A new variant of the rapidly-spreading Mydoom.a worm emerged yesterday according to London's Mi2g security company.
This variant targets Microsoft's Web site for a distributed denial-of-service attack on February 1, instead of The SCO Group's Web site, which was targeted by the first version, Mi2g said in a statement. Mi2g pointed to minor changes to the text padding in the malware and said it's possible that Mydoom.b is being disseminated via infected computers turned into zombie machines by Mydoom.a, as well as the Kazaa file-sharing system.
If so, "this could turn the whole Mydoom episode into a much more adverse series of unfortunate events," Mi2g said.
Security companies said the emergence of another version of the worm could cause problems: "This is an extremely unwelcome development. Mydoom.b may have just multiplied the full impact of Mydoom.a a few fold," said D.K. Matai, executive chairman of Mi2g. "We know that many large and small organizations as well as homes are struggling to cope with the deluge of emails originating from the 'a' variant infections – never mind the arrival of 'b,' which shows signs of being just as vicious."
Early information indicates that the new variant is likely spreading in the wild, said Ken Dunham, director of malicious code at iDefense, a security consulting company in Reston, Va.
Dunham said the Mydoom.b worm modifies the standard hosts file in a Windows folder that can block access to 65 Web sites, most of which are antivirus Web sites, in an apparent attempt to block users from downloading antivirus solutions and data.
"This new variant of Mydoom is worse than Mydoom.a," Dunham said in a statement via email. "And an attack on the Microsoft.com Web site could cause a significant disruption of services for users worldwide. It's feasible that Mydoom.a computers are now being used to help launch Mydoom.b, via the proxy setup supported by the worm. If this is the case, Mydoom.b will likely become very prevalent in the wild in just a few short hours."
Although that doesn't mean millions of computers are actually infected, it could mean millions of emails harbouring the worm are in the wild, Dunham said.
He said computer users should be on guard for a succession of worm attacks this year. "Undoubtedly, attackers are now mirroring the success of worms like Sobig to launch successive attacks in 2004," Dunham said.
Moscow-based security software developer Kaspersky Labs has a different reading of the new variant than Mi2g. It said Mydoom.b is scheduled to launch a DoS attack between February 1 and February 12 on both www.sco.com and www.microsoft.com.
"Our analysts believe that Mydoom.b is probably using machines infected by the original Mydoom, which could mean as many as 600,000 units," Kaspersky Labs said.
"These infected computers may have received a command to send out copies of Mydoom.b. Therefore, the computer community may be facing a much more serious outbreak than the one caused by Mydoom.a on Jan. 27."