MyDoom variant starting to spread

The first variant of the virulent MyDoom worm has been discovered, just 48 hours after the worm first appeared in the wild.

The original version, W32/MyDoom.a, also known as Norvag, has since its discovery on Monday become one of the fastest spreading e-mail worms ever. It installs a back door on infected computers and is set to launch a denial-of-service attack against the Web site of SCO Group Inc. of Linden, Utah. The company confirmed that it is already experiencing a distributed denial-of-service attack.

The new version, MyDoom.b, appears to target the Microsoft Corp. Web site, also on Sunday, and carries a few more tricks with it.

"This new variant is worse than MyDoom.a," said Ken Dunham, director of malicious code for iDefense Inc. of Reston, Va. "It modifies the host's file to block access to antivirus Web sites and is configured differently."

MyDoom.b blocks access to 65 Web sites, most of them antivirus vendors.

Although Internet Security Systems Inc. of Atlanta has reported the new worm spreading rapidly in the wild, the Web-site blocking appears to be at least partly successful in interfering with attempts to counter it.

Network Associates Inc. of Santa Clara, Calif., is on the list of blocked sites.

"We're still having trouble confirming it is in the wild," said Jimmy Kuo, McAfee research fellow with Network Associates. The phrase "in the wild" refers to code that is spreading from computer to computer, as opposed to malicious code that exists in a lab setting.

McAfee has received complaints from customers, "but we aren't getting any submissions" of the malicious code from them.

The company has a copy of the code submitted by an antivirus worker in Europe, "and we don't know how he got hold of it," Kuo said.

The original version of MyDoom has proved so troublesome that SCO Group has offered a reward of up to $250,000 for information leading to the arrest and conviction of the worm's author.

SCO is working with the Secret Service and the FBI. People with information should contact their local FBI office.

MyDoom appears to be motivated, at least in part, by anger toward SCO, which has claimed copyright to some parts of Linux, an open-source operating system. SCO's suit against IBM Corp. has generated a number of assaults by hackers against the organization.

Several security and antivirus experts have said that the new variant could be spreading via computers already infected by the original version. The back door placed on those computers could allow the machines to be used as relays for infected e-mails.

"If this is the case, MyDoom.b will likely become very prevalent in the wild in just a few short hours," Dunham said. "This does not mean that millions of computers are infected, but that millions of e-mails harboring the worm are in the wild."

Whether these e-mails infect new machines depends on whether users open the executable attachment carrying the infection.

William Jackson writes for Government Computer News magazine.