Microsoft is offering a $250,000 reward for the creator of the Mydoom-B worm, but the worm's brother, Mydoom-A,...
remains the greater threat.
MessageLabs Inc., the U.K.-based e-mail scanning service provider, intercepted 7.5 million copies of Mydoom-A this week, but less than 100 copies of Mydoom-B.
"In same ways, the first variant was too successful," said Natasha Staley, an information security analyst with MessageLabs. "People began to hesitate when opening attachments. They became suspicious of their e-mail."
Mydoom-A probably isn't spreading to a lot of new machines. But infected systems continue to send out copies of the worm to harvested e-mail addresses.
"Infected machines continue sending out copies in a loop," said Mikko Hypponen, manager of antivirus research for Finland-based F-Secure Corp. He noted that the worm will stop working Feb. 12.
Microsoft has offered a reward for information leading to the arrest and conviction of the writer; the variant is set to launch a distributed denial-of-service attack on Microsoft's Web site on Tuesday. Both worms will launch a denial-of-service attack against the Web of the SCO Group, which is currently suing IBM for allegedly donating Unix code to the Linux kernel.
SCO may have a little more to worry about, given that Mydoom-A is set to launch its DoS attack on Sunday. If enough machines are infected, the attack could be severe.
"There will be relatively enough machines that will still be infected on Sunday to launch a pretty significant attack on SCO," said Vincent Gullotto, vice president of McAfee's Antivirus Emergency Response Team (AVERT). "Whether or not it's effective depends on what SCO does."
The attack won't likely affect anyone else but SCO, since the worm's efforts will be directed only at the company's site, Gullotto said.
The attention paid to the attack may generate even more volume for the SCO Web site. "The world will be having a look to see if the site is still up," said Graham Cluley, senior technology consultant with U.K.-based Sophos PLC.
Before people surf to SCO's site, they should run an antivirus scan on their own machines to make sure they are not infected with Mydoom-A. It's unlikely that people whose machines are infected even realize it, especially those who have DSL and cable modems. "Most people don't use up all their bandwidth normally anyway," Cluley said.
Businesses are likely protected from the worm, but home users may not be as savvy.
"I think it will be an issue for home users for quite some time," Cluley said. "Their machines will continue spewing out copies of the worm."
Users may be infected if ports 3127 through 3198 are open. Also, they can see if the file taskmon.exe, which is dropped by the worm, is in the Windows System directory. The worm also creates a few Register system keys including: HKEY_LOCAL_MACHINE=>Software=>Microsoft=>Windows=>CurrentVersion=>Run "TaskMon" = %SysDir%=>taskmon.exe .