New MyDoom Virus Now on the Loose

MessageLabs, Sophos and Keynote Systems have released alerts about the new W32.MyDoom.O worm variant that has been circulating the Internet today and causing traffic slowdowns.

This latest variant in the MyDoom virus family was first identified by MessageLabs at 4:40 ET July 26th 2004.

"Sadly, people and businesses fall prey to every one of these new virus variations, ensuring that new variants will be written and new systems compromised," noted Mark Sunner, CTO of MessageLabs.

"We are now on the 15th variant of Mydoom, on the heels of multiple new Bagle variants. For many virus writers, success is not measured in millions of copies being sent; it's measured in the number of new computers hijacked for future use."

General Characteristics of MyDoom.O

MyDoom.O is a mass-mailing worm with an SMTP engine that sends e-mails to addresses harvested from infected machines.

The sender's "from" e-mail address is forged, and therefore does not indicate the true identity of the sender.

MyDoom.O might also spoof from the mailer-daemon@ address, which is typically used to indicate a delivery failure, thus enhancing its social-engineering trickery.

The executable file is approximately 27,648 bytes in size. The virus is also packed with UPX v1.0x and stored in a ZIP attachment.

The virus is also being referred to as MyDoom.M, I-Worm.Mydoom.M, I-Worm.Mydoom.R and W32/Mydoom.L.

Additional Characteristics

The MyDoom worm can generate several different e-mails when spreading itself. A typical example sent by the virus looks as follows:

Dear user

Your account was used to send a large amount of spam during this week.

Obviously, your computer had been compromised and now runs a trojan proxy server.

Please follow instruction in order to keep your computer safe.

Have a nice day, user support team.

So, if your e-mail address was John.Smith@XYZCorp.com, the e-mail would be signed from the "XYZCorp.com user support team."

Spammers and User Computers

"Computer users are becoming aware that spammers take over innocent third party computers to send their marketing messages," said Graham Cluley, senior technology consultant for Sophos.

"This worm plays on that fear and pretends that users have already been hacked and exploited by spammers. All computer users should keep their anti-virus up-to-date and ensure they never launch an unsolicited e-mail attachment."

Sophos recommends that companies protect their e-mail with a consolidated solution to thwart the virus and spam threats as well as secure their desktop and servers with automatically updated antivirus protection.

General Network Slowdowns

Keynote Systems, a company that tracks Web site performance, has observed an atypical event today in which the Keynote Business 40 Internet Performance Index, a barometer of overall Internet speed, has degraded in both speed and reliability.

The Keynote Business 40 measures the download performance of the 40 most highly traveled, well-connected sites in the United States from 50 cities around the world.

Typical reliability for the sites on the index is 97 percent, while the download performance of the home pages of the sites on the Index is usually below 2.0 seconds. Beginning at 7:00 a.m. Pacific time today, reliability fell 1.5 percent points to 95.5 percent availability as measured on the leading backbones around the world.

Keynote believes that fallout from the MyDoom virus is causing the overall slowdown on the Internet and is also affecting in a sporadic but serious way the search performance of Google (Nasdaq: GOOG), Alta Vista and Lycos.

Keynote has done a series of automated instant search measurements from cities around the U.S. to ascertain these performance issues.