Mydoom-A, the latest massive mass-mailer to hit the Internet, had some antivirus experts scratching their heads...
because it appears to be a Mimail variant.
"We were thinking about calling it Mimail-R," said Graham Cluley, senior technology consultant with U.K.-based Sophos PLC. "But the antivirus community settled on the name Mydoom, which is not entirely clear to me [why it did that]. "
Monday was an interesting day on the worm scene. Mid-day EST Mimail-Q surfaced. It was similar to its brethren in that it phished for personal data from users masquerading as a message from Microsoft. When executed, a dialog window comes up saying the user's Microsoft Windows' license has expired. It then prompts the potential victim to plug in his personal information including credit card number.
Late in the day, Mydoom erupted and it contained some similarities to the Mimail worms. Antivirus vendor Trend Micro even called it Mimail-R. "The code appears to be written by the same person," Cluley said.
Also, Mydoom-A is set to launch a denial-of-service attack on The SCO Group's Web site on Feb. 1. Mimail variants have launched similar attacks in the past. Mimail-C and Mimail-L, for example, tried to launch denial-of-service attacks on various antispam Web sites such as the Spamhaus Project.
Recently, experts have identified the convergence of spamming and worm writing. Worms such as the Sobig family created open relays most likely to allow spammers to send their messages. The Mimail worms traveled attached to messages that were very spam-like.
Mydoom-A may owe some of its traction to the fact that it is not spam-like. The messages carrying the worm don't contain words that would trip antispam filters. It can randomly generate subject lines but it also uses benign-sounding ones like "Hi", "Hello" or "error."