dcsimg
RealTime IT News

More Gloom from MyDoom Virus

As network administrators at Google and other major search engines finished shoring up their defenses to combat the latest strain of MyDoom, the virus' secondary motive emerged: clearing a path for attacking Microsoft.com and opening up a backdoor to the user's computer.

Ken Dunham, director of malicious code at security firm iDEFENSE, released information Tuesday morning on Zindos.A, a new virus that takes advantage of the Trojan horse already found within the MyDoom.O virus. That Trojan, Zincite.A, launches Zindos.A, which then launches a Denial of Service (DoS) attack on Microsoft.com and uploads itself to random Internet-connected computers with an open TCP port 1034.

Microsoft officials encouraged computer users to download the latest anti-virus definitions from their vendors. The virus affects Windows 2000/95/98/ME/NT/Server 2003/XP operating systems.

The company issued a statement Tuesday morning:

"Microsoft began investigating reports of a new backdoor worm named 'Zindos,' which is reported to instruct infected computers to conduct a Distributed Denial of Service (DDOS) attack against the Microsoft.com domain. Microsoft has taken steps to ensure that Microsoft.com remains available to customers. The Microsoft.com network is stable and has been consistently accessible to customers."

Zindos.A can't do anything until it comes in contact with computers already altered by the MyDoom.O virus. Zincite.A is the Trojan that opens up TCP port 1034 on a user's computer and then randomly scans other Internet-connected computers for an opening in the same port.

If another computer with port 1034 open is found by the Trojan, it sends an encrypted copy of itself to that computer, where it extracts itself, conducts another random scan and launches Zindos.A, which starts the cycle anew.

Dunham said Zincite.A also performs another function that is still unknown but is "indicative of a peer-to-peer type communication between Zincite-infected computers or a backdoor Trojan horse."

He expects criminal motives, like software that collects private information like passwords, credit card information, etc.

According to Symantec, which labels this latest virus as MyDoom.M, rates the virus' potential for damage as "medium," although the company considers it "high" in distribution

As in the case of many of the MyDoom variants that have come before, the spread of the virus is attributable more to consumers than to enterprise networks, whose network administrators had anti-virus and firewall measures in place to put a stop to the proliferation of the malicious code.

"To launch MyDoom, you've got to click the attachment; it's not an auto-execute so it's a lot of gullible end users who are clicking this attachment," said Peter Firstbrook, an infrastructure analyst at research firm META Group.

He compares the variations of the MyDoom, which started at .A for the original and is now up to .O, or .M to some security firms, to an open source project. The source code to the original MyDoom virus was made available to other virus writers, Firstbrook said, who had an idea for a new virus but needed a delivery mechanism.

Firstbrook said that in talks with security experts at MessageLabs, they were still trying to find out exactly what this latest virus is still capable of doing, as there are encrypted parts of the code that make investigations difficult.

Monday morning's launch of the MyDoom.A virus caught its targets unprepared. The virus grabs the domain addresses (e.g. @ameritech.net) of contacts in the user's address book and launches a query at search engines looking for other users. It caused minor outages to Google's Web site, but the company was able to quickly restore service, officials said.

Web site performance monitor Keynote Systems said the four major search engines -- Google, Yahoo, AltaVista and Lycos -- had restored 97 percent availability by 7 p.m. EST.

Symantec has released a removal tool for those without anti-virus software. It can be found here, though it does not remove the latest Zindos.A virus.