MyDoom Virus Could be ‘Linux War’ Weapon

The SCO Group late Tuesday offered a $250,000 reward
for the arrest and conviction of the writer of a fast-spreading mass-mailing
virus that is programmed to launch a massive distributed denial-of-service
(DDoS) attack against the SCO home page.

The MyDoom virus, which has emerged as an unlikely
weapon in the ongoing ‘Linux War’ between SCO and the open-source community,
is set to launch the DDoS attack against SCO on Feb. 1 and has a trigger
date to stop spreading on Feb. 12.

Lindon, Utah-based SCO has drawn the ire of open-source advocates in
recent months because of its litigation against Linux vendors IBM, Red Hat and Novell,
claiming that some of its code was being used in implementations of the
Linux OS.

As anti-virus experts continue to maintain high threat levels on the
virus, SCO issued a statement calling for an end to the “criminal
activity.”

“The perpetrator of this virus is attacking SCO, but hurting many others
at the same time. We do not
know the origins or reasons for this attack, although we have our
suspicions,” SCO said without offering details. The company said it was
working with the U.S. Secret Service and Federal Bureau of Investigation
(FBI) to determine the identity of the perpetrators.

“This one is different and much more troubling, since it harms not just
our company, but also damages the systems and productivity of a large number
of other companies and organizations around the world,” said SCO chief
executive Darl McBride.

Craig Schmugar, virus research manager at Network Associates, told internetnews.com the distribution of the virus was
continuing to spread rapidly late Tuesday, a full 24 hours after it was
first spotted circulating in Russia.

MessageLabs reports that the e-mail to virus ratio for MyDoom has hit
1-in-12 e-mails, surpassing the SoBig.F virus which peaked at 1-in-17
e-mails. “[We have stopped] more than 1.2 million copies of MyDoom so far
and as the U.S. comes online, we expect this number to grow considerably,”
according to a MessageLabs spokesperson.

In an advisory posted late Monday, Symantec warned that the worm is capable of
setting up a backdoor into an infected system by opening TCP ports 3127 through
3198. “This can potentially allow an attacker to connect to the computer and
use it as a proxy to gain access to its network resources. In addition, the
backdoor has the ability to download and execute arbitrary files,” the
anti-virus firm said.

MyDoom (also known as MiMail-R) arrives as an attachment with the file
extension .bat, .cmd, .exe, .pif, .scr, or .zip. It uses a variety of
subject lines like “Hi” or “Hello” and sometimes uses technical subjects
like “Mail Transaction Failed” or “Server Report.”
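The indicators the article lists (the TCP 3127 through 3198 backdoor range, the attachment extensions and the lure subject lines) are enough to write a simple triage check. The following is an added example, not code from the article or from any of the vendors quoted; the mail metadata and the `netstat -an` excerpt it runs on are constructed, and the function names are mine.

```python
import re

# Indicators taken from the article: the backdoor opens TCP 3127 through 3198,
# the attachment uses one of these extensions, and the subject is one of these.
BACKDOOR_PORTS = range(3127, 3199)          # 3127..3198 inclusive
ATTACHMENT_EXTENSIONS = {".bat", ".cmd", ".exe", ".pif", ".scr", ".zip"}
SUBJECT_LINES = {"hi", "hello", "mail transaction failed", "server report"}

# Matches a 'netstat -an' style line for a local TCP listener; captures the port.
_LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\b", re.IGNORECASE)


def message_indicators(subject: str, attachment_names: list[str]) -> list[str]:
    """Return the MyDoom-style indicators present in one mail's metadata.

    Only the subject text and attachment file names are inspected; a match is
    a reason to hold the message for inspection, not proof of infection.
    """
    reasons = []
    if subject.strip().lower() in SUBJECT_LINES:
        reasons.append(f"subject matches known lure: {subject!r}")
    for name in attachment_names:
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in ATTACHMENT_EXTENSIONS:
            reasons.append(f"attachment uses executable/archive extension: {name}")
    return reasons


def backdoor_listeners(netstat_lines: list[str]) -> list[int]:
    """Return local TCP ports in the 3127-3198 range that are in LISTENING state."""
    found = set()
    for line in netstat_lines:
        m = _LISTEN_RE.match(line)
        if m and int(m.group(1)) in BACKDOOR_PORTS:
            found.add(int(m.group(1)))
    return sorted(found)


# Constructed sample input (not real captures): one lure message and a
# 'netstat -an' excerpt with a single listener inside the backdoor range.
SAMPLE_MESSAGE = ("Mail Transaction Failed", ["document.zip", "readme.txt"])
NETSTAT_SAMPLE = [
    "  Proto  Local Address          Foreign Address        State",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING",
    "  TCP    10.0.0.5:3198          10.0.0.9:445           ESTABLISHED",
]

if __name__ == "__main__":
    print(message_indicators(*SAMPLE_MESSAGE))
    print(backdoor_listeners(NETSTAT_SAMPLE))
```

The port check only flags listeners, so an established outbound connection on a port in the range (as in the last sample line) is deliberately ignored.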

If the attachment is opened, the worm installs itself to the system
folder and copies itself to the Kazaa download directory. In some cases,
MyDoom pretends to be a pirated copy of Microsoft Office and makes itself
available for download on the file-sharing network.

According to Sophos security analyst Chris Belthoff, the MyDoom virus
writer has embraced the use of .ZIP attachments to circumvent gateway
filtering. Because .ZIP files are normally used to send large files within
the enterprise, it’s easier to get a .ZIP attachment into an in-box, he
said.

Belthoff said the latest viruses were also using visual aids to trick users
into opening the attachment. In this case, MyDoom appears in most mail
clients with an icon resembling a text file attachment. “The message is
fairly innocuous and the ‘from’ addresses have all been spoofed but this one
is spreading fast because of the way it employs new tricks.

“This is unlike many other mass-mailing worms we have seen in the past,
because it does not try to seduce users into opening the attachment by
offering sexy pictures of celebrities or private messages.”
