The MyDoom variant that joined the original virus in wreaking havoc on the Internet last week contains a cryptic message in which the author appears to apologize for the malicious code, security experts say.
The creator of what anti-virus experts say is the fastest spreading virus ever on the Internet signed MyDoom and MyDoom.B with "andy," and left the following message in the latter version: "I'm just doing my job, nothing personal, sorry."
"Our interpretation is that he's apologizing to the general public," Jimmy Kuo, research fellow at anti-virus software maker Network Associates Technology Inc., said Friday. "Our guess is that someone is paying him to write this thing."
Both MyDoom versions install a "back door" in infected PCs, enabling hackers to commandeer the machines to send spam, launch denial of service attacks, or perform other nefarious acts.
Some experts, however, doubted the sincerity of the apology. Many virus writers leave cryptic messages in their code to tease investigating authorities and to pat themselves on the back for their handiwork.
"If he's really sorry, then why did he release it," said Michele Morelock, technical support leader at anti-virus software maker Sophos Inc. "I would imagine it's much more tongue-in-cheek than saying I'm really sorry for releasing it."
The MyDoom virus launched a denial-of-service attack early Sunday that crippled SCO Group's Web site with hundreds of thousands of requests, an SCO spokesman said. The attack is programmed to continue on the company's Web site until Feb. 12, according to messages left inside the virus' code.
But the spokesman said SCO will unveil a contingency plan Monday for customers to access the site. He declined to discuss those plans, citing hackers.
MyDoom.B also prevents infected computers from accessing the Web sites of Microsoft and many anti-virus software makers, making it difficult for the owner of an infected machine to get help.
Microsoft and SCO have each offered a reward of $250,000 for the arrest and conviction of the MyDoom author. Both companies are also assisting in investigations by the FBI, the U.S. Secret Service and Interpol, an international police organization.
Postini Inc., a security company that cleanses E-mail before it reaches corporate networks, said Friday it had intercepted more than 12.5 million copies of MyDoom and its variant since the original virus was launched last Monday. In the first 24 hours of the attack, Postini intercepted 3.5 million copies of the virus. On Friday, the company reported an infection rate of 1 in 24 E-mails.
Based on its own customer submissions, security vendor Symantec Corp. said MyDoom was spreading on Friday at a rate of 30% to 40% less than its peak earlier in the week. MyDoom.B wasn't even on the company's list of top 5 viruses.
Nevertheless, Symantec expects the viruses to continue be a threat for months. "These viruses tend to stick around for months and months," said Alfred Huger, Symantec's senior director of engineering. "The Internet is a very big place."