Another MyDoom Variant Targets Already-Infected Machines

MyDoom.c also conducts attacks on Microsoft's Web site and, unlike its predecessors, has no shut-off date.

InformationWeek Staff, Contributor

February 9, 2004


Days after an analyst warned businesses to purge their systems of the original MyDoom worm, confirmation of the advice came Monday with the arrival of another variant. This one targets already-infected machines, conducts yet another denial-of-service attack on Microsoft's Web site and, unlike its predecessors, has no shut-off date.

Security intelligence firm iDefense first captured MyDoom.c--also known as "SyncZ" and "Doomjuice"--early Monday, said Ken Dunham, the company's director of malicious code research. The new variant, the second such copycat, spreads by scanning a network for computers that are listening on TCP port 3127, a port opened by the original MyDoom.

When it finds an infected computer--worldwide estimates range as high as half a million machines--MyDoom.c uploads a copy of itself to the computer, re-infecting the PC with a new, more persistent version.
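The propagation described above leaves a visible trace on the network: one host probing many peers on TCP 3127, and peers that still accept connections on that port. As an added example (not from the article or from iDefense), the following Python script triages constructed firewall-style log lines for both patterns; the log format, sample addresses and alert threshold are assumptions.

```python
"""Flag hosts that scan for TCP/3127, the listener opened by MyDoom.a/.b.

Added example for this article, not code from the article or from iDefense.
Runs over constructed firewall-style log lines; the line format, the sample
addresses and the scan threshold are assumptions, not a real vendor's format.
"""
from collections import defaultdict
import re

MYDOOM_PORT = 3127   # backdoor port opened by MyDoom.a/.b (from the article)
SCAN_THRESHOLD = 5   # distinct peers probed on that port before alerting (assumption)

# Constructed sample log: "<time> <src> -> <dst>:<dport> <ALLOW|DENY>"
SAMPLE_LOG = """\
2004-02-09T08:00:01 10.0.0.7 -> 10.0.1.10:3127 DENY
2004-02-09T08:00:01 10.0.0.7 -> 10.0.1.11:3127 DENY
2004-02-09T08:00:02 10.0.0.7 -> 10.0.1.12:3127 DENY
2004-02-09T08:00:02 10.0.0.7 -> 10.0.1.13:3127 ALLOW
2004-02-09T08:00:03 10.0.0.7 -> 10.0.1.14:3127 DENY
2004-02-09T08:00:03 10.0.0.7 -> 10.0.1.15:3127 DENY
2004-02-09T08:00:04 10.0.0.9 -> 10.0.1.20:80 ALLOW
2004-02-09T08:00:05 10.0.0.9 -> 10.0.1.21:3127 DENY
2004-02-09T08:00:06 10.0.0.22 -> 10.0.1.13:3127 ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<action>ALLOW|DENY)$"
)

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {**m.groupdict(), "dport": int(m.group("dport"))}

def find_3127_scanners(text, threshold=SCAN_THRESHOLD):
    """Return {src: sorted peers} for sources probing >= threshold hosts on 3127."""
    targets = defaultdict(set)
    for ev in parse_log(text):
        if ev["dport"] == MYDOOM_PORT:
            targets[ev["src"]].add(ev["dst"])
    return {src: sorted(d) for src, d in targets.items() if len(d) >= threshold}

def find_3127_listeners(text):
    """Hosts the firewall let be reached on 3127: check them for a MyDoom.a/.b listener."""
    return sorted({ev["dst"] for ev in parse_log(text)
                   if ev["dport"] == MYDOOM_PORT and ev["action"] == "ALLOW"})

if __name__ == "__main__":
    print("scanners :", find_3127_scanners(SAMPLE_LOG))
    print("listeners:", find_3127_listeners(SAMPLE_LOG))
```

A scanner alert on an internal host is a strong sign that host already carries MyDoom.c, while each listener is a machine on which the original worm was never cleaned up.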

"Early analysis of MyDoom.c indicates that this last variant is a very aggressive denial-of-service attack worm," said Dunham in an E-mail to CMP Media's TechWeb. "If so, with no kill date, this worm could cause significant problems for denial-of-service targets over the next few months."

MyDoom.c targets Microsoft's Web site, said Dunham, who noted that Microsoft's host name is embedded in the worm's code. If the date is between the first and the 11th of the month, MyDoom.c attacks with a single GET command over port 80, then waits at various intervals before repeating. If the date is the 12th or later, however, it continually attacks Microsoft's Web site.

"[Microsoft's Web site] will likely be hit with an increased number of GET requests today," said Dunham, "with many more on the 12th and following. This correlates to the kill date for MyDoom.a, which attempted to kill itself on the 12th."

MyDoom.c differs from its predecessors in that it doesn't sport an automatic self-termination date. The original MyDoom--now typically tagged as MyDoom.a--included a Feb. 12, 2004 "kill date."

Nor does MyDoom.c spread through methods used by MyDoom.a or the first variant, MyDoom.b: it doesn't rely on either E-mail or the Kazaa file-sharing network to propagate; instead, it constantly scans for already-infected computers.

The one glimmer in MyDoom.c is that it lacks a backdoor component, which MyDoom.a and .b used to sneak into compromised machines. Such backdoors are used by attackers to install other malicious code on MyDoom-infected computers, often with the idea of using them as proxies to deliver spam or conduct additional denial-of-service attacks.

MyDoom.c is dangerous, said Dunham, because of its sly nature--it doesn't arrive as an E-mail attachment, a tactic that can be defeated simply by not opening the file--and the large numbers of MyDoom-infected computers. "It has the potential of spreading to 500,000 or more computers easily in the first week," he said.

Last week, Gartner analyst Martin Reynolds recommended that businesses and consumers immediately take steps to cleanse their computers of all evidence of MyDoom. "The threat will not end until the MyDoom executable has been removed from all infected PCs," he said in a statement.

MyDoom.c's infection vector is similar to that used by the Blaster worm, which also avoided E-mail as a propagation technique and instead directly attacked vulnerable systems by scanning ports and copying itself to vulnerable machines.

MyDoom.c can affect systems running Windows 95, Windows Me, Windows 2000, Windows NT, Windows XP, and Windows Server 2003.
