MyDoom spells more trouble
2004-01-29 07:18
Washington - The Mydoom worm wreaked more havoc on Wednesday after becoming the biggest internet virus thus far, but the worst damage may be yet to come, experts said as a new strain of the bug emerged.
Mydoom, which clogged the internet with more than 100 million infected e-mails in its first 36 hours, continued to multiply, Finland's F-Secure said.
Mydoom "has already spread more than Sobig.F", the security firm said in a statement.
"Current estimates show that currently between 20 and 30% of all e-mail traffic worldwide is generated by this worm."
The spread of the virus prompted an FBI investigation and a scramble to update software protection.
New version
But on Wednesday, experts found a new version of the virus, dubbed Mydoom.B, that evades detection measures for the original virus, and is programmed to launch attacks on Microsoft and SCO, owner of the Unix operating system, Finland's F-Secure said.
"The new virus has been modified so that the original Mydoom anti-virus protection does not detect it," Mikko Hyppoenen, director of F-Secure's anti-virus division, said.
Mydoom.B is designed to attack www.microsoft.com, the main website run by Microsoft Corp, as well as the website of US-based software vendor SCO, which had been the target of the original worm.
In Europe, the percentage of infected e-mails rose from 21% on Wednesday morning to over 33% in the afternoon, Hyppoenen said, citing statistics from several European Internet service providers.
But analysts said that the slowing or crashing of computer networks may only be the start of the problems from the worm, which installs a program on infected computers, allowing a hacker to take control and launch additional attacks.
Vulnerable
"It opens up your computer for further compromise," said Sharon Ruckman, senior director of Symantec Security Response. "It's like opening up a couple of windows in your house so someone can sneak in without your knowing it."
The so-called "back-door Trojan" program could allow a hacker to control an infected PC without the owner's knowledge, creating an army of "zombies" that are used to attack websites, Ruckman added.
Keith Peer, president and founder of the US-based security firm Central Command, said the installation of the so-called Trojan program could be a sign of other malicious intent.
"Someone who does this has intention to do harm," Peer said, adding that the virus creators "can now use the infected machines as an army for spam, or to attack other machines. They could focus this on any number of things."
Cleverly crafted
The remote control of other computers could be used for politically oriented attacks or for spam, in an effort to generate money.
Peer said the virus uses "a very cleverly crafted social engineering trick", making the e-mail appear to be an error response or a technical message, inducing more users to open the virus attachment that causes it to spread further.
"The Mydoom virus has the potential to become more widespread than all of the other big virus outbreaks put together," said Christopher Faulkner, chief executive of security firm CI Host.
"So far, the damage is minimal. But the pre-eminent danger is that one virus strain has a keylogger."
Faulkner said it is possible that one strain of Mydoom contained a so-called keylogger, which enables a hacker to obtain passwords for financial sites to gain access.
SCO has offered a $250 000 reward for information leading to the arrest and prosecution of Mydoom's creators.
Symantec's Ruckman said the infection rate appeared to be slowing as networks step up protection.
"We've seen it peak as of yesterday, and the rate we're seeing coming in has dropped to almost non-existent levels. ... That doesn't mean there aren't e-mails trying to get into the network, but they are being filtered out."