BBC News
Last Updated: Tuesday, 10 February, 2004, 11:03 GMT
Mydoom mutants mount new attacks
[Image: screen grab of the Microsoft homepage. Caption: Microsoft is suffering another Mydoom attack]
Two novel viruses are seeking to cash in on the success of the Mydoom virus.

These variants of the original bug are making their way around the net using Windows machines still infected by Mydoom.

The more widespread variant, called Doomjuice, launches a denial of service attack on the Microsoft.com website.

The other variant, dubbed Deadhat, uninstalls other versions of Mydoom it finds and then tries to cripple a PC's anti-virus protection.

Attack damage

Unlike the original Mydoom.A virus, neither Doomjuice nor Deadhat travels via e-mail.

Instead, both randomly scan net addresses and upload themselves to any infected machines they find.

They can spread this way because Mydoom opened up backdoors on infected machines to allow the creator of the virus to remotely control any compromised PC.

So far anti-virus firms report that Doomjuice is having more success in spreading to the 75,000 or so machines still thought to be infected with Mydoom.A.

At its peak Mydoom.A was believed to have infected about a million Windows PCs.

Security firms suspect that Doomjuice was written by the author of the original Mydoom.A virus as it loads a copy of the bug's source code on machines it manages to find.

According to anti-virus firm F-Secure, this tactic is to hinder investigations.

"Before the Doomjuice incident, only the authors of Mydoom.A had the original source code," said Mikko Hypponen, director of anti-virus research at F-Secure, "now probably tens of thousands of people have it on their hard drive, without knowing it."

Once this is done the virus launches an attack on the Microsoft.com website by repeatedly trying to load the site's front page.

Big hitter

According to net monitoring firm Netcraft this attack may have been responsible for disrupting the smooth running of the Microsoft website on Monday morning when it was temporarily unavailable.

If Doomjuice is responsible for this outage, then it has been more successful than the Mydoom.B variant which did not spread widely and caused Microsoft little trouble.

In preparation for these attacks Microsoft has created a mirror of its site in case the main domain is overwhelmed. It has also changed a key property of the site in case it quickly has to move to a new address.

In contrast to this success the Deadhat virus is not thought to be widespread.

If this virus finds an infected machine it removes any copies of Mydoom.A and Mydoom.B that are resident, installs itself and then attempts to stop the computer running anti-virus software or getting updates to protect itself against future infections.

According to statistics gathered by mail filtering firm MessageLabs, Mydoom.A has now become the most active virus of all time.

In the 16 days since it first appeared the company has caught more than 38m copies of it.

By contrast, it has only managed to grab 33m copies of Sobig.F, which appeared in August 2003.

