Internet security companies have discovered a third version of the MyDoom email worm circulating on the Internet.
The new version, MyDoom.C, is a modified copy of the virus that ravaged the Internet in January. Unlike its predecessor, however, the new variant does not use email or the Kazaa peer-to-peer network to spread and is not expected to make much of an impact on the Internet, said managed security services provider LURHQ Corp.
MyDoom.C both refines and tames the earlier version of the virus, known as MyDoom.A. Among other changes, the new virus fixes problems with the original MyDoom email worm, including errors in the worm's code that made it impossible for many MyDoom-infected machines to launch a programmed denial of service (DoS) attack against The SCO Group's Web site.
Gone also is the expiration date that told machines infected with the original MyDoom virus to stop their DoS attack on February 12, 2004, LURHQ said.
Also, instead of depositing a file that opens a backdoor on infected machines, the new virus distributes a compressed archive of the worm's original source code, the company said.
However, the MyDoom.C author also removed many of the most dangerous features of the original virus, including the highly efficient SMTP (Simple Mail Transfer Protocol) engine that enabled infected machines to spew out email messages containing the virus. According to antivirus software companies, that component made the original MyDoom worm the fastest-spreading email worm in history, easily surpassing Sobig-F, the previous record holder, LURHQ said.
MyDoom.C seeks out and infects machines that are already infected with the original MyDoom virus by searching for machines that are listening on port 3127, a telltale sign of MyDoom infection, said security company iDefense in a security alert.
That approach will give MyDoom.C a solid base of as many as 500,000 machines, but will keep MyDoom.C from spreading much beyond the community of already-infected machines, LURHQ and iDefense said.
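Because MyDoom.C finds its hosts by probing TCP port 3127, a defender can spot both halves of that activity in perimeter logs: sources that sweep many internal addresses on 3127 (the new variant hunting) and internal hosts that accept a 3127 connection (likely still running the MyDoom.A backdoor). The following detection logic is an added example written for this article, not code from LURHQ, iDefense or the worm itself; the log format and the threshold of four distinct targets are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the article). The key=value
# layout is an assumption; adapt LINE_RE to your own firewall's output.
SAMPLE_LOG = """\
2004-02-09T10:11:12 src=10.0.0.5 dst=10.0.1.7 proto=tcp dport=3127 action=allow
2004-02-09T10:11:12 src=10.0.0.5 dst=10.0.1.8 proto=tcp dport=3127 action=deny
2004-02-09T10:11:13 src=10.0.0.5 dst=10.0.1.9 proto=tcp dport=3127 action=deny
2004-02-09T10:11:13 src=10.0.0.5 dst=10.0.1.10 proto=tcp dport=3127 action=deny
2004-02-09T10:11:14 src=10.0.0.5 dst=10.0.1.11 proto=tcp dport=3127 action=deny
2004-02-09T10:11:15 src=10.0.0.6 dst=10.0.1.7 proto=tcp dport=3127 action=allow
2004-02-09T10:11:16 src=10.0.0.6 dst=10.0.2.3 proto=tcp dport=80 action=allow
2004-02-09T10:11:17 src=10.0.0.7 dst=10.0.2.3 proto=tcp dport=443 action=allow
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)"
)

MYDOOM_BACKDOOR_PORT = 3127  # the port the article names as the MyDoom.A tell-tale


def analyze(log_text, scan_threshold=4):
    """Return (scanners, listeners) derived from firewall log text.

    scanners : sources that contacted at least `scan_threshold` distinct hosts
               on TCP/3127, i.e. behaviour matching MyDoom.C's search for victims.
    listeners: destinations that accepted a TCP/3127 connection, i.e. hosts that
               appear to be running the MyDoom.A backdoor and need cleanup.
    """
    targets = defaultdict(set)
    listeners = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "tcp" or int(m["dport"]) != MYDOOM_BACKDOOR_PORT:
            continue
        targets[m["src"]].add(m["dst"])
        if m["action"] == "allow":
            listeners.add(m["dst"])
    scanners = {src for src, dsts in targets.items() if len(dsts) >= scan_threshold}
    return scanners, listeners


if __name__ == "__main__":
    found_scanners, found_listeners = analyze(SAMPLE_LOG)
    print("probable MyDoom.C scanners:", sorted(found_scanners))
    print("hosts accepting port 3127 :", sorted(found_listeners))
```

On the constructed sample, 10.0.0.5 is flagged as a scanner and 10.0.1.7 as a host still exposing the backdoor port; on real data, tune the threshold to your network's size and sweep speed.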
The MyDoom.C author also removed a Trojan horse "backdoor," but included a copy of the worm's source code, which is deposited on machines infected with the new variant, the companies said.
Unlike the first MyDoom virus, MyDoom.C takes its sights off The SCO Group's Web site, but continues an attack on Microsoft's Web site that was introduced by the MyDoom.B variant.
The new variant does not remove existing versions of the virus and can even run alongside them, said Joe Stewart, senior security researcher at LURHQ.
If started on or between February 8, 2004 and February 12, MyDoom.C-infected machines will launch randomly timed DoS attacks against Microsoft.com. Machines started after February 12 will launch constant attacks.
An analysis of the worm's code uncovered an IP (Internet Protocol) address linked to www.ford.com, the Web page of Ford Motors. However, it is not clear whether the worm targets Ford, iDefense said.
The lack of aggressive spreading features, a staple of most email worms, and the inclusion of the MyDoom.A source code may mean that the MyDoom author is closing shop and handing off his creation to other virus writers to refine, LURHQ said.
"I don't think the Internet will shake from this one," said Ian Hameroff, senior security strategist at Computer Associates International (CA).
CA researchers actually consider the new worm to be a different threat than MyDoom.A, based on a comparison of the two worms' underlying code, and are calling the new threat "DoomJuice," Hameroff said.
The new worm doesn't have the ability to spread like either the MyDoom.A or MyDoom.B worms, but still poses some threat to Internet users, he said.
While the worm does not pose a risk to users who are not already infected with an earlier version of MyDoom, the wide distribution of the MyDoom.A source could pose a serious risk to the overall security of the Internet, Stewart said.
That uncompiled code could only have come from the MyDoom author and could be useful to less-experienced virus writers, he said.
"There's lots of stuff in there – the modified SMTP engine, the spreading algorithm, how (MyDoom.A) spreads over Kazaa, how it gets email addresses off the hard drive," he said.
Even inexperienced computer programmers could take the code, make small adjustments to it, recompile it and release their own version of MyDoom, he said.
"The thing I'm most concerned about is, with the source code being available, who's going to take it and what are they going to do with it," Stewart said. "I think we're going to get copycats on this one."