A series of new worms spread on the Internet on Wednesday, spreading through conventional e-mail methods. The new versions have escalated their attacks and destructiveness.
On the prowl is MyDoom.F worm, which began action on Monday. It is the latest version one of most successful worms on record; earlier MyDoom variants in January launched a series of distributed denial of service attacks (DDoS) against Microsoft Corp. and The SCO Group. The new version retains its predecessors capability to perform a DDoS attack.
“What is interesting about these latest worm trends is that they are very politically motivated. More than your curious teenage hacker at work; these attacks are stemming from groups seeking to make a statement on some of todays most controversial technology issues,” said Scott Chasin, chief technology officer of MX Logic Inc., in a statement.
Beyond its DDoS target, MyDoom.F is also more destructive. A PC Magazine analysis of MyDoom.F, said the worm attempts to delete files on the system based on a probabilistic formula, adding an element of destructiveness rarely seen in such worms.
The worm also attempts to spread to file sharing users. For all these reasons, antivirus vendors are giving it a higher threat ranking than usual.
The latest threat is NetSky.C, which arrived on Wednesday. The worm is a variant of NetSky.B, which spread rapidly earlier this month, according to security vendors. It is also called Moodown.C.
According to F-Secure Corp.s analysis of the worm, the new version is compressed with a different program. It also behaves differently in several ways than its predecessor, such as searching far more files for e-mail addresses that it can use to spread itself.
The worm arrives in a ZIP file attachment to an e-mail message. The file inside the ZIP will have two file extensions, the first for an innocuous file type such as .RTF and the second for an executable file type, such as .SCR.
Once run, the work stores a copy of itself in the Windows folder, sets a registry key to load itself at startup, and searches the users files for e-mail addresses, although it does not send itself to addresses with certain strings in them, such as “FBI”. It also deletes a number of other registry keys and attempts to copy itself to folders with the string “SHAR” in their names.
Editors Note: This story was updated to to clarify the status of MyDoom.Fs DDoS target. MX Logic officials said the company was not targeted by the worm.