Two New MyDoom Variants Launch Attacks - 11 Feb 2004

Two new electronic worms emerged yesterday, both of which seek toexploit Windows-based PCs that the original MyDoom email virus havealready infected. Like the weakened MyDoom.B email virus variant,however, both of the new worms are categorized as low-risk by securityresearchers, who note that the worms have compromised few users. Andunlike MyDoom.A and MyDoom.B, instead of spreading through emailattachments the new attacks prowl the Internet looking forMyDoom-compromised computers that haven't yet been inoculated.

The first worm, Doomjuice, attempts to seize infected computers anduse them for Distributed Denial of Service (DDoS) attacks onMicrosoft's Web site. The second worm, Deadhat, removes the MyDoomvirus and waits for further instructions, presumably from yet anotherworm; Deadhat got its start on the Soulseek file-sharing system. Theantivirus experts at Network Associates note that although Doomjuicehas had a bit of success, largely because some people didn't realizethey were infected with MyDoom, neither worm is expected to make muchof an impact.

On the other hand, Doomjuice and Deadhat prove that earlierthinking about electronic-attack flare-ups might be out-of-date."Computer users cannot treat the risk from malware as an episodicsituation based on a specific virus event," Ian Hameroff, a securitystrategist at Computer Associates, said. "Instead, they need to treatthe cause, be it social engineering or outdated virus definitionupdates, not an individual flare-up." Microsoft denied reports thatDeadhat was responsible for intermittent problems on its Web siteyesterday