By Ayanna Kirton, Gleaner Writer

A NEW version of the MyDoom worm appears to be circulating on the Internet and might have been responsible for some disruptions to Microsoft Corporation's web site on Sunday night, February 8, and Monday morning, February 9, researchers said.
According to Dennis Fisher in an article published by www.eweek.com, when it is executed, the new variant, called MyDoom.C, or Doomjuice, begins scanning for machines listening on TCP port 3127. When it finds available PCs, it copies itself to the new machine's Windows directory under the file name 'intrenat.exe' and also creates a file named 'sync-src-1.00.tbz' in several locations.
But unlike the two previous versions of MyDoom, this third variant does not spread via e-mail, nor does it install a backdoor on infected machines or have a kill date, according to an analysis done by Ken Dunham, malicious code manager for Defense Inc., based in Virginia, in the United States (US). The worm's code is not encrypted, but it contains all of the source code for MyDoom.A.
The new worm's infection procedure may limit its spread, experts said. MyDoom.C spreads by scanning for machines that are already infected with one of the other variants of the worm. So the possibility of spreading widely in the enterprise is mitigated by the fact that most companies affected by one of the other worms have likely already cleaned up those PCs. Also, administrators can trump the new variant by blocking Port 3127 at their firewalls.
According to reports from www.zdnet.com, the worm, Doomjuice, spreads to computers that have already been infected by either the original MyDoom virus or the MyDoom.B variant, and among other actions, places several copies of the source code for MyDoom.A on a victim's computer. The author may be using the tactic to create a crowd of PC users in which to hide, or the author could be spreading the code in hopes that other virus writers will create variations on MyDoom, said Graham Cluley, senior technology consultant for antivirus company Sophos. "If he has spread his code around the Net on to innocent computers in an attempt to hide in the crowd, then he's more sneaky than the average virus writer," Cluley said in a statement.
Doomjuice is one of two opportunistic programs, the other dubbed Deadhat, which started spreading this week. Both viruses infect computers that have already succumbed to either of the two MyDoom viruses. Doomjuice also attempts to direct any re-infected PCs to attack Microsoft's Web site.
According to www.zdnet.com, Doomjuice's possession of the source code for the original MyDoom virus suggests that the creator of the worm is also the writer of the original virus. A word found in both MyDoom viruses, the name 'Andy', has already suggested to some researchers that the original MyDoom and the MyDoom.B variant were created by the same person or group.
Other antivirus researchers agree that the latest hostile program could be intended to confuse investigations into who created the viruses.
In an attempt to thwart the worm, Microsoft has provided a worm removal tool available on the company's web site. Users can check the Download Centre for the latest tool to help remove the Mydoom.A, Mydoom.B, Doomjuice.A, and Doomjuice.B worms from infected machines.
According to microsoft.com, once the tool has run (after the End-User License Agreement, or EULA, is accepted), it automatically checks for infection and removes any of the targeted worms that are found. If a machine is infected with the Mydoom.B worm, the tool will also restore the default version of the hosts file and set the 'read-only' attribute for that file. This action will allow the user to visit previously-blocked Microsoft and antivirus web sites.
After running, the tool displays a message describing the outcome of the detection and removal process. The tool can be safely deleted after it has run. Also, the tool creates a log file named doomcln.log in the %WINDIR%\debug folder.
This tool will not:
Detect or remove any viruses or worms other than Mydoom.A, Mydoom.B, Doomjuice.A, and Doomjuice.B
Detect or remove future variants of Mydoom or Doomjuice
Prevent the machine from being re-infected with Mydoom if, for example, an infected e-mail attachment is re-executed
Detect or remove malware that exists on a system as a result of the backdoor component created by Mydoom.A or Mydoom.B (besides Doomjuice.A and Doomjuice.B)
Delete any e-mail that contains Mydoom.A or Mydoom.B
Run on any version of Windows NT 4.0
According to Microsoft, the user must be an administrator to run this tool.
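A defender-side triage check for the indicators the article names (the dropped file names, a listener on TCP port 3127, and a hosts file that pins Microsoft and antivirus sites to a null address), written here as an added Python example; it is not part of the article or of Microsoft's removal tool, and the vendor hostname patterns it watches for are an assumption for illustration.

```python
import os
import re
import socket

# Indicators named in the article: the dropped file names and the port the
# worm scans for. Everything else in this script is an added illustration.
DROPPED_FILES = {"intrenat.exe", "sync-src-1.00.tbz"}
BACKDOOR_PORT = 3127
# Assumed domain fragments: the article only says "Microsoft and antivirus
# web sites" are blocked, so this pattern is an assumption, not from the page.
WATCHED = re.compile(r"microsoft|windowsupdate|sophos|symantec|mcafee", re.I)
NULL_TARGETS = {"0.0.0.0", "127.0.0.1"}


def tampered_hosts_entries(hosts_text):
    """Return (ip, name) pairs that pin vendor/AV names to loopback or null.
    The normal '127.0.0.1 localhost' default line is ignored."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if ip in NULL_TARGETS and name.lower() != "localhost" and WATCHED.search(name):
                hits.append((ip, name))
    return hits


def dropped_file_hits(paths):
    """Keep only paths whose file name matches the worm's known dropped files.
    Both '\\' and '/' separators are accepted so Windows paths work anywhere."""
    return sorted(p for p in paths if re.split(r"[\\/]", p)[-1].lower() in DROPPED_FILES)


def scan_windir(windir):
    """Walk a Windows directory (e.g. %WINDIR%) and apply dropped_file_hits."""
    paths = [os.path.join(r, f) for r, _d, fs in os.walk(windir) for f in fs]
    return dropped_file_hits(paths)


def backdoor_port_open(host="127.0.0.1", port=BACKDOOR_PORT, timeout=0.5):
    """True if something on this host accepts connections on the scanned port."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            return s.connect_ex((host, port)) == 0
    except OSError:
        return False
```

A hit from any of the three checks on a machine that has not run the removal tool is a reason to isolate it and block port 3127 at the perimeter, as the article advises.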
So far, very few local companies appear to be affected by Mydoom. Grace, Kennedy's technology department reported that they were able to detect the worm before it did any damage to their information systems. Calls to computer repair and maintenance companies revealed that few representatives were even aware of the worm or the threat it posed, mainly because no reports had been made by local users.