A new variant of the MyDoom Internet worm contains some puzzling add-ins: a photo that bears a likeness of Sven Jaschan, whom police in Berlin last week charged with computer sabotage after he admitted to authoring the Sasser worm, and a high-level description of how it does what it does.
The variant, which is being called MyDoom.AA by Computer Associates International Inc. and MyDoom.Y by F-Secure Corp. and McAfee Inc., among other names, packs in its payload a description from the author on how the virus was programmed, what its supposed to do and how it retrieves e-mail addresses from, for example, Microsoft Corp.s Outlook address book.
Thats nothing new, though, since thats a typical characteristic of MyDoom variants, according to Sam Curry, vice president of eTrust security management at Computer Associates, in Islandia, N.Y.
“There are remote-control Trojans,” Curry said. “When installed, it gives a hacker who knows its there control of the system. Most of these programs contain read-mes and text files on how to use them. Its not unusual for the MyDoom series. It happens all the time.”
The one thing thats unique in the how-to file is the fact that its a “high-level summary,” according to Craig Schmugar, a virus research manager with McAfee Inc.s AVERT (Anti-Virus and Vulnerability Emergency Response Team), in Beaverton, Ore.
“For MyDoom [variants] specifically, I cant think of another that created a text file that outlined what [the worm] was trying to do,” he said. “Its not uncommon for virus authors who are sending stuff directly to anti-virus companies to include a description of what theyre doing,” but for such a description to go out in an infectious payload is unusual, he said.
The inclusion of this kind of self-referential instruction set might just be a ploy to get attention, Schmugar said. “You might infer by them doing this theyre making it easier for people to describe that variant,” he said.
“Perhaps in the authors eyes theyre hoping their variant will get more attention, more press and more descriptions written about it, which is kind of whats happening.”
Curry said the worm is spreading slowly in the labs, which is puzzling, given that it has all of the elements to make it a fast and harmful pest. MyDoom.AA has the potential to spread rapidly in a number of ways, including via Kazaa file-sharing or via ICQ instant messaging.
MyDoom.AA contains a remote-controlled payload it installs along with the photo of Jaschan on infected systems. Anybody who knows the worm is there can remotely connect to the infected computer, thus allowing an intruder to effectively take control of the system as if he or she were logged in and sitting at the keyboard, Curry said.
CA has been watching MyDoom variants since last week, Curry said. On Friday, researchers discovered and tracked four new variants.
Computers running heuristics behavioral analysis, which is a default for security products such as that from CA, are immune to the latest variant. Users and enterprises must keep their anti-virus software up to date, however, as opposed to assuming theyre safe merely because theyre running heuristics, Curry said.
“On principle, I must insist, most people should regularly be up-to-date,” he said. “Its always a good habit. Virus writers can find a way around heuristics.”
As far as the photo goes, Curry described it as “ironic,” given that Jasachan is suspected of authoring the Netsky and Sasser viruses.
Jaschan in May told authorities he had created the Netsky virus in order to automatically remove two other viruses from infected systems: MyDoom and Bagle. After creating several Netsky variations, he went on to create Sasser, he told authorities.