MyDoom's day passes quickly

Written by Munir Kotadia, Contributor
The latest variant of the MyDoom worm, which was discovered Tuesday, peaked after around 12 hours and has already started dying out, according to antivirus companies.

The new generation, known as both MyDoom.M and MyDoom.O, slammed four popular search engines yesterday and clogged e-mail accounts around the world. Google, Yahoo, AltaVista and Lycos all slowed to a crawl, because once the worm infects a PC, it automatically performs Web searches on those search engines.

Natasha Staley, an information security analyst at MessageLabs, said the company intercepted just 599,641 messages containing MyDoom in its first 24 hours. This is less than half the number of infected messages caught during the 24 hours of the original MyDoom attack and is likely to keep falling as the week continues.

"MyDoom slowed down overnight and picked up again this morning, but more than likely it is a case of people's bedtime patterns. I don't expect to be here tomorrow saying there has been another 600,000 interceptions. It will probably tail off slightly tomorrow and there will be more significant drops throughout the week," Staley said.

Security experts have been warning about the consequences of another MyDoom outbreak after the original version caused massive disruption to the Internet and launched a distributed denial-of-service attack on the SCO Group that knocked the company's Web site offline for more than a month.

However, the latest variant of MyDoom does not appear to have launched a DDoS attack.

Jack Clark, a technology consultant at security specialist McAfee, said this version of MyDoom seems to be "nothing special" and is following the behavior expected from a typical mass-mailing worm--dying down after an initial surge.

"In the 24 hours it was discovered, MyDoom had a huge effect on the population. It had a really active period of about 12 hours, but is now starting to die out," Clark said.

Clark said that, unlike a Trojan horse distributed late last week disguised as suicide pictures of Osama bin Laden, this variant of MyDoom didn't make any original effort to persuade people to open its attachment.

But Symantec US warned overnight that the latest version of MyDoom could foster a "backdoor" opportunity for hackers. Like many other new worms, MyDoom leaves behind code meant to allow future attacks on infected machines. While such openings are usually closed by antivirus applications, hackers have already created a virus, which Symantec is calling W32.Zindos.A, to exploit the MyDoom backdoor, said Dee Liebenstein, a group product manager at Symantec.

The W32.Zindos.A worm has not proliferated rapidly, however, because many people have already protected themselves against MyDoom, Liebenstein said.

Symantec's security response centre concurred about the sharp decline in the rate of new submissions of MyDoom. The worm slowed from a peak of 180 submissions per hour Tuesday afternoon to only 36 submissions between 5 a.m. and 6 a.m. PDT Tuesday.

In addition, the Asia-Pacific region saw a lower-than-expected number of infections from the new variant of MyDoom, security vendors said.

John Donovan, the managing director for Symantec Australia, said that during most virus attacks, Asia-Pacific--including Japan--typically accounts for 5 percent to 10 percent of the total worldwide infections. The recent MyDoom attack, however, was "an unusual occurrence," as the share of worldwide infections in the Asia-Pacific was only 1 percent, Donovan said.

And in contrast to reports that indicated the major Internet search engines in the United States were hit by the virus, Donovan said: "Over in Asia-Pacific, we've seen no significant impact like what we've seen in the U.S."

Munir Kotadia of ZDNet UK reported from London. CNET News.com's Matt Hines contributed from Cambridge, Mass. Isabelle Chan of CNET Asia reported from Singapore.
