The MyDoom virus, which has infected hundreds of thousands of systems worldwide, is wired to continue to attack SCO Group through Feb. 12. A second variant, MyDoom.B, is scheduled to launch a similar attack against Microsoft on Tuesday. Both SCO and Microsoft last week offered a $250,000 bounty for information that leads to the arrest and conviction of the author, or authors, of the MyDoom variants.
Internet performance-monitoring company Keynote reported that availability of the primary SCO Web site was sporadic through much of Saturday, as the local time of MyDoom-infected computers from around the world began to switch to Sunday, Feb. 1, the date MyDoom was designed to begin the distributed denial-of-service attack. By 9 p.m. EST Saturday, availability of www.sco.com had dropped to near zero, Keynote reported in a statement. Around 4 a.m., the SCO site was brought back online, but the flow of attack traffic to the site made the home page inaccessible, Keynote said.
"We started seeing increased traffic as we rolled into Saturday and we saw an increased amount of traffic that eventually brought our site down," an SCO spokesman says. "We plan on staying one step ahead of those interested in taking our site offline."
So does Microsoft, though security experts say it may not be hit as hard as SCO.
Microsoft wouldn't go into detail about how it's working to mitigate the potential denial-of-service attack, saying it doesn't want to tip off its strategy to the virus writers and thereby let them develop a new variant that would bypass any steps the software maker takes to sidestep the MyDoom attack.
"We are doing everything we can to ensure that Microsoft properties remain fully available to our customers," the company said in a statement.
MyDoom spreads through peer-to-peer networks and by sending E-mails with random subject headings, such as "Hello." Its E-mail attachments come with several file names, including readme.zip and text.zip. The E-mails generated by MyDoom often have the subject line of "Mail transaction failed. Partial message is available" or "Error." The virus is activated only when a recipient of an infected E-mail message clicks on the attachment.
The virus then harvests E-mail addresses from infected systems, scouring .wab, .adb, .tbb, .dbx, .asp, .php, .sht, and .htm files for addresses to send itself to.
The variant poised to strike Microsoft hasn't spread as successfully as the first version, says Stephen Trilling, director of research at Symantec. Trilling says the security software vendor has received few reports of MyDoom.B infections from its customers, while reports of the original MyDoom.A peaked at about 150 submissions per hour last week. New infections of MyDoom.A are still considerably high, with 40 to 60 an hour being reported to Symantec.
"MyDoom.B is nowhere near as successful as the first version," Trilling says.
That news may bode well for Microsoft and its customers as system clocks around the world began to reach Feb. 3 on Monday afternoon.
Security firms estimate that MyDoom.A has caused tens of millions of dollars in lost productivity and cleanup costs. Secure E-mail services provider MessageLabs reported Monday that it had intercepted nearly 17 million infected E-mails since early last week when the virus first appeared. The first infection the company stopped originated in the Russian Federation; since then, MessageLabs says, the virus has been intercepted in at least 214 countries.