MyDoom Relaunches Itself with Four New Versions

Sept. 14, 2004
Security experts warned on Friday that several new versions of MyDoom have surfaced on the Internet, suggesting that worm writers are taking a stab

Security experts warned on Friday that several new versions of MyDoom have surfaced on the Internet, suggesting that worm writers are taking a stab at improving the venerable virus.

The viruses are largely alike: They are designed to spread by attaching copies of the program to e-mail messages and download additional features from compromised Web sites. Moreover, they are all difficult to clean from an infected Microsoft Windows-based PC, because they stop the system from connecting to antivirus Web sites to download updates.

The fact that several similar variations of MyDoom have been released in quick succession suggest that a more lethal version may be in the works, said Sam Curry, vice president of product management for Computer Associates International's eTrust software.

"We saw similar behavior with the Bagle virus--three or more variants of a virus...were all low, but then they were followed by a high-threat virus," he said. "We are pretty much on alert now through the weekend, and we are recommending that people be careful with e-mail."

The original MyDoom appeared in January. It spread quickly as a malicious attachment carried by spam e-mail. At the time, some antivirus vendors declared the program the worst mass-mailing computer virus to hit Internet users. It is programmed to set off data floods that target Web sites belonging to Microsoft and the SCO Group, a company that has claimed ownership of key technology in the Linux operating system.

Recent versions of the virus have renewed attacks on Microsoft, containing messages that have asked for a job in the security industry.

The inclusion of antiremoval code in the MyDoom offshoots that emerged Friday could be a sign that spammers and others in the Internet underground want to gain control of vast numbers of PCs, said Alfred Huger, senior director of security response at Symantec, an antivirus company.

"I think we are looking at someone looking to do a real-estate grab," he said. "The virus seems to be about getting new hosts and keeping them."

Another plausible theory is that the writer or writers behind the malicious program are tweaking its abilities and testing the result, Huger noted.

"It is entirely likely that (iterative development) is going on or that the source has been released to a new group of people," he said.

That could mean that a bigger Doom is on the way, he said.