Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Another MyDoom Worm Targets Already-Infected Machines

Just days after an analyst warned enterprises to purge their systems of the original MyDoom worm, confirmation of the advice came with the arrival Monday of another variant that targets already-infected machines, conducts yet another denial of service attack on, and unlike its predecessors, has no shut-off date.

Security intelligence firm iDefense first captured MyDoom.c -- aka "SyncZ" and "Doomjuice" -- early Monday, said Ken Dunham, the company's director of malicious code research. The new variation, the second such copy-cat, spreads by scanning for computers on a network which are listening on TCP port 3127, a port opened by the original MyDoom.

When it finds an infected computer -- worldwide estimates range as high as half a million machines -- MyDoom.c uploads a copy of itself to the computer to re-infect the PC with a new, more persistent version.

"Early analysis of MyDoom.c indicates that this last variant is a very aggressive denial-of-service (DoS) attack worm," said Dunham in an e-mail to TechWeb. "If so, with no kill date, this worm could cause significant problems for DoS targets over the next few months."

MyDoom.c targets, said Dunham, who noted that the Redmond,Wash.-based developer's host name is embedded in the worm's code. If the date is between the first and the 11th of the month, MyDoom.c attacks with a single GET command over Port 80, then waits at various intervals before repeating. If the date is the 12th of later, however, it continually attacks Microsoft's Web site.

  • 1