This weekend, millions of Americans will be trying hard to forget the horror of the terrorist attacks that took place exactly three years ago. But an individual or a group of virus writers may be attempting to maximize their notoriety, by unleashing a dangerous version of the Mydoom virus on or near the anniversary of 9/11.
Samples of four new variants of Mydoom, a self-propagating, mass-mailing worm, have been received by the Virus Information Center at Computer Associates International Inc., within the past 26 hours.
Taken individually, each of the new variants is fairly insignificant, said Sam Curry, vice president of eTrust Security Management at Computer Associates.
But the variants, Mydoom-U, Mydoom-V, Mydoom-W, and Mydoom-X, appeared on the Internet in such rapid succession that Curry believes they may the prelude to a major attack.
The variants may have been released as a prelude to a more virulent Mydoom-Z, or Mydoom-AA in time for 9/11, said Curry.
"We wouldn't have flagged this were it not for the rapid release of these multiple variants just prior to 9/11," said Curry.
Virus writers, like terrorists, are believed to place great significance on the anniversaries of their previous attacks. Virus writers have also engaged in races toward more dangerous *-Z or *-AA versions of e-mail worms, as they did earlier this year with the worms Bagle and Netsky, said Curry.
Later versions of many worms track port activity on the systems they infect and make it possible to control those systems remotely. Infected systems can also launch distributed denial-of-service attacks at specific targets.
But in this case, a sole hacker, or his group, may simply be engaging in a perverse attempt to use this weekend's hallowed date to land a job in the information security business.
"This could easily be a halfhearted attempt by someone to get their resume out," said Curry. "But we are encouraging people to be extra careful about the e-mail they open this weekend."
However, a malicious and widespread Mydoom attack this weekend is unlikely, said Hal Pomeranz, a security consultant in Eugene, Ore., and a senior faculty member for the SANS Institute.
He said an attacker with a virulent strain of any worm would be too tempted to release their virus immediately, to avoid being scooped by a competing hacker's own version of the same virus.
"I honestly don't get the sense there's a major ramp-upon the part of the bad guys toward 9/11," said Pomeranz. "But there is always the chance we can wake up to a surprise."