04:37 PM

MyDoom.f Spreads, Deletes Files

Unlike other variants of the worm, this one randomly eliminates files, including doucments created by Word and Excel.

MyDoom.f, discovered last Friday, continues to spread, security experts said Wednesday--but unlike other variants of the persistent worm, it can wreak havoc on the infected machine by randomly deleting files, including documents created with Microsoft Word and Excel.

"This worm is being sighted in larger numbers, suggesting that not all computers are properly protected," said Graham Cluley, senior technology consultant at Sophos.

MyDoom.f, whose payload arrives in an attached file in an E-mail message with a large number of possible subject lines--including "Read this," "Your order is being processed," and "Bug"--installs malicious code that, among other tasks, conducts denial-of-service attacks against and

The RIAA site is the Internet home of the Recording Industry Association of America, the group responsible for bringing lawsuits against illegal music file sharers. Early Tuesday, AlertSite, a Web-monitoring firm, reported that showed a significant drop in performance due to the attack; between 9 a.m. and noon Tuesday, the site was available only about 74% of the time.

"It appears that the site was affected yesterday by the traffic generated by this latest revision of MyDoom," said Ken Godskind, VP at AlertSite. By Wednesday morning, had recovered and was available approximately 92% of the time, Godskind said.

Microsoft's Web site, which has been the target of numerous denial-of-service attacks over the past several weeks thanks to MyDoom variations, wasn't affected by this latest worm's assault.

MyDoom.f, which has been rated as a medium-level threat by most anti-virus firms, takes the MyDoom motif—denial-of-service attacks, the creation of a backdoor on the infected machine for possible use as a spam proxy--and ups the ante by randomly deleting a number of file types on the compromised system.

MyDoom.f targets a variety of image files, as well as Microsoft Word documents and Excel worksheets, said security professionals. The full list of the file types targeted is: mdb, .doc, .xls, .sav, .jpg, .avi, and .bmp.

"It deletes files with various levels of success," said Ken Dunham, the director of malicious code research at iDefense, "but it seems it manages to delete Word files about 40% of the time."

This is the first MyDoom variant that's had a direct, destructive impact on local machines infected with the worm.

Most experts believe the author of MyDoom.f is a different individual than the creator of the original worm, thanks to clues in the code, and its destructive spin. "The source code for MyDoom was planted by Doomjuice," said Dunham, "and here you go. It's not surprising that variants continue to show up."

Although anti-virus firms have updated their definition files to take MyDoom.f into account--deflecting it and destroying it when found--users not guarded by anti-virus software who think their machines may be infected can download automated removal tools from such sources as Symantec and F-Secure.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of July 17, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.