Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

More MyDoom Worms Expected

MyDoom, the Internet's fastest-spreading worm which first appeared two weeks ago and continues to plague Windows users worldwide, is still spreading. On Wednesday, security experts detected yet another sibling: MyDoom.d, also known as Doomjuice.b.

Like its immediate predecessor, MyDoom.c/Doomjuice -- which was discovered Monday -- the new variation scans for systems already infected with the original MyDoom or its copycat MyDoom.b, then re-infects the computer with a more persistent edition. So far, most security firms are reporting a very low number of MyDoom.b/Doomjuice.b interceptions. As of mid-morning Wednesday, for instance, Symantec had not yet received any MyDoom.d submissions from its customers, although it had tagged the worm as a "2" in its 1 through 5 severity ranking system.

Initial analysis, said Ken Dunham, the director of malicious code research for iDefense, indicates that MyDoom.d/Doomjuice.b is "nearly identical to MyDoom.a [the original edition]."

Both scan for an open TCP 3127 port -- a sign that a computer has been infected by MyDoom and not yet cleansed -- and install additional software on the machine. Both also target Microsoft's primary Web site for an aggressive denial-of-service (DoS) attack in an attempt to knock out the Redmond, Wash.-based developer's Internet presence.

The newest version of MyDoom/Doomjuice, however, boasts an even more effective DoS assault, according to security experts in the U.S. and Russia. Kaspersky Labs, based in Moscow, said Wednesday that MyDoom.d/Doomjuice.b will conduct a continual, multi-request DoS attack on in any month except January, and on all dates except those between the 8th and 12th of each month. MyDoom.c/Doomjuice, on the other hand, limits its attack to a single GET request up to and including the 12th of each month, after which it switches to a more aggressive multi-GET attack tactic.

  • 1