New Worm Spawns Headaches for Computer Users
washingtonpost.com Staff Writer Wednesday, January 28, 2004; 6:40 PM
A new version of the "Mydoom" e-mail worm that appeared on the Internet Wednesday makes it more difficult for computer users to download updated security software and instructs infected computers to attack Microsoft Corp.'s Internet homepage, security experts said.

The worm prevents victims from getting on Microsoft's Windows Update page, which hosts the company's latest software fixes and patches, as well as more than 60 other sites that contain anti-virus software. It also blocks Web site advertisements that are provided by Internet ad firm DoubleClick Inc.

Mydoom.B replaces the older version of itself on infected computers, said Tony Magallanez, a systems engineer with F-Secure Corp., an anti-virus company in San Jose, Calif. The first version punches a hole in the victim's Internet connection that allows attackers to take control of the computer or install malicious software.

Magallanez said that Mydoom.B does not require users with computers infected by the first version to click on a new attachment to activate it. Instead, Mydoom.B scans the Internet for infected computers and updates itself.

Cupertino, Calif.-based anti-virus company Symantec Corp. has witnessed a large increase in the number of computers searching for systems infected with the original worm, said Alfred Huger, the company's senior director of security response.

Huger said that it is too early to tell whether the variant will have as much impact as the first version. "It seems the author has figured out how to update his creation with ease, so we don't know what he has left in his bag of tricks."

Microsoft is conducting its own analysis of the new worm, said Christopher Budd, security program manager on Microsoft's product support services security team.

The new worm surfaced on the same day that the U.S. Department of Homeland Security announced the creation of a new, centralized system for alerting the population to online threats like worms, viruses and hackers. A Homeland Security official said the system will release an alert on Mydoom.B tonight.

The FBI is investigating the worms' origins, said spokesman Paul Bresson, who declined to offer further details.

Mydoom.B is not spreading as quickly as its predecessor, but anti-virus experts said that it might pick up speed. The first Mydoom was estimated to be in almost 10 percent of all e-mail messages on the Internet on Tuesday. It spread rapidly as computer users unwittingly clicked on attachments bearing the worm.

Ken Dunham, malicious code manager for Reston, Va.-based iDefense, said Mydoom.B might have been launched through computers infected by the original worm. "If this is the case, Mydoom.B will likely become very prevalent in the wild in just a few short hours," Dunham said.

The first Mydoom came disguised in an e-mail that looked like it was garbled in transmission. The e-mail text urged users to click on the attachment to recover the message, but when they opened the attachment they launched the worm. The latest version uses variations on that theme, with random subject lines including "Returned mail," and "Delivery error."

The first version was programmed to use computers it infected to attack the Web site of The SCO Group Inc., a Utah-based company that claims ownership over portions of the Linux open-source operating system. SCO is pursuing legal action against IBM Corp. and other companies, asserting that Linux includes portions of the Unix operating system over which it claims copyright ownership. The open-source community disputes SCO's claims.

SCO offered a reward of $250,000 for information that leads to the arrest and conviction of the virus's authors. Microsoft is considering similar action, said spokesman Sean Sundwall. Microsoft in November offered rewards of $250,000 each for the authors of the "Sobig" and "Blaster" worms.