RealTime IT News

MyDoom Virus Could be 'Linux War' Weapon

The SCO Group late Tuesday offered a $250,000 reward for the arrest and conviction of the writer of a fast-spreading mass-mailing virus that is programmed to launch a massive distributed denial-of-service (DDoS) attack against the SCO home page.

The W32.Novarg.A@mm (MyDoom) virus, which has emerged as an unlikely weapon in the ongoing 'Linux War' between SCO and the open-source community, is set to launch the DDoS attack against SCO on Feb. 1 and has a trigger date to stop spreading on Feb. 12.

Lindon, Utah-based SCO has drawn the ire of open-source advocates in recent months because of its litigation against Linux vendors IBM, Red Hat and Novell, claiming that some of its code was being used in implementations of the Linux OS.

As anti-virus experts continue to maintain high threat levels on the virus, SCO issued a statement calling for an end to the "criminal activity."

"The perpetrator of this virus is attacking SCO, but hurting many others at the same time. We do not know the origins or reasons for this attack, although we have our suspicions," SCO said without offering details. The company said it was working with the U.S. Secret Service and Federal Bureau of Investigation (FBI) to determine the identity of the perpetrators.

"This one is different and much more troubling, since it harms not just our company, but also damages the systems and productivity of a large number of other companies and organizations around the world," said SCO chief executive Darl McBride.

Craig Schmugar, virus research manager at Network Associates, told internetnews.com the virus was continuing to spread rapidly late Tuesday, a full 24 hours after it was first spotted circulating in Russia.

MessageLabs reports that the e-mail to virus ratio for MyDoom has hit 1-in-12 e-mails, surpassing the SoBig.F virus which peaked at 1-in-17 e-mails. "[We have stopped] more than 1.2 million copies of MyDoom so far and as the U.S. comes online, we expect this number to grow considerably," according to a MessageLabs spokesperson.

In an advisory posted late Monday, Symantec warned that the worm is capable of setting up a backdoor into an infected system by opening TCP ports 3127 through 3198. "This can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources. In addition, the backdoor has the ability to download and execute arbitrary files," the anti-virus firm said.

MyDoom (also known as MiMail-R) arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip. It uses a variety of subject lines like "Hi" or "Hello" and sometimes uses technical subjects like "Mail Transaction Failed" or "Server Report."

If the attachment is opened, the worm installs itself to the system folder and copies itself to the Kazaa download directory. In some cases, MyDoom pretends to be a pirated copy of Microsoft Office and makes itself available for download on the file-sharing network.

According to Sophos security analyst Chris Belthoff, the MyDoom virus writer has embraced the use of .ZIP attachments to circumvent gateway filtering. Because .ZIP files are normally used to send large files within the enterprise, it's easier to get a .ZIP attachment into an in-box, he said.

Belthoff said the latest viruses were also using visual aids to trick users into opening the attachment. In this case, MyDoom appears in most mail clients with an icon resembling a text file attachment. "The message is fairly innocuous and the 'from' addresses have all been spoofed but this one is spreading fast because of the way it employs new tricks.

"This is unlike many other mass-mailing worms we have seen in the past, because it does not try to seduce users into opening the attachment by offering sexy pictures of celebrities or private messages."
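The article gives defenders three concrete indicators: the attachment extensions and subject lines the worm uses, the trick of wrapping the executable in a .ZIP to slip past gateway filters, and the backdoor listening on TCP 3127 through 3198. The following is an added example, not code from the article, Symantec, Sophos or any other party named above: a small Python triage script that flags a mail whose subject or attachment matches those indicators (looking inside ZIP attachments for an executable, which covers the gateway-evasion point), and a parser for Windows `netstat -an` output that reports listeners in the backdoor port range. The sample message and netstat excerpt are constructed inline; the netstat column layout is an assumption about the tool's output.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment extensions and subject lines named in the article's description of MyDoom.
RISKY_EXTENSIONS = {".bat", ".cmd", ".exe", ".pif", ".scr", ".zip"}
EXECUTABLE_EXTENSIONS = RISKY_EXTENSIONS - {".zip"}
KNOWN_SUBJECTS = {"hi", "hello", "mail transaction failed", "server report"}
# TCP ports the Symantec advisory says the backdoor opens (3127-3198 inclusive).
BACKDOOR_PORTS = range(3127, 3199)


def extension_of(filename):
    """Return the lower-cased final extension of a filename ('' if none)."""
    name = (filename or "").lower().rsplit("/", 1)[-1]
    return name[name.rfind("."):] if "." in name else ""


def zip_contains_executable(data):
    """True if a ZIP archive holds a member with an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(extension_of(n) in EXECUTABLE_EXTENSIONS for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_message(raw):
    """Return the reasons an RFC 822 message (bytes) looks like a MyDoom-style lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if (msg.get("Subject") or "").strip().lower() in KNOWN_SUBJECTS:
        reasons.append("subject matches known lure")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        ext = extension_of(fname)
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable attachment {fname}")
        elif ext == ".zip" and zip_contains_executable(part.get_payload(decode=True)):
            reasons.append(f"zip attachment {fname} wraps an executable")
    return reasons


def backdoor_listeners(netstat_lines):
    """Return local TCP ports in the backdoor range found in LISTENING state.

    Assumes the Windows 'netstat -an' layout: Proto, Local Address, Foreign Address, State.
    """
    found = set()
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP" or fields[3].upper() != "LISTENING":
            continue
        try:
            port = int(fields[1].rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        if port in BACKDOOR_PORTS:
            found.add(port)
    return sorted(found)


def build_sample_message():
    """Constructed sample: a 'Server Report' mail carrying a ZIP that wraps a .scr file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.scr", b"placeholder bytes, not a real payload")
    msg = EmailMessage()
    msg["From"] = "spoofed-sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Server Report"
    msg.set_content("Please see the attached report.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="document.zip")
    return bytes(msg)


# Constructed netstat excerpt: one listener inside the backdoor range, one outside.
SAMPLE_NETSTAT = [
    "  Proto  Local Address          Foreign Address        State",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING",
    "  TCP    192.168.1.5:1047       10.0.0.2:80            ESTABLISHED",
]

if __name__ == "__main__":
    print(triage_message(build_sample_message()))
    print(backdoor_listeners(SAMPLE_NETSTAT))
```

Both checks are deliberately narrow signatures of this one worm, which is the point of the article: the subject lines and the icon trick defeat users rather than filters, so a gateway rule that unpacks ZIP attachments and refuses executable members catches the evasion Belthoff describes, and a host check for unexpected listeners in 3127-3198 finds machines that have already been turned into proxies.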