BBC News
Last Updated: Friday, 30 January, 2004, 12:49 GMT
Mydoom creator hunt intensifies
The Mydoom virus tries to trick people into clicking on it
The hunt for whoever was behind the Mydoom e-mail worm, and its sibling Mydoom.B, has intensified with a $250,000 reward offered by Microsoft.

But analysts warned the longer it took to collect clues, the harder it would be to identify and find the author.

A Microsoft spokesperson said its goal in offering the bounty was to pressurise the virus writing community to "rat out" whoever was responsible.

Experts said Mydoom.A and B accounted for up to 30% of all e-mail traffic at their peak.

It has beaten all previous records for virus infections, according to security experts.

'Ratting out'

Security firm MessageLabs told BBC News Online it had now stopped about 8.1 million copies of Mydoom since it was unleashed onto the net on Monday.

"In some cases, we have been intercepting around 130,000 copies per hour, but it has been reasonably stable. The volume goes up when the US comes online," explained Paul Wood, chief information security analyst at MessageLabs.

From: random e-mail address
To: address of the recipient
Subject: random words
Message body: several different mail error messages, such as: Mail transaction failed. Partial message is available
Attachment (with a textfile icon): random name ending with ZIP, BAT, CMD, EXE, PIF or SCR extension
When a user clicks on the attachment, the worm will start Notepad, filled with random characters
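
The traits listed above can be turned into a simple mail-gateway check. The following is an added example, not part of the original article: it flags a message whose attachment ends in one of the listed extensions and whose body carries the quoted mail-error wording. The function names, addresses and sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment extensions listed in the article's description of the worm mail.
RISKY_EXT = {".zip", ".bat", ".cmd", ".exe", ".pif", ".scr"}
# Body wording quoted in the article; several wordings were used, so this is a weak signal.
BOUNCE_HINTS = ("mail transaction failed", "partial message is available")


def assess(raw: bytes) -> dict:
    """Return the signals found in one raw message and a quarantine decision."""
    msg = message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        dot = name.rfind(".")
        # Only the final extension matters, so "notes.txt.pif" counts as PIF.
        if dot != -1 and name[dot:] in RISKY_EXT:
            flagged.append(name)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    bounce_text = any(hint in text for hint in BOUNCE_HINTS)
    # ZIP files are common in normal mail, so an extension alone is not enough:
    # quarantine only when it appears together with fake mail-error text.
    return {
        "attachments": flagged,
        "bounce_text": bounce_text,
        "quarantine": bool(flagged) and bounce_text,
    }


def build_sample(filename: str, body: str) -> bytes:
    """Constructed test message; addresses and payload are placeholders."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = "constructed sample"
    m.set_content(body)
    m.add_attachment(b"placeholder bytes, not malware", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(assess(build_sample("qzkw.scr", "Mail transaction failed. Partial message is available.")))
    print(assess(build_sample("minutes.zip", "Minutes from Tuesday attached.")))
```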

He said the US was still experiencing the biggest problem with the worm, with 35% of infected e-mails coming from there.

Microsoft has joined SCO, the original target of Mydoom.A, in offering a $250,000 bounty for information leading to the arrest and conviction of those responsible for the Mydoom.B variant of the worm.

Microsoft said it was prepared for the attack, due to hit the main Microsoft website on 1 February, but was worried about the inconvenience it could cause to users.

"The goal here is to put the pressure on those in the virus writing community to really rat out their friends to stop them doing this," Microsoft's Sean Sundall explained to the BBC.

"This reward is just for the B variant, and the reason we did that is because we see that variant as particularly hideous."

The original variant, Mydoom.A, is also scheduled to target SCO's website on 1 February until 12 February.

SCO has been involved in a legal row with the open-source community, after claiming versions of the Linux operating system used code it said it owned.

Bragging to mates

Microsoft defended the relatively low bounty, saying it had put a lot of thought into the amount.

"We worked with law enforcement on the amount, and really they are the experts on what amount triggers what kind of behaviour, and what is too much," Mr Sundall said.

Install an anti-virus program
Keep it up to date
Get the latest patches and updates for your operating system
Never automatically open e-mail attachments
Download or purchase software from trusted, reputable sources
Make backups of important files

But MessageLabs' Mr Wood said he suspected the bounty would not necessarily have an effect.

"The kind of lessons we have learned from Sobig and the investigation is that those investigating will know that they have a limited time period to get as many clues as possible," he said.

"But when people start bragging about their exploits they expose themselves."

He said law enforcement agencies involved in the investigation would be closely cooperating at an international level.

They would be scrutinising any clues in the worm's code to check if the author had a certain style similar to any previous viruses.

Backdoor access

Mydoom, also known as Novarg or Shimgapi, arrives as an e-mail attachment which sends itself out to other addresses if opened, and may allow unauthorised access to computers.

It only affects computers using Microsoft Windows and also spreads through file-sharing networks, like Kazaa, installing a "backdoor" onto machines if launched.

An infected computer could allow attackers to get unauthorised access to a user's machine and use it to bring down websites, according to security experts.

It does not take advantage of any flaws in Windows software. Instead, many of the e-mails look like they have been sent from organisations like charities or educational institutions, to fool recipients into opening it.
