Zindos capitalizes on MyDoom.O infections
New Internet worm uses an open back door in Windows machines infected by MyDoom.O
Antivirus companies issued warnings and software updates on Tuesday for a new Internet worm, dubbed Zindos, that infects machines already compromised by the MyDoom.O worm, which appeared on Monday, and launches an attack on the Microsoft Corp. Web site.
Zindos.A takes advantage of an open back door in Windows machines that contracted the MyDoom.O worm. While the worm has not knocked Microsoft's Web site offline and is not considered a serious threat by most antivirus vendors, the ease with which it spread raises troubling questions about the ability of virus authors to control and plant malicious programs on machines infected by their creations, said Graham Cluley, senior technology consultant at antivirus company Sophos PLC.
The Zindos worm spreads by connecting to TCP (Transmission Control Protocol) port 1034, the back door opened by a Trojan horse program called Zincite that MyDoom.O deposited on the Windows machines it infected, according to antivirus company Symantec Corp.
MyDoom.O, referred to by some antivirus companies as MyDoom.M, appeared on Monday and is the 15th variant of the original MyDoom worm, which ravaged the Internet in January.
Zindos infects Windows machines without any action by the computer user, and modifies the Windows configuration so that the worm is started along with the operating system. Once installed, Zindos begins searching for other MyDoom-infected machines to send copies of itself to, Symantec said.
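The propagation pattern described above, an infected host sweeping other machines for an open TCP port 1034 and copying itself to any that answer, is easy to spot in perimeter or flow logs. The following is an added example of that detection logic, not code from the article or from Symantec or Sophos: it runs over a constructed, space-separated connection log (timestamp, source, destination, destination port, outcome) and reports hosts that accepted a connection on 1034 (candidate Zincite back doors) and hosts fanning out to many targets on 1034 (candidate Zindos scanners). The log format, the hostnames and the fan-out threshold are assumptions; only the port number comes from the article.

```python
"""Flag MyDoom.O/Zincite back doors and Zindos-style scanners in connection logs.

Added example (not from the article or any antivirus vendor). The log
format below is an assumption; TCP port 1034 is from the article.
"""
from collections import defaultdict

BACKDOOR_PORT = 1034      # port the Zincite back door listens on (from the article)
FANOUT_THRESHOLD = 5      # assumed: distinct targets on 1034 before a source counts as scanning

# Constructed sample log: "<timestamp> <src_ip> <dst_ip> <dst_port> <outcome>".
# Lines starting with '#' are comments. All addresses are made up.
SAMPLE_LOG = """\
# 10.0.0.5 sweeping the subnet on TCP 1034 (Zindos-style propagation)
2004-07-27T10:00:01 10.0.0.5 10.0.0.10 1034 REFUSED
2004-07-27T10:00:01 10.0.0.5 10.0.0.11 1034 REFUSED
2004-07-27T10:00:02 10.0.0.5 10.0.0.12 1034 ESTABLISHED
2004-07-27T10:00:02 10.0.0.5 10.0.0.13 1034 REFUSED
2004-07-27T10:00:03 10.0.0.5 10.0.0.14 1034 REFUSED
2004-07-27T10:00:03 10.0.0.5 10.0.0.15 1034 REFUSED
2004-07-27T10:00:04 10.0.0.5 10.0.0.16 1034 REFUSED
2004-07-27T10:00:04 10.0.0.5 10.0.0.17 1034 ESTABLISHED
# 10.0.0.12, now carrying Zindos, starts a shorter sweep of its own
2004-07-27T10:05:10 10.0.0.12 10.0.0.20 1034 REFUSED
2004-07-27T10:05:10 10.0.0.12 10.0.0.21 1034 REFUSED
2004-07-27T10:05:11 10.0.0.12 10.0.0.17 1034 ESTABLISHED
# ordinary traffic that must not be flagged
2004-07-27T10:06:00 10.0.0.3 10.0.0.12 80 ESTABLISHED
2004-07-27T10:06:05 10.0.0.3 10.0.0.40 1034 REFUSED
"""


def parse_log(text):
    """Return a list of (timestamp, src, dst, port, outcome) tuples, skipping
    blank lines, comments and malformed rows."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        ts, src, dst, port, outcome = parts
        records.append((ts, src, dst, int(port), outcome))
    return records


def find_backdoor_listeners(records):
    """Hosts that accepted a connection on the back-door port: candidates for
    a MyDoom.O/Zincite infection, to be confirmed on the host itself."""
    return sorted({dst for _, _, dst, port, outcome in records
                   if port == BACKDOOR_PORT and outcome == "ESTABLISHED"})


def find_scanners(records, threshold=FANOUT_THRESHOLD):
    """Sources that attempted the back-door port against at least `threshold`
    distinct destinations; refused attempts count, since a sweep is mostly
    misses. Returns {src: distinct_target_count}."""
    targets = defaultdict(set)
    for _, src, dst, port, _ in records:
        if port == BACKDOOR_PORT:
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("candidate back doors:", find_backdoor_listeners(recs))
    print("candidate scanners:  ", find_scanners(recs))
```

An accepted connection on 1034 only marks a host as a candidate; as Cluley notes below, the back door expects the right "knock", so a port check cannot tell a Zincite listener from some other service that happens to use 1034, and the host should be inspected before it is treated as infected. The fan-out count is the stronger signal: a single failed attempt (10.0.0.3 above) is noise, a sweep across the subnet is not.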
Zindos has not infected many of Sophos' corporate customers, which were also spared the worst of MyDoom.O. However, the worm may be causing more problems among home users with broadband Internet connections who lack firewall or antivirus software, Cluley said.
Sophos experts believe that the MyDoom author created Zindos and that the follow-on infection may have been planned all along, Cluley said.
"There are similarities in the code," he said. "And, the way MyDoom opened the back door on computers, other viruses would have to know the right password to be able to use it -- it's like knowing the right knock on the door to get into the private casino."
The MyDoom author has shown hostility to Microsoft in the past, Cluley observed. MyDoom.B, the worm's second version, also contained a preprogrammed denial of service attack against the Redmond, Washington, software maker.
The Zindos worm also indicates the thriving interest among virus writers in building armies of compromised computers, or bots, which can be used to launch attacks or sold to others for spam distribution or other nefarious purposes, Cluley said.
"Owning a large network of zombie computers is a very powerful and rather valuable resource to have," he said.
Antivirus companies advised customers to update their antivirus software to obtain signatures that can spot Zindos, but only customers who have been hit by the latest MyDoom worm need to be concerned about this new worm, Cluley said.
Those affected by that worm should remove it from their computer and install antivirus software and a firewall to keep from being victimized by Zindos, too, he said.