Dangerous Variant Of MyDoom Appears

The first copycat of the widespread Mydoom worm appears on the Internet, and some analysts are warning it may be even more dangerous than the original.

January 28, 2004

Network Computing

The first copycat of the widespread Mydoom worm appeared Wednesday on the Internet, and some analysts are warning it may be even more dangerous than the original.

Dubbed Mydoom.b by most security firms, the variant strongly resembles the original Mydoom, now tagged as Mydoom.a, but adds some disturbing new traits.

Some of the subject lines used by Mydoom.b depart from the original, including the new headings 'Delivery error' and 'Returned mail,' both of which try to trick users into believing that the message is legitimate and can safely be opened.

Another change in Mydoom.b is the addition of microsoft.com as a target for a February 3 denial-of-service (DoS) attack. Mydoom.a specified sco.com as the target for a February 1 DoS assault by compromised machines; Mydoom.b has both sites and the associated dates embedded in its code.

Most notable, and most disturbing, however, is that Mydoom.b prevents infected users from accessing anti-virus and other computer support sites.

The worm modifies the hosts file on the compromised system so that 65 Web sites resolve to the IP address 0.0.0.0, making them inaccessible.

The list of affected sites includes major names in the anti-virus and security trade, among them Symantec, McAfee, F-Secure, Sophos, Network Associates, and Kaspersky Labs. Microsoft's Office Update and Windows Update, as well as other Microsoft download locations, are also on the list.
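A defender-side check for this kind of tampering, added here as an example and not taken from the article or from any vendor's tooling: it parses a hosts file the way the resolver would (comments, tabs, several names per line) and flags any watched vendor or update hostname that has been mapped to a sinkhole address. The keyword list, the extra sinkhole addresses and the sample hosts content are constructed assumptions.

```python
from typing import List, Tuple

# Addresses that make a name unreachable when placed in a hosts file.
# 0.0.0.0 is what the article reports Mydoom.b using; 127.0.0.1 and ::1
# are other common "blackhole" choices, included here as an assumption.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}

# Vendors and update services named in the article. Matching on a bare
# keyword instead of an exact domain list is a simplification (assumed).
WATCH_KEYWORDS = ("symantec", "mcafee", "f-secure", "sophos", "kaspersky",
                  "microsoft", "windowsupdate")

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per hostname, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()                   # any mix of tabs and spaces
        addr, names = parts[0], parts[1:]
        for name in names:                     # one line may list several names
            entries.append((addr, name.lower()))
    return entries

def find_sinkholed_vendors(text: str) -> List[Tuple[str, str]]:
    """Entries that point a watched vendor/update hostname at a sinkhole address."""
    hits = []
    for addr, name in parse_hosts(text):
        if addr in SINKHOLE_ADDRS and any(k in name for k in WATCH_KEYWORDS):
            hits.append((addr, name))
    return hits

# Constructed sample resembling a hosts file after this kind of tampering.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 www.symantec.com securityresponse.symantec.com
0.0.0.0\tliveupdate.symantec.com   # inline comment
0.0.0.0 download.mcafee.com
0.0.0.0 www.f-secure.com
0.0.0.0 windowsupdate.microsoft.com office.microsoft.com
192.168.1.10 intranet.example.local
"""

if __name__ == "__main__":
    for addr, name in find_sinkholed_vendors(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {addr}")
```

On Windows the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; the normal localhost line and ordinary intranet entries are not flagged.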

That makes it much more dangerous than its predecessor, said Ken Dunham, the malicious code director for security firm iDefense.

"This new variant is worse than Mydoom.a," he said, because the lack of access to security and anti-virus sites will make it impossible for many users, particularly consumers, to obtain updates to protect or clean their systems. "This will result in a longer lifespan for Mydoom.b," he said.

Dunham, along with other security experts, suspects that Mydoom.b is being launched from computers already infected with the original Mydoom.a. "If this is the case," said Dunham, "Mydoom.b will likely become very prevalent in just a few hours."

Moscow-based Kaspersky Labs agreed. "Our analysts believe that Mydoom.b is probably using machines infected by the original Mydoom," said Kaspersky spokesman Denis Zenkin in an e-mailed statement. "The computer community may be facing a much more serious outbreak than the one caused by Mydoom.a yesterday."

Anti-virus firms are racing to combat Mydoom.b with updated virus definition files, but not all companies have yet posted alerts for the variant, nor updates that can defend against it and disinfect compromised systems.
