MyDoom.B Is For Bust
It looked like a slam-dunk. MyDoom.A spread around the Internet like a cold through day care, and MyDoom.B was supposed to find those systems and upgrade them. Why is MyDoom.B a flop? Happy days in Redmond.
The rapid spread of MyDoom.A was a pretty scary thing to witness. I knew that I had immediately recognized it as a worm when it showed up here, but still it's scary when so many people out there get infected. Then MyDoom.B came out and I really got concerned, partly because of its evil practice of locking users out of accessing security sites from which they might disinfect themselves. MyDoom.B seemed like a slam-dunk to spread far and fast. Apart from the usual mass-mailing and KaZaA-based propagation methods, it also searches the Internet for systems with the MyDoom.A backdoor installed (and it uses a really weird method of scanning for those systems, skipping many of them for no apparent reason). When it finds a system running the backdoor, it sends it a copy of MyDoom.B for installation.
In the abstract, this should be the right way to do it, and you'd think that, with an ecosystem so fertile with MyDoom.A infestations, B would be all over the place. Such is emphatically not the case. I searched the analyses of the MyDoom.B virus on the Web sites of several security firms. I found little reason for fear; the technical descriptions are all pretty scary, but almost all of those sites with an assessment of how far it has spread classify that spread as "little or none." Here's a handy list for your own inspection:
Links to Security Firms' MyDoom.B Analyses and Remarks on Spread in the Wild:
- Symantec: rates it "Low (0-49)"; separately, Symantec Security Response is seeing fewer than a dozen submissions of the B variant
- Trend Micro: found 1 copy in the wild
- McAfee: "Low-Profiled"
- Kaspersky: No comment on distribution
- Sophos: "At the time of writing, Sophos has received no reports from users affected by this worm."
- Panda Software: Distribution: Low
- Norman Antivirus: LOW RISK
- Command Software: No comment on distribution
- F-Secure: LEVEL 2 ALERT ("New virus causing large infections. Might be local to a specific region.")
- TruSecure: No comment on distribution
- Aladdin Knowledge Systems: Threat Level: Low