By Robert Lemos
Posted on ZDNet News: Jan 27, 2004 7:35:00 PM

The mass-mailing MyDoom virus has become the fastest spreading program to date and the damage could continue for months or years.

The virus, also known as Novarg and Mimail.R, spread quickly across the Internet on Monday, traveling as an e-mail attachment and infecting PCs whose users opened the malicious file.




When opened, the virus installs a stealth program on the victim's computer that opens up a software "back door." Attackers can then bypass the PC's security and turn the system into a bounce point, or proxy, for any network-based attack.

The virus has programmed infected PCs to send data to the SCO Group's Web server between Feb. 1 and Feb. 12. The SCO Group has incurred the wrath of the Linux community for its claims that important pieces of the open-source operating system are covered by SCO's Unix copyrights. IBM, Novell and other Linux backers strongly dispute the claims.

Perhaps more troubling is the fact that other online vandals could route new attacks through the infected PCs, said Alfred Huger, senior director of engineering for security software firm Symantec.

"For people that handle incident response, (the proxies) will cause problems," he said. Attackers can use the proxies to hide their real locations, making it very difficult to trace the origin of an online assault. "This is going to hang around and hound us for a long time--if Code Red is any indication, for years."




The Code Red worm infected Windows computers running Microsoft's Web server software, called Internet Information Server. While the primary infection hit in July 2001, tens of thousands of computers remain infected with the worm, which is still scanning the Internet looking for vulnerable systems to infect.

The effects of the massive spread of the MyDoom virus have already been felt.

The virulent program has flooded the Internet with e-mail messages bearing the program, doubling the time it takes most major Web sites to deliver a page. About one in every 12 messages being sent through the Internet contains the virus, said e-mail service provider MessageLabs. The previously most prevalent mass-mailing virus, called Sobig.F, only accounted for one out of every 17 e-mail messages.


"This is the most aggressive that we have seen to date," said Mark Sunner, chief technology officer for MessageLabs, which filters e-mail for corporate customers. However, Sunner believed that the infection rate of the virus had begun slowing by Tuesday afternoon. "It has had one cycle around the world, so it's likely that it's peaked." In the first 27 hours of the infection, MessageLabs quarantined more than 1.5 million messages that included the virus.

The virus affects computers running Windows versions 95, 98, ME, NT, 2000 and XP, and arrives in the user's in-box as an attachment to an e-mail message that appears to be an error response from an e-mail server.

The message sports one of several different random subject lines, such as "Mail Delivery System," "Test" or "Mail Transaction Failed." The body of the e-mail contains an executable file and a statement such as "The message contains Unicode characters and has been sent as a binary attachment." or "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."
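As an added illustration (not part of the original article), the lure described above can be written as a mail-gateway heuristic that combines the quoted subject lines and body statements with a check for an executable attachment. The extension list, function names, addresses and sample messages are assumptions constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure strings quoted in the article, lowercased for comparison.
SUBJECTS = {"mail delivery system", "test", "mail transaction failed"}
BODY_PHRASES = (
    "the message contains unicode characters and has been sent as a binary attachment",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment",
)
# Assumption: extensions treated as executable; the article names none.
EXEC_EXTS = (".exe", ".scr", ".pif", ".cmd", ".bat", ".com")

def score_message(raw: bytes) -> dict:
    """Return which lure traits a raw RFC 5322 message shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    part = msg.get_body(preferencelist=("plain",))
    # Collapse whitespace so line wrapping does not hide a phrase.
    body = " ".join(part.get_content().lower().split()) if part else ""
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    hits = {
        "subject": subject in SUBJECTS,
        "body": any(phrase in body for phrase in BODY_PHRASES),
        "executable": any(n.endswith(EXEC_EXTS) for n in names),
    }
    # A bounce-style subject alone is normal mail; require the attachment too.
    hits["quarantine"] = hits["executable"] and (hits["subject"] or hits["body"])
    return hits

def build_sample(subject, text, attachment_name=None) -> bytes:
    """Build a constructed test message; the attachment bytes are inert."""
    m = EmailMessage()
    m["From"] = "postmaster@example.test"
    m["To"] = "user@example.test"
    m["Subject"] = subject
    m.set_content(text)
    if attachment_name:
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()

if __name__ == "__main__":
    lure = build_sample("Mail Transaction Failed",
                        "The message contains Unicode characters and has been "
                        "sent as a binary attachment.", "document.scr")
    print(score_message(lure))
```

Requiring the attachment together with a subject or body match keeps genuine delivery-failure notices, which share the same subject lines, out of quarantine.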

The Web site for SCO Group, the target of the virus, was slow to load on Monday and Tuesday, a SCO spokesperson acknowledged. The site has had intermittent problems responding to requests over the past two days, according to Internet performance measurement firm NetCraft.

SCO's Web site was knocked offline by denial-of-service attacks several times in the past year, none of which had been initiated by a virus. In the past, the company has blamed Linux sympathizers for at least one of the attacks.

The MyDoom virus also copies itself to the Kazaa download directory on PCs on which the file-sharing program is loaded. The virus camouflages itself with one of seven file names: Winamp5, icq2004-final, Activation_Crack, Strip-gril-2.0bdcom_patches, RootkitXP, Officecrack and Nuke2004.

Not everyone agreed that the attack tools installed on infected systems will have a significant impact on Internet security. With the large number of PCs with poor security, MyDoom-infected computers will be a drop in the bucket, said Vincent Gullotto, vice president of antivirus research for security software company Network Associates.

"There are lots and lots of people that are out there that are compromised today," he said. "I think the mass-mailing part will have more of an impact."
