MyDoom.F Spreads Carnage with Malicious Payload

The latest iteration of the MyDoom worm, “MyDoom.F,” has Internet security experts worried because, in addition to triggering denial-of-service (DoS) attacks, it also can delete files from infected computers. MyDoom.F was first identified last Friday and has picked up steam in just the last few days, Sophos senior technology consultant Graham Cluley told the E-Commerce Times.

“Because it came out just before the weekend, fewer people were opening their e-mails,” Cluley said. “But by Monday morning, with people having to plow through spam and other [e-mail], the virus then reaches a critical mass — a shooting star, if you will — and causes more problems.”

Richard Stiennon, vice president of research for Internet security at Gartner, told the E-Commerce Times that MyDoom.F will raise awareness of the mass destruction malware can cause. In the past two years, most worms have caused damage merely by spreading. Destruction of files could have a much greater economic impact and be especially painful for consumers.

In addition to its ability to delete files, MyDoom.F aims to turn infected computers into zombies that will launch DoS attacks on Web sites belonging to Microsoft and the Recording Industry Association of America (RIAA). Unlike MyDoom.A, which targeted The SCO Group’s Web site but had a relatively small attack window of several days, MyDoom.F’s expiration date for performing DoS attacks is February 16, 2006 — almost two years after its introduction into the wild.

The worm affects computers running all versions of Microsoft Windows, from Windows 95 to Windows XP, and targets the C to Z drives, whether they are local or networked. Computers running Linux or Mac OS are not affected, though their e-mail boxes may become clogged by spam generated by the worm.

Purely Vandalism

According to Cluley, MyDoom.F tries to destroy a wide range of files for no apparent reason beyond pure vandalism. He estimated the worm’s overall success rate as averaging about 40 percent, adding that a number of different conditions determine the worm’s success or failure in this regard.

Among the files MyDoom.F attempts to delete are .bmp and .jpg graphic files, .avi movie files, Microsoft Word .doc files, Microsoft Excel .xls files, and Microsoft Access .mdb files.

Deletion of graphic and video files has the potential to spark major upset among home PC users, according to Cluley, because those users often store family memories and communications with loved ones using such files.

By targeting productivity files, the worm also has potential to wreak havoc on businesses, although most businesses have stricter backup and security regimes than the typical home user, Cluley said.

Assault and Capture

Determining the MyDoom.F writer’s motive is difficult, Cluley added. However, he said he thinks the writer might be sympathetic to people whom the RIAA is targeting in its campaign of lawsuits against illegal file-sharers. Notably, the virus is not targeting music files with extensions of .mp3 or .wma.

Even more difficult is determining the identity of the virus writer who based MyDoom.F on the original MyDoom’s source code and then altered the payload.

Unlike the original MyDoom virus, MyDoom.F is what Cluley called a “tagged” virus. In the decrypted worm body, a signature reads, “I am ‘Irony’, made by jxq7.”

“If the writer used this nickname in other areas of interest, this may help in capturing” the culprit, he said. “But out of the 88,000 or so computer viruses that exist, fewer than 20 of the writers have been arrested.”

For his part, Gartner’s Stiennon estimated there are about 30,000 individuals who spend a significant portion of their time hacking. While that is a finite number, it still makes any motivation possible for making a destructive piece of software.

What To Do? The Usual

Cluley went on to say that, on the enterprise level, most virus-infected e-mail is stopped at the e-mail gateway and through antivirus software installed throughout the organization. He recommended that enterprises automate the update process and apply the latest Microsoft security patch so that client users need not worry as much about potential infections.

At the same time, he recommended that IT departments take an extremely proactive stance on virus protection — one that goes beyond educating users not to open unexpected, unsolicited e-mail attachments.

“Make it so no executable code comes into users’ e-mail boxes,” Cluley said. “Have it instead go straight through the IT department, where they can then check if it has been properly licensed and isn’t a virus. Letting .exe files go to users isn’t a safe way to run a business.”