RealTime IT News

Muscular 'MyDoom' Mutant Blocks Anti-Virus Sites

Less than 48 hours after the appearance of the fast-spreading W32.Novarg.A@mm (MyDoom) virus, online security experts are warning of a more dangerous variant that attempts to block access to anti-virus Web sites.

The latest MyDoom variant is also programmed to launch a distributed denial-of-service (DDoS) attack against Microsoft's home page and is being described as "worse than MyDoom.A" because it modifies the hosts file to block access to 65 anti-virus Web sites where end-users go for security updates.

Among sites blocked are online security specialists Sophos, F-Secure, McAfee, Symantec, Network Associates and Computer Associates.
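The blocking technique the article describes leaves a visible trace: vendor hostnames in the hosts file pointed at loopback or 0.0.0.0. The following is an added example, not code from the article or from any vendor, showing how a defender can parse a hosts file and flag such entries; the vendor domain list and the sample hosts content are constructed for illustration.

```python
import ipaddress

# Domains of the vendors the article names (constructed list, not the
# worm's own table of 65 sites).
AV_DOMAINS = {"sophos.com", "f-secure.com", "mcafee.com", "symantec.com",
              "nai.com", "ca.com"}

# Constructed hosts file: normal entries plus sinkhole lines of the kind the
# article describes (vendor sites pointed at loopback or 0.0.0.0).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    intranet.example      # constructed, legitimate
0.0.0.0         www.sophos.com
127.0.0.1       securityresponse.symantec.com
127.0.0.1       update.example        # constructed, sinkholed but not a vendor
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def is_sinkhole(ip):
    """True when the address sends traffic nowhere (loopback or 0.0.0.0)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def sinkholed_hosts(text):
    """All names mapped to a sinkhole address, except the localhost entry."""
    return sorted(n for ip, n in parse_hosts(text)
                  if is_sinkhole(ip) and n != "localhost")


def find_blocked_av_sites(text, vendors=AV_DOMAINS):
    """Subset of sinkholed names that belong to a known anti-virus domain."""
    return [n for n in sinkholed_hosts(text)
            if any(n == d or n.endswith("." + d) for d in vendors)]
```

On a real system, feed the function the contents of the platform's hosts file (for example `%SystemRoot%\System32\drivers\etc\hosts` on Windows) and treat any non-empty result as a sign that update traffic is being silently discarded.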

The original virus, which is spreading at a rate of one in every 12 e-mails, is set to launch a DDoS attack against the home page of the SCO Group and is also capable of setting up a backdoor on an infected system by opening TCP ports 3127 through 3198.

The backdoor can let an attacker connect to an infected system and use it as a proxy to gain access to its network resources. In addition, the backdoor has the ability to download and execute arbitrary files, anti-virus experts have warned.

The MyDoom.B variant opens up a different TCP port and is capable of using millions of infected machines as zombies to spread itself.

"Mydoom.A will certainly catch the attention of people all around the world now that it is attacking Microsoft.com. An attack on the Microsoft.com web site could cause a significant disruption of services for users worldwide," said Ken Dunham, director of malicious code at research firm iDEFENSE.

Dunham believes computers affected by the original worm are now being used to help launch MyDoom.B, via the proxy setup supported by the worm. "If this is the case, MyDoom.B will likely become very prevalent in the wild in just a few short hours."

According to Sophos, MyDoom.B mirrors the operations of its predecessor to harvest e-mail addresses from address books and from files with the following extensions: WAB, TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL.

News of the mutant comes as anti-virus firms continue to maintain the highest possible threat levels on MyDoom. British risk assessment firm Mi2G is estimating the virus has already caused nearly $3 billion in economic damage worldwide in terms of lost business, bandwidth clogging, productivity erosion, management time reallocation and cost of recovery.

The company said the virus has already spread to more than 170 countries and is now rated as the 9th worst malware of all time. "We know that many large and small organizations as well as homes are struggling to cope with the deluge of emails originating from the A variant infections never mind the arrival of B, which shows signs of being just as vicious," said Mi2G spokesman DK Matai.

In addition to snarling network traffic and overloading e-mail servers, the effects of the virus are wide-ranging. At the time of writing, virus-scanning capabilities on Yahoo's popular e-mail service were unavailable, a likely result of MyDoom. Yahoo officials could not be reached for comment.

New York-based ISS X-Force plans to raise the AlertCon level for the virus to 3 (AlertCon 4 is the highest) this weekend, pending expected developments, while Symantec rates it as the maximum Category 4.