Yet another Mydoom worm has hit. The new variant targets the Web sites of eternal whipping boy Microsoft and song-swapper foe Recording Industry Association of America.
Mydoom-F works in a way very similar to Mydoom-A -- so much so that experts think the creator of Mydoom-F used the source code of the Mydoom-A to create it. The code for Mydoom-A is widely available because Mydoom-B dropped the source code for A on victims' computers.
Mydoom-F does something different than its predecessors. The worm randomly deletes files such as Excel spreadsheets and pictures. This is the first time in recent memory that a worm has been so randomly destructive.
"It's not nearly as widespread as Mydoom-A, but it's of more concern to end users, as it's so destructive," said Mikko Hypponen, manager of antivirus research for Finland-based F-Secure Corp.
Hypponen recommends that users turn off machines that may be infected, because the worm runs a continuous loop that deletes files. "If you leave it on overnight, then it will destroy all your files," he said.
The worm looks for files to delete when it's searching the drives on infected machines for e-mail addresses to harvest. It then sends itself to the culled addresses using its SMTP engine. Mydoom-F doesn't send messages to certain e-mail domains, including those used by government agencies and antivirus companies.
Like earlier Mydoom worms, Mydoom-F uses a variety of subject lines and sets of body text. The subject lines of messages carrying the worm are sometimes blank; sometimes they contain text such as "read it immediately" and "undeliverable message." The message says things such as "Greetings" and "Read the details."
When opened, the worm copies itself to the Windows system directory and gives itself a random file name. It also tries to shut down file processes of common antivirus products.
The worm opens up TCP port 1080 on infected machines, which can allow the worm's creator to communicate with machines. It also opens of a range of ports, from 3000 to 5000.
Mydoom-F also does a distributed denial-of-service attack on www.microsoft.com and www.riaa.com if the system clock is between the 17th and 22nd of the month. However, Mydoom-F doesn't seem to have spread enough to perform an attack serious enough to affect Microsoft or the RIAA, Hypponen said.
In other malicious code news, some companies are seeing Netsky-B, which first surfaced last week, pick up some speed. "I think it shows that some people are not keeping their antivirus software up to date," said Graham Cluley, senior technology consultant with U.K.-based Sophos PLC.
Cluley downplayed reports of a new ICQ IM worm, called Bizex. The worm uses ICQ to entice users to a Web site that exploits a vulnerability in Internet Explorer to drop a Trojan on targeted machines. "The Web site has been taken down, so we don't expect to see any more machines infected by it," he said.