Mydoom creator hunt intensifies

The Mydoom virus tries to trick people into clicking on it

The hunt for whoever was behind the Mydoom e-mail worm, and its sibling Mydoom.B, has intensified with a $250,000 reward offered by Microsoft.

But analysts warned the longer it took to collect clues, the harder it would be to identify and find the author.

A Microsoft spokesperson said its goal in offering the bounty was to pressurise the virus writing community to "rat out" whoever was responsible.

Experts said Mydoom.A and B made up to 30% of all e-mail traffic at its peak.

It has beaten all previously records for virus infections, according to security experts.

'Ratting out'

Security firm MessageLabs told BBC News Online it had now stopped about 8.1 million copies of Mydoom since it was unleashed onto the net on Monday.

"In some cases, we have been intercepting around 130,000 copies per hour, but it has been reasonably stable. The volume goes up when the US comes online," explained Paul Wood, chief information security analyst at MessageLabs.

MYDOOM DETAILS From: random e-mail address To: address of the recipient Subject: random words Message body: several different mail error messages, such as: Mail transaction failed. Partial message is available Attachment (with a textfile icon): random name ending with ZIP, BAT, CMD, EXE, PIF or SCR extension When a user clicks on the attachment, the worm will start Notepad, filled with random characters Mydoom questions? Click here

He said the US was still experiencing the biggest problem with the worm, with 35% of infected e-mails coming from there.

Microsoft has joined SCO, the original target of Mydoom.A, in offering a $250,000 bounty for information leading to the arrest and conviction of those responsible for the Mydoom.B variant of the worm.

Microsoft said it was prepared for the attack, due to hit the main Microsoft website on 1 February, but was worried about the inconvenience it could cause to users.

"The goal here is to put the pressure on those in the virus writing community to really rat out their friends to stop them doing this," Microsoft's Sean Sundall explained to the BBC.

"This reward is just for the B variant, and the reason we did that is because we see that variant as particularly hideous."

The original variant, Mydoom.A, is also scheduled to target SCO's website on 1 February until 12 February.

SCO has been involved in a legal row with the open-source community, after claiming versions of the Linux operating system used code it said it owned.

Bragging to mates

Microsoft defended the relatively low bounty, saying it had put a lot of thought into the amount.

"We worked with law enforcement on the amount, and really they are the experts on what amount triggers what kind of behaviour, and what is too much," Mr Sundall said.

PROTECT YOURSELF FROM VIRUSES Install an anti-virus program. Keep it up to date Get the latest patches and updates for your operating system Never automatically open e-mail attachments Download or purchase software from trusted, reputable sources Make backups of important files

But MessageLabs' Mr Wood said he suspected the bounty would not necessarily have an effect.

"The kind of lessons we have learned from Sobig and the investigation is that those investigating will know that they have a limited time period to get as many clues a possible," he said.

"But when people start bragging about their exploits they expose themselves."

He said law enforcement agencies involved in the investigation would be closely cooperating at an international level.

They would be scrutinising any clues in the worm's code to check if the author had a certain style similar to any previous viruses.

Backdoor access

Mydoom, also known as Novarg or Shimgapi, arrives as an e-mail attachment which sends itself out to other addresses if opened, and may allow unauthorised access to computers.

It only affects computers using Microsoft Windows and also spreads through file-sharing networks, like Kazaa, installing a "backdoor" onto machines if launched.

An infected computer could allow attackers to get unauthorised access to a user's machine and use it to bring down websites, according to security experts.

It does not take advantage of any flaws in Windows software. Instead, many of the e-mails look like they have been sent from organisations like charities or educational institutions, to fool recipients into opening it.