New Mydoom worm discovered

A new variant of the Mydoom.a (Novarg.a) worm, which has been spreading swiftly across the Internet since Monday, emerged Wednesday, according to London-based security vendor Mi2g Ltd.

The variant, Mydoom.b, has a larger payload and targets Microsoft Corp.’s Web site for a distributed denial-of-service attack on Feb. 1, instead of The SCO Group Inc.’s Web site, which was targeted by the first version, Mi2g said in a statement. Mi2g pointed to minor changes to the text padding in the malware and said it’s possible that Mydoom.b is being disseminated via infected computers turned into zombie machines by Mydoom.a, as well as the Kazaa file-sharing system.

If so, "this could turn the whole Mydoom episode into a much more adverse series of unfortunate events," Mi2g said.

No one has yet reported an infection by Mydoom.b, said David Perry, global director of education at Cupertino, Calif.-based antivirus vendor Trend Micro Inc. "If 100 people in the world had been infected, we would know," he said. "In fact, almost all of the viruses that have ever been detected never infected anybody ever. We say that there are about 77,000 known viruses, but only about 900 of them have ever infected anyone."

Even so, security companies said the emergence of another version of the worm could cause problems.

"This is an extremely unwelcome development. Mydoom.b may have just multiplied the full impact of Mydoom.a a few fold," said D.K. Matai, executive chairman of Mi2g. "We know that many large and small organizations as well as homes are struggling to cope with the deluge of e-mails originating from the ‘a’ variant infections -- never mind the arrival of ‘b,’ which shows signs of being just as vicious."

Early information indicates that the new variant is likely spreading in the wild, said Ken Dunham, director of malicious code at iDefense Inc., a security consulting company in Reston, Va.

Dunham said the Mydoom.b worm modifies the standard hosts file in a Windows folder that can block access to 65 Web sites, most of which are antivirus Web sites, in an apparent attempt to block users from downloading antivirus solutions and data.

"This new variant of Mydoom is worse than Mydoom.a," Dunham said in a statement via e-mail. "And an attack on the Microsoft.com Web site could cause a significant disruption of services for users worldwide. It’s feasible that Mydoom.a computers are now being used to help launch Mydoom.b, via the proxy setup supported by the worm. If this is the case, Mydoom.b will likely become very prevalent in the wild in just a few short hours."

Although that doesn’t mean millions of computers are actually infected, it could mean millions of e-mails harboring the worm are in the wild, Dunham said.

He said computer users should be on guard for a succession of worm attacks this year. "Undoubtedly, attackers are now mirroring the success of worms like Sobig to launch successive attacks in 2004," Dunham said.

Security vendor BitDefender in Bucharest, Romania, said Mydoom.b is only slightly different from the first virus variant.

"Still, we can expect a new wave of infections, as the author already has a base target," said Mihai Neagu, a virus researcher at BitDefender. "It seems, by the sheer amount of the first version that got sent through networks at this point, that many users will inadvertently cause a new major outbreak."

Moscow-based security software developer Kaspersky Labs has a different reading of the new variant than Mi2g. It said Mydoom.b is scheduled to launch a DoS attack between Feb. 1 and Feb. 12 on both www.sco.com and www.microsoft.com.

"Our analysts believe that Mydoom.b is probably using machines infected by the original Mydoom, which could mean as many as 600,000 units," Kaspersky Labs said in a statement via e-mail. "These infected computers may have received a command to send out copies of Mydoom.b. Therefore, the computer community may be facing a much more serious outbreak than the one caused by Mydoom.a on Jan. 27."