TechWeb

MyDoom.f Spreads, Deletes Files

Feb 25, 2004 (11:02 AM EST)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=18200558


MyDoom.f, discovered last Friday, continues to spread, security experts said Wednesday--but unlike other variants of the persistent worm, it can wreak havoc on the infected machine by randomly deleting files, including documents created with Microsoft Word and Excel.

"This worm is being sighted in larger numbers, suggesting that not all computers are properly protected," said Graham Cluley, senior technology consultant at Sophos.

MyDoom.f, whose payload arrives in an attached file in an E-mail message with a large number of possible subject lines--including "Read this," "Your order is being processed," and "Bug"--installs malicious code that, among other tasks, conducts denial-of-service attacks against Microsoft.com and RIAA.com.

The RIAA site is the Internet home of the Recording Industry Association of America, the group responsible for bringing lawsuits against illegal music file sharers. Early Tuesday, AlertSite, a Web-monitoring firm, reported that RIAA.com showed a significant drop in performance due to the attack; between 9 a.m. and noon Tuesday, the site was available only about 74% of the time.

"It appears that the site was affected yesterday by the traffic generated by this latest revision of MyDoom," said Ken Godskind, VP at AlertSite. By Wednesday morning, RIAA.com had recovered and was available approximately 92% of the time, Godskind said.

Microsoft's Web site, which has been the target of numerous denial-of-service attacks over the past several weeks thanks to MyDoom variations, wasn't affected by this latest worm's assault.

MyDoom.f, which has been rated as a medium-level threat by most anti-virus firms, takes the MyDoom motif—denial-of-service attacks, the creation of a backdoor on the infected machine for possible use as a spam proxy--and ups the ante by randomly deleting a number of file types on the compromised system.

MyDoom.f targets a variety of image files, as well as Microsoft Word documents and Excel worksheets, said security professionals. The full list of the file types targeted is: mdb, .doc, .xls, .sav, .jpg, .avi, and .bmp.

"It deletes files with various levels of success," said Ken Dunham, the director of malicious code research at iDefense, "but it seems it manages to delete Word files about 40% of the time."

This is the first MyDoom variant that's had a direct, destructive impact on local machines infected with the worm.

Most experts believe the author of MyDoom.f is a different individual than the creator of the original worm, thanks to clues in the code, and its destructive spin. "The source code for MyDoom was planted by Doomjuice," said Dunham, "and here you go. It's not surprising that variants continue to show up."

Although anti-virus firms have updated their definition files to take MyDoom.f into account--deflecting it and destroying it when found--users not guarded by anti-virus software who think their machines may be infected can download automated removal tools from such sources as Symantec and F-Secure.