The rapid spread of MyDoom.A was a pretty scary thing to witness. I knew that I had immediately recognized it as a worm when it showed up here, but still it's scary when so many people out there get infected. Then MyDoom.B came out and I really got concerned, partly because of its evil practice of locking users out of accessing security sites from which they might disinfect themselves.
MyDoom.B seemed like a slam-dunk to spread far and fast. Apart from the usual mass-mailing and KaZaA-based propagation methods, it also searches the Internet for systems with the MyDoom.A backdoor installed (and it uses a really weird method of scanning for those systems, skipping many of them for no apparent reason). When it finds a system running the backdoor, it sends it a copy of MyDoom.B for installation.
In the abstract, this should be the right way to do it, and you'd think that with an ecosystem so fertile with MyDoom.A infestations, B would be all over the place. Such is emphatically not the case. I searched the analyses of the MyDoom.B virus on the Web sites of several security firms. I found little reason for fear; the technical descriptions are all pretty scary, but almost all of those sites with an assessment of how far it has spread classify that spread as "little or none." Here's a handy list for your own inspection:
Links to Security Firms' MyDoom.B Analyses and Remarks on Spread in the Wild:
- Symantec: rates it "Low (0-49)"; separately, Symantec Security Response is seeing fewer than a dozen submissions of the B variant
- Trend Micro: found 1 copy in the wild
- McAfee: "Low-Profiled"
- Kaspersky: No comment on distribution
- Sophos: "At the time of writing, Sophos has received no reports from users affected by this worm."
- Panda Software: Distribution: Low
- Norman Antivirus: LOW RISK
- Command Software: No comment on distribution
- F-Secure: LEVEL 2 ALERT ("New virus causing large infections. Might be local to a specific region.")
- TruSecure: No comment on distribution
- Aladdin Knowledge Systems: Threat Level: Low
The only company that rates it anything above nothing is F-Secure, a company that's done a bit of scaremongering in the past. But "LEVEL 2" indicates less than it may seem, since the next lowest level of severity, LEVEL 3, describes a virus not necessarily in the wild. In other words, their levels and descriptions are not sufficiently granular.