. "It is likely that additional attacks of this nature will appear in 2004."

Money Motive

McAfee Avert virus research manager Craig Schmugar, who reported MyDoom.A had infected an estimated 400,000 to 500,000 machines as of Thursday, told TechNewsWorld that the motivation behind the worm and its variant is money. Schmugar said the fact that both MyDoom.A and the MyDoom.B variant can be set to send spam indicates a financial motive.

"Somebody's getting paid to do this," Schmugar said.

Dunham agreed, adding that with money as the motive, attacks are on the rise and the perpetrators behind them are putting more time and effort into developing malicious code.

"The combination of spam technology and making money have definitely changed the nature of attacks today," Dunham said.

Removal Difficult

Compounding the impact of the MyDoom.B variant, the virus blocks access to antivirus and other security sites, which means users could have a hard time patching infected computers.

Dunham said this additional trick could help the MyDoom.B variant -- which updates itself on machines infected by MyDoom.A and also spreads as a randomized e-mail and peer-to-peer worm -- have extended success.

"The point is what are you going to do because the average user does not know how to perform this kind of manual removal," Dunham said.

Hammering the Net

Experts said the MyDoom.B variant does not appear to be spreading at nearly the same pace as its predecessor. Dunham, however, said it could be a controlled spread or might not be as easily detected as the MyDoom.A worm.

The original worm, meanwhile, continued spreading late this week. Schmugar said that while a drop-off is expected on MyDoom.A's end date of February 12th, its current spread prompted McAfee's Avert to double the estimate of infected machines, which is now a half million at the high end.

"MyDoom.A continues to hammer the Net with e-mail traffic," he said.