PC Users Warned Over New Mydoom Threat


Computer experts today alerted PC users to a powerful new version of the Mydoom virus, which has already caused an estimated $20bn (£10bn) of damage to businesses worldwide.

The Doomjuice, or Mydoom.C, worm was first detected yesterday. According to researchers at F-Secure Antivirus, a Finnish software company, it has already spread to "tens of thousands" of computers.

The virus is not spread by email, but targets Windows machines already infected with the original 'Mydoom.A' virus.

It works by scanning random internet addresses until it identifies computers containing a special programme, known as a backdoor, installed by Mydoom.A.

When Doomjuice finds a machine that is infected by Mydoom.A, it begins to download itself onto the PC.

According to F-Secure, the worm will infect the computer "totally automatically - the owner of the computer can be sleeping and still get Doomjuice".

The main aim of the virus, as was the case with its predecessor, is to attack the websites of major software companies by bombarding them with messages from thousands of infected PCs.

This "denial of service" attack against www.microsoft.com - one of the largest in the world - began on Sunday.

It is programmed to go on indefinitely in an attempt to overload the site by repeatedly reloading its front page. The website still seemed to be operational today, but a disruption in service was noted yesterday.

Mikko Hypponen, the director of antivirus research at F-Secure, said that Doomjuice drops the original source code of the Mydoom.A worm in an archive to several folders of infected computers.

"This proves to us that Doomjuice and Mydoom.A are written by the same people," he said. "The source code of Mydoom.A has not been seen circulating in the underground before."

The hackers could be distributing the source code in an attempt to cover their tracks, he added.

"The authors know the police are looking for them," Mr Hypponen said. "And the best evidence against them would be the possession of the original source code of the virus.

"Before the Doomjuice incident, only the authors of Mydoom.A had the original source code. Now, probably tens of thousands of people have it on their hard drive without knowing it."

Last month, Microsoft promised a $250,000 reward to anyone who helps track down the author of the Mydoom virus.

F-Secure was one of the first companies to warn of the dangers of the original self-replicating Mydoom worm - also known as Novarg - which spread across the globe through spam email last week.

Doomjuice's ability to spread is limited because it will only attack computers infected by Mydoom, said Mr Hypponen. He added that "lots of" computers were already being cleaned up "at a quick rate".

However, he warned that, unlike Mydoom - which is programmed to stop spreading on February 12 - Doomjuice could run forever. "[It could run] at least until all computers everywhere infected by both worms have been cleaned up, and that could be years," he said.

F-Secure said that it was difficult to fully assess how destructive Doomjuice has so far been, but added that one sensor monitoring one fifth of the world's internet traffic yesterday had found 30,000 hits.
