MyDoom.C Slams Into

UPDATED: A stripped-down version of the MyDoom worm, a k a Doomjuice, on Monday spread through network backdoor and attacked Microsoft's Web site.

A new version of the MyDoom worm appears to be circulating on the Internet and may be responsible for some disruptions to Microsoft Corp.s Web site Sunday night and Monday morning, researchers said.

When its executed, the new variant, called MyDoom.C, or Doomjuice, begins scanning for machines listening on TCP port 3127. When it finds available PCs, it copies itself to the new machines Windows directory under the file name "intrenat.exe" and also creates a file named "sync-src-1.00.tbz" in several locations.

But unlike the two previous versions of MyDoom, this third variant does not spread via e-mail, nor does it install a backdoor on infected machines or have a kill date, according to an analysis done by Ken Dunham, malicious code manager for iDefense Inc., based in Reston, Va. The worms code is not encrypted, but it contains all of the source code for MyDoom.A.

The new worms infection procedure may limit its spread, experts said. MyDoom.C spreads by scanning for machines that are already infected with one of the other variants of the worm. So the possibility of spreading widely in the enterprise is mitigated by the fact that most companies affected by one of the other worms likely already has cleaned up those PCs. Also, administrators can trump the new variant by blocking Port 3127 at the firewall.


"The risk presented by Mydoom.C needs to be tempered with the fact it is easily foiled by protection available from as early as two weeks ago. The fact the worm preys on existing Mydoom infected computers is much like a flock of vultures circling around an unfortunate soul about to succumb to the elements in that it is picking through scraps," said Ian Hameroff, eTrust security strategist at Computer Associates International Inc. of Islandia, N.Y.

"A better takeaway from this low-risk threat, is that computer users cannot treat the risk from malware as an episodic situation based on a specific virus event," Hameroff continued. "Instead, they need to treat the cause, be it social engineering or outdated virus definition updates, not an individual flare-up."

However, iDefense was pessimistic on the outlook for controlling MyDoom.C. Company officials said, "Mydoom.C has the potential of spreading to 500,000 or more computers easily in the first week, hijacking Mydoom.A infected computers."

MyDoom.C does have the ability to launch a denial-of-service attack against Microsofts main Web site, which experienced some severe performance problems overnight Sunday and again Monday morning, according to data compiled by Netcraft Ltd. If the worm is started between Feb. 8 and Feb. 12, it starts a thread that sleeps for a random amount of time and then spawns 80 threads that begin requesting pages from at once. MyDoom.C does not try to attack The SCO Groups Web site, however, as the two previous versions did.

A Microsoft spokesman said Monday that any performance problems on the companys site are likely related to countermeasures the company took to evade the MyDoom.B DDoS attack and not an attack from machines infected with the latest variant."

Additional reporting by Security Topic Center Editor Larry Seltzer

Editors Note: This story was updated to include new information on the action of the worm and comments from security experts.

Discuss This in the eWEEK Forum