Feb 22, 2005 (09:02 AM EST)
Predicted Wave Of Worms Hits, Then Dissipates

Read the Original Article at InformationWeek

The predicted wave of MyDooms continued through the weekend, security firms reported, and a new edition of Sober, the German-made worm that continues to bedevil users, made the rounds with some success.

Last week, when MyDoom.bc appeared, a security analyst at Computer Associated noted that the worm had a history of rolling out several variants in succession, then taking a break. "MyDooms usually come in a string of four or five in a row that use essentially the same code," said Sam Curry, vice president of Computer Associates' eTrust security group, last Thursday.

That's exactly what happened. Late Friday and over the weekend, McAfee tracked three new copy-cats, and dubbed them MyDoom.bd, MyDoom.be, and MyDoom.bf. Like Thursday's MyDoom.bc, the .bd and .be variants were tagged as "medium" threats by the Santa Clara, Calif.-based anti-virus vendor.

The new variations are virtually identical to MyDoom.bc, and even earlier editions going back as far as the summer of 2004 and MyDoom.o, said analysts Tuesday.

"[These] MyDooms are the latest in a prolific family, and follow on the heels of last week's MyDoom.au," said Curry Tuesday. (Computer Associates' nomenclature for the variants is somewhat different than McAfee's.) "They exhibit the same tricks and mode of operation as other MyDooms as far back as the 'O' variant, relying on social engineering to trick the innocent into engaging them and continuing the infection."

MyDoom worms are infamous for the wide variety of tricks they apply to get people to launch the attached file, which is, of course, the malicious code payload. The newest versions sport a message that purports to come from the user's Internet service provider (ISP).

"We have found that your e-mail account was used to send a huge amount of spam messages during this week," the bogus messages begin. "We suspect that your computer had been infected and now contains a hidden proxy server. Please follow the instruction in the attached file in order to keep your computer safe."

MyDoom, which has been particularly pervasive, keeps appearing in part because its source code has been circulating among hackers.

"The public availability of the MyDoom source code makes it ripe for worm authors to churn out an almost endless number of variants," said Scott Chasin, the chief technology executive at MX Logic, in an e-mail. "The result is that anyone can use the source code to develop a variant, create an army of zombie PCs with spam and worm distribution capabilities," he added.

MyDoom wasn't the only Internet pest to plague users over the three-day weekend. Another version of Sober, the German-made worm that harks back to October 2003, appeared Sunday and quickly began spreading, particularly in Europe, said the U.K.-based security firm Sophos.

Sober.k, as Sophos dubbed the worm, follows the typical pattern of arriving in either English or German versions, and using several different subject headings and message bodies to get victims to open the payload.

Some copies of Sober.k, in fact, offer free access to X-rated videos of society party girl Paris Hilton, while others take an even sneakier route by using subject headings of "Alert! New Sober Worm!" according to analysis by Symantec and others.

That last spoof carries a return address of security@microsoft.com, and includes text that reads, "ATTENTION! Antivirus vendors are warning of a new variant of the "Sober" virus discovered today that can delete the hard disk. Protection: Download and read the zipped patch. It's very easy to install! (c)2005 Microsoft Corporation. All rights reserved--- Microsoft Corporation--- One Microsoft Way--- Redmond, Washington 98052-6399"

Microsoft has repeatedly told users that it never sends security-related messages with attached files, and has warned them against opening such files.

"Although much-publicized past outbreaks should have made users more nervous of double-clicking on unsolicited attachments, some still find it hard to resist," said Graham Cluley, the senior technology consultant for Sophos, in a statement.

According to Cluley, by early Tuesday, Sober.k accounted for about 1 in every 10 viruses spotted in the past 24 hours. Only the Netsky.p and Zafi.d worms showed up more frequently.

The worm, however, seems to be fading almost as quickly as it rose to prominence, said Alex Shipp, a senior anti-virus analyst for MessageLabs, an e-mail filtering firm also based in the U.K.

"It's biggest spike was this morning," he said Tuesday, "as workers got into their offices. Even though it first appeared yesterday, some copies would have sat in in-boxes until today."

By the end of the British working day Tuesday, however, Sober.k was "dying off," added Shipp.